GenericBreakGlass
/
GenericBreakGlass-XACML
Archived
2
0
Fork 0
Code Issues Pull Requests Releases Activity

Initial commit: eu.aniketos.securebpmn.xacml.support

This commit is contained in:
Achim D. Brucker 2015-06-01 00:15:57 +02:00
parent ed443202e8
commit 4da3d4e4dd
28 changed files with 2452 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/eu.aniketos.securebpmn.xacml.parent/pom.xml
View File

@ -13,6 +13,7 @@
<module>../com.sun.xacml</module>
<module>../com.sun.xacml.support</module>
<module>../eu.aniketos.securebpmn.xacml.api</module>
<module>../eu.aniketos.securebpmn.xacml.support</module>
</modules>
<build>
<plugins>

50
src/eu.aniketos.securebpmn.xacml.support/pom.xml Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v 4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>eu.aniketos.securebpmn.xacml</groupId>
<artifactId>eu.aniketos.securebpmn.xacml.parent</artifactId>
<version>1.0</version>
<relativePath>../eu.aniketos.securebpmn.xacml.parent/pom.xml</relativePath>
</parent>
<artifactId>eu.aniketos.securebpmn.xacml.support</artifactId>
<packaging>jar</packaging>
<name>SecureBPMN XACML - Support</name>
<url>http://maven.apache.org</url>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.0.2</version>
<configuration>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>eu.aniketos.securebpmn.xacml</groupId>
<artifactId>com.sun.xacml</artifactId>
<version>0.1</version>
</dependency>
<dependency>
<groupId>eu.aniketos.securebpmn.xacml</groupId>
<artifactId>com.sun.xacml.support</artifactId>
<version>0.1</version>
</dependency>
<dependency>
<groupId>eu.aniketos.securebpmn.xacml</groupId>
<artifactId>eu.aniketos.securebpmn.xacml.api</artifactId>
<version>0.1</version>
</dependency>
</dependencies>
</project>

80
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/AttributeResolver.java Normal file
View File

@ -0,0 +1,80 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import java.net.URI;
import java.util.HashSet;
import java.util.Set;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.support.finder.IPDPStateEvaluationContext;
import com.sun.xacml.Constants;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.attr.AttributeValue;
import com.sun.xacml.attr.BagAttribute;
import com.sun.xacml.attr.IntegerAttribute;
import com.sun.xacml.attr.StringAttribute;
import com.sun.xacml.attr.TypeIdentifierConstants;
import com.sun.xacml.cond.EvaluationResult;
public class AttributeResolver {
private static final Logger logger = Logger.getLogger(AttributeResolver.class);
public static long getPDPStatePolicyVersion(EvaluationCtx ctx) {
EvaluationResult evalResult = ctx.getAttribute(IPDPStateEvaluationContext.PDPSTATE_CATEGORY,
IPDPStateEvaluationContext.PDPSTATE_ATTRIBUTETYPE,
IPDPStateEvaluationContext.PDPSTATE_URI,
IPDPStateEvaluationContext.PDPSTATE_ISSUER);
if ( ((BagAttribute) evalResult.getAttributeValue()).size() > 1 ) {
logger.error("Did not retreive a bag with one (" +((BagAttribute) evalResult.getAttributeValue()).size() +
") entry after attribute search for current svn policy version number; " +
"PDP Dtate requires exactly one attribute to be defined");
return -1;
} else if ( ((BagAttribute) evalResult.getAttributeValue()).size() == 1 ) {
IntegerAttribute attrVal = (IntegerAttribute) ((BagAttribute) evalResult.getAttributeValue()).iterator().next();
if ( logger.isDebugEnabled() && ctx instanceof EvaluationIdContext)
logger.debug("Request " + ((EvaluationIdContext) ctx).getCurrentEvaluationId() + " is executed under policy " + attrVal.getValue());
return attrVal.getValue();
} else {
logger.debug("Could not resolve current policy version");
return -1;
}
}
public static final URI ACTIVEPOLICY_CATEGORY = Constants.ENVIRONMENT_CAT;
public static final URI ACTIVEPOLICY_ATTRIBUTETYPE = TypeIdentifierConstants.STRING_URI;
public static final String ACTIVEPOLICY = "urn:activePolicies";
public static final URI ACTIVEPOLICY_URI = URI.create(ACTIVEPOLICY);
public static final URI ACTIVEPOLICY_ISSUER = null;
public static Set<String> getActivePolicies(EvaluationCtx ctx) {
EvaluationResult evalResult = ctx.getAttribute(ACTIVEPOLICY_CATEGORY,
ACTIVEPOLICY_ATTRIBUTETYPE,
ACTIVEPOLICY_URI,
ACTIVEPOLICY_ISSUER);
Set<String> policies = new HashSet<String>();
for (AttributeValue value : ((BagAttribute) evalResult.getAttributeValue()).iterable()) {
policies.add( ((StringAttribute)value).getValue());
}
return policies;
}
}

104
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/Category.java Normal file
View File

@ -0,0 +1,104 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import eu.aniketos.securebpmn.xacml.support.helper.*;
import com.sun.xacml.Constants;
import com.sun.xacml.ParsingException;
import com.sun.xacml.UnknownIdentifierException;
import com.sun.xacml.attr.AnyURIAttribute;
import com.sun.xacml.attr.StringAttribute;
import com.sun.xacml.ctx.Attribute;
import com.sun.xacml.ctx.RequestElement;
/**
*
* Describes the categories known by xacml as enum
*
*/
public enum Category implements IElementCreator {
SUBJECT (Constants.SUBJECT_CAT, Constants.SUBJECT_ID, StringAttribute.identifier, new DefaultElementCreator()),
RESOURCE (Constants.RESOURCE_CAT, Constants.RESOURCE_ID, AnyURIAttribute.identifier, new ResourceCreator()),
ACTION (Constants.ACTION_CAT, Constants.ACTION_ID, StringAttribute.identifier, new DefaultElementCreator()),
ENVIRONMENT (Constants.ENVIRONMENT_CAT, null, StringAttribute.identifier, new DefaultElementCreator());
private URI uri, defaultId, defaultType;
private ElementCreator creator;
private static Map<URI, Category> known_categories;
static {
known_categories = new HashMap<URI, Category>();
for ( Category cat : Category.values()) {
known_categories.put(cat.getURI(), cat);
}
}
Category(URI uri, URI defaultId, String defaultType, ElementCreator creator) {
this.uri = uri;
this.defaultId = defaultId;
this.defaultType = URI.create(defaultType);
this.creator = creator;
creator.setCategory(this);
}
public URI getURI() {
return uri;
}
public URI getDefaultId() {
return defaultId;
}
public URI getDefaultType() {
return defaultType;
}
public static Category getCategory(URI category) {
return known_categories.get(category);
}
public ElementCreator getElementCreator() {
return creator;
}
public Attribute getAttributeDefaultType(String value)
throws ParsingException {
return creator.getAttributeDefaultType(value);
}
public RequestElement getRequestElement(String value)
throws ParsingException {
return creator.getRequestElement(value);
}
public Attribute getAttribute(URI attributeId, URI dataType, String value)
throws ParsingException, UnknownIdentifierException {
return creator.getAttribute(attributeId, dataType, value);
}
public RequestElement getRequestElement(Set<Attribute> attrs) {
return creator.getRequestElement(attrs);
}
}

24
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/CtxInfoExtension.java Normal file
View File

@ -0,0 +1,24 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import java.util.List;
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
public interface CtxInfoExtension {
List<AuthoAttribute> getCtxInformation();
}

42
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/EvaluationIdContext.java Normal file
View File

@ -0,0 +1,42 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import eu.aniketos.securebpmn.xacml.support.finder.IEvaluationIdContext;
import com.sun.xacml.BasicEvaluationCtx;
import com.sun.xacml.ParsingException;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.RevocationFinder;
public class EvaluationIdContext extends BasicEvaluationCtx implements IEvaluationIdContext {
//private static Logger logger = Logger.getLogger(EvaluationIdContext.class);
private Long evaluationId;
public EvaluationIdContext(RequestCtx request, AttributeFinder aFinder,
RevocationFinder rFinder, boolean cacheEnvValues, Long evaluationId) throws ParsingException {
super(request, aFinder, rFinder, cacheEnvValues);
this.evaluationId = evaluationId;
}
public Long getCurrentEvaluationId() {
return evaluationId;
}
}

45
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/RecordAttributeFinder.java Normal file
View File

@ -0,0 +1,45 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import java.net.URI;
import org.apache.log4j.Logger;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.cond.EvaluationResult;
import com.sun.xacml.finder.AttributeFinder;
public class RecordAttributeFinder extends AttributeFinder {
private static final Logger logger = Logger.getLogger(RecordEvaluationContext.class);
public RecordAttributeFinder(AttributeFinder attrFinder) {
super(attrFinder);
}
public EvaluationResult findAttribute(URI category, URI attributeType,
URI attributeId, URI issuer,
EvaluationCtx context) {
EvaluationResult evalResult = super.findAttribute(category, attributeType, attributeId, issuer, context);
if ( context instanceof RecordEvaluationContext ) {
((RecordEvaluationContext) context).retreiveDesignatorAttributeSearch(category, attributeType, attributeId, issuer, evalResult);
} else {
logger.warn("RecordAttributeFinder used without RecordEvaluationContext");
}
return evalResult;
}
}

141
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/RecordEvaluationContext.java Normal file
View File

@ -0,0 +1,141 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import java.net.URI;
import java.util.Date;
import java.util.List;
import java.util.Vector;
import org.apache.log4j.Logger;
import com.sun.xacml.ParsingException;
import com.sun.xacml.attr.AttributeValue;
import com.sun.xacml.attr.BagAttribute;
import com.sun.xacml.cond.EvaluationResult;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.RevocationFinder;
import eu.aniketos.securebpmn.xacml.api.autho.DesignatorAttribute;
import eu.aniketos.securebpmn.xacml.support.finder.IRecordEvaluationContext;
/**
*
* RecordEvaluationContext is able to retreive events of collected attributes at runtime and store them
*
*
*/
public class RecordEvaluationContext extends EvaluationIdContext implements IRecordEvaluationContext {
private static Logger logger = Logger.getLogger(RecordEvaluationContext.class);
/**
* contains all attributes which have been resolved at runtime
*/
private List<DesignatorAttribute> attrs;
/**
* defines the time when the policies have been resolved
*/
private Date execTime;
/**
* defines (if applicable) which policy version has been used
*/
private long version;
public RecordEvaluationContext(RequestCtx request, AttributeFinder aFinder,
RevocationFinder rFinder, Long evaluationId) throws ParsingException {
super(request, aFinder, rFinder, true, evaluationId);
this.execTime = new Date();
version = AttributeResolver.getPDPStatePolicyVersion(this);
}
// protected long getPDPStatePolicyVersion() {
// EvaluationResult evalResult = this.getAttribute(IPDPStateEvaluationContext.PDPSTATE_CATEGORY,
// IPDPStateEvaluationContext.PDPSTATE_ATTRIBUTETYPE,
// IPDPStateEvaluationContext.PDPSTATE_URI,
// IPDPStateEvaluationContext.PDPSTATE_ISSUER);
//
// if ( ((BagAttribute) evalResult.getAttributeValue()).size() > 1 ) {
// logger.error("Did not retreive a bag with one (" +((BagAttribute) evalResult.getAttributeValue()).size() +
// ") entry after attribute search for current svn policy version number; " +
// "PDP Dtate requires exactly one attribute to be defined");
// return -1;
// } else if ( ((BagAttribute) evalResult.getAttributeValue()).size() == 1 ) {
// IntegerAttribute attrVal = (IntegerAttribute) ((BagAttribute) evalResult.getAttributeValue()).iterator().next();
// logger.debug("Request " + super.getCurrentEvaluationId() + " will be executed under policy " + attrVal.getValue());
// return attrVal.getValue();
// } else {
// logger.debug("Could not resolve current policy version");
// return -1;
// }
// }
public void retreiveDesignatorAttributeSearch(URI category, URI attributeType,
URI attributeId, URI issuer, EvaluationResult evalResult) {
//TODO why not only store the stuff at runtime and do the transformation aftwards?
if ( ! (evalResult.getAttributeValue() instanceof BagAttribute) ) {
logger.warn("RecordEvaluationContext received a non-bag attribute");
} else {
BagAttribute bAttr = (BagAttribute) evalResult.getAttributeValue();
if ( attrs == null ) {
attrs = new Vector<DesignatorAttribute>();
}
if (bAttr.isEmpty()) {
attrs.add(new DesignatorAttribute(attributeId, attributeType, category));
if ( logger.isDebugEnabled() ) {
logger.debug("Result for attributeId " + attributeId + " of type " + attributeType +
", category " + category + " is empty");
}
} else {
DesignatorAttribute attr = new DesignatorAttribute(attributeId, attributeType, category);
for ( AttributeValue value : bAttr.iterable()) {
attr.addBagValue(value.encode());
}
attrs.add(attr);
if ( logger.isDebugEnabled() ) {
logger.debug("Added designatorAttr (" + attributeId + " of type " + attributeType +
", category " + category +") with " + attr.getBagValues().size() + " values added to EvaluationContext");
}
}
}
}
/**
*
* @return the list of collected designators or null, if non have been collected
*/
public List<DesignatorAttribute> getDesignatorAttributes() {
return attrs;
}
public Date getExecTime() {
return execTime;
}
public long getVersion() {
return version;
}
}

86
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/XACML2APIMapper.java Normal file
View File

@ -0,0 +1,86 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.api.ErrorType;
import eu.aniketos.securebpmn.xacml.api.ReasonType;
import eu.aniketos.securebpmn.xacml.api.SecurityError;
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
import eu.aniketos.securebpmn.xacml.api.autho.AuthoObligation;
import eu.aniketos.securebpmn.xacml.api.autho.AuthoResult;
import eu.aniketos.securebpmn.xacml.api.autho.Decision;
import com.sun.xacml.Obligation;
import com.sun.xacml.ctx.Attribute;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Result;
public class XACML2APIMapper {
private static final Logger logger = Logger.getLogger(XACML2APIMapper.class);
public static AuthoResult getAuthoResult(ResponseCtx resCtx) throws SecurityError {
AuthoResult authoResult = new AuthoResult();
if (resCtx.getResults().size() != 1 ) {
logger.error("Received unexpected number of results: " + resCtx.getResults().size());
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR, "Received unexpected number of results");
}
Result xacmlResult = resCtx.getResults().iterator().next();
authoResult.setDecision(Decision.getFromInt(xacmlResult.getDecision()));
authoResult.setObligations(transformObligations(xacmlResult.getObligations()));
authoResult.setStatusCode(xacmlResult.getStatus().getCode());
authoResult.setStatusMessage(xacmlResult.getStatus().getMessage());
// TODO get missing attributes
return authoResult;
}
public static List<AuthoObligation> transformObligations(Set<Obligation> xacmlOblgs) {
if ( xacmlOblgs != null && xacmlOblgs.size() > 0 ) {
List<AuthoObligation> oblgs = new Vector<AuthoObligation>();
for ( Obligation xacmlOblg : xacmlOblgs ) {
AuthoObligation oblg = new AuthoObligation(xacmlOblg.getId());
if ( xacmlOblg.getAssignments() != null && xacmlOblg.getAssignments().size() > 0 ) {
Collection<AuthoAttribute> attrs = new Vector<AuthoAttribute>(xacmlOblg.getAssignments().size());
for ( Attribute xacmlAttr : xacmlOblg.getAssignments()) {
attrs.add(new AuthoAttribute(AuthoAttribute.OBLIGATION_CATEGORY,
xacmlAttr.getId(), xacmlAttr.getValue().getType(), xacmlAttr.getValue().encode()));
}
oblg.setParameters(attrs);
}
oblgs.add(oblg);
}
return oblgs;
} else {
return null;
}
}
}

168
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/XACMLDecoder.java Normal file
View File

@ -0,0 +1,168 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.api.SecurityError;
import eu.aniketos.securebpmn.xacml.api.ErrorType;
import eu.aniketos.securebpmn.xacml.api.ReasonType;
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
import eu.aniketos.securebpmn.xacml.support.helper.ResourceCreator;
import com.sun.xacml.ParsingException;
import com.sun.xacml.UnknownIdentifierException;
import com.sun.xacml.ctx.Attribute;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.RequestElement;
import com.sun.xacml.ctx.ResponseCtx;
/**
* Helper class, decoding XML strings to XACML Objects
*
*/
public class XACMLDecoder {
private static Logger logger = Logger.getLogger(XACMLDecoder.class);
public static RequestCtx decodeRequestCtx(String request) throws SecurityError {
RequestCtx requ;
try {
requ = RequestCtx.getInstance(new ByteArrayInputStream(request.getBytes()));
} catch (ParsingException e) {
logger.error("ParsingException during parsing xacmlRequest", e);
throw new SecurityError(ErrorType.AUTHORIZATION_FAILED, ReasonType.INVALID_XACML, "ParsingError: " + e.getMessage());
}
return requ;
}
public static ResponseCtx decodeResponseCtx(String reponse) throws SecurityError {
ResponseCtx resp;
try {
resp = ResponseCtx.getInstance(new ByteArrayInputStream(reponse.getBytes()));
} catch (ParsingException e) {
logger.error("ParsingException during parsing xacmlRequest", e);
throw new SecurityError(ErrorType.AUTHORIZATION_FAILED, ReasonType.INVALID_XACML, "ParsingError: " + e.getMessage());
}
return resp;
}
public static RequestCtx decodeRequestCtx(IdInfo authinfo, URI resource,
String action) throws SecurityError {
Set<RequestElement> requElems = new HashSet<RequestElement>();
try {
requElems.add(Category.SUBJECT.getRequestElement(authinfo.getUserId()));
} catch (ParsingException e) {
logger.error("Could not create subject element from subject " + authinfo.getUserId() + ": ParsingException: " + e.getMessage(), e);
}
requElems.add(( (ResourceCreator) Category.RESOURCE.getElementCreator()).getRequestElement(resource));
if ( action != null ) {
try {
requElems.add(Category.ACTION.getRequestElement(action));
} catch (ParsingException e) {
logger.error("Could not create action element from action " + action + ": ParsingException: " + e.getMessage(), e);
}
}
return new RequestCtx(requElems, null, null);
}
public static RequestCtx decodeRequestCtx(IdInfo idInfo, URI resource,
String action, List<AuthoAttribute> attributes) throws SecurityError {
//"cheap" creation if no attributes are present
if ( attributes == null || attributes.size() == 0 ) {
return decodeRequestCtx(idInfo, resource, action);
} else {
Map<Category, Set<Attribute>> attrsPerCat = new HashMap<Category, Set<Attribute>>();
Set<Attribute> subjects = new HashSet<Attribute>();
try {
Attribute subjectId = Category.SUBJECT.getAttributeDefaultType(idInfo.getUserId());
subjects.add(subjectId);
} catch (ParsingException e) {
logger.error("Could not create subject element from subject " + idInfo.getUserId() + ": ParsingException: " + e.getMessage(), e);
}
attrsPerCat.put(Category.SUBJECT, subjects);
//RESOURCE as URI
Set<Attribute> resources = new HashSet<Attribute>();
resources.add( ( (ResourceCreator) Category.RESOURCE.getElementCreator()).getAttributeDefaultType(resource));
attrsPerCat.put(Category.RESOURCE, resources);
//ACTION if != NULL
if (action != null ) {
Set<Attribute> actions = new HashSet<Attribute>();
try {
actions.add(Category.ACTION.getAttributeDefaultType(action));
} catch (ParsingException e) {
// TODO log
e.printStackTrace();
}
attrsPerCat.put(Category.ACTION, actions);
}
for (AuthoAttribute attr : attributes) {
AttributeIdentifier attrId = attr.getAttributeIdentifier();
Category cat = Category.getCategory(attrId.getCategory());
Set<Attribute> attrs;
if ( attrsPerCat.containsKey(cat) ) {
attrs = attrsPerCat.get(cat);
} else {
attrs = new HashSet<Attribute>();
attrsPerCat.put(cat, attrs);
}
try {
attrs.add(cat.getAttribute(attrId.getAttributeId(), attrId.getAttributeType(), attr.getValue()));
} catch (ParsingException e) {
// TODO log
e.printStackTrace();
} catch (UnknownIdentifierException e) {
// TODO log
e.printStackTrace();
}
}
Set<RequestElement> requElems = new HashSet<RequestElement>();
for (Category cat : attrsPerCat.keySet()) {
requElems.add(cat.getRequestElement(attrsPerCat.get(cat)));
}
return new RequestCtx(requElems, null, null);
}
}
}

86
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/XACMLEncoder.java Normal file
View File

@ -0,0 +1,86 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import org.apache.log4j.Logger;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
/**
* Helper class, encoding XACML Objects to its XML representation
*
*
*/
public class XACMLEncoder {
public static final String ERROR_EVALUATING_REQUEST = "todo";
private static Logger logger = Logger.getLogger(XACMLEncoder.class);
/**
* Helper function, encodes a com.sun.xacml.ctx.ResponseCtx to a String, containing a XML representation
* @param response
* @return XML representation of response
*/
public static String encodeResponseCtx(ResponseCtx response) {
ByteArrayOutputStream bAOut = new ByteArrayOutputStream();
BufferedOutputStream bOut = new BufferedOutputStream(bAOut);
try {
response.encode(bAOut, null);
bOut.flush();
} catch (UnsupportedEncodingException e) {
logger.error("Unexpected UnsupportedEncodingException during encoding ResponseCtx to String:" + e.getMessage(), e );
return ERROR_EVALUATING_REQUEST;
} catch (IOException e) {
logger.error("Unexpected IOException during encoding ResponseCtx to String:" + e.getMessage(), e );
return ERROR_EVALUATING_REQUEST;
}
return bAOut.toString();
}
/**
* Helper function, encodes a com.sun.xacml.ctx.RequestCtx to a String, containing a XML representation
* @param request
* @return XML representation of request
*/
public static String encodeRequestCtx(RequestCtx request) {
ByteArrayOutputStream bAOut = new ByteArrayOutputStream();
BufferedOutputStream bOut = new BufferedOutputStream(bAOut);
try {
request.encode(bAOut, null);
bOut.flush();
} catch (UnsupportedEncodingException e) {
logger.error("Unexpected UnsupportedEncodingException during encoding ResponseCtx to String:" + e.getMessage(), e );
return ERROR_EVALUATING_REQUEST;
} catch (IOException e) {
logger.error("Unexpected IOException during encoding ResponseCtx to String:" + e.getMessage(), e );
return ERROR_EVALUATING_REQUEST;
}
return bAOut.toString();
}
}

113
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/attr/EvaluationIdAttribute.java Normal file
View File

@ -0,0 +1,113 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.attr;
import java.net.URI;
import org.apache.log4j.Logger;
import org.w3c.dom.Node;
import eu.aniketos.securebpmn.xacml.support.finder.IEvaluationIdContext;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.ParsingException;
import com.sun.xacml.attr.AttributeValue;
import com.sun.xacml.cond.EvaluationResult;
/**
*
* This attribute represents an urn:type:evaluationId which has to be evaluated at runtime by the xacml engine.
* Within the evaluation, the evaluation ID is read from the evaluation context and stored within the attribute.
*
*/
public class EvaluationIdAttribute extends AttributeValue {
public static final String identifier = "urn:type:evaluationId";
public static final URI identifierURI = URI.create(identifier);
public static final Long INVALID = new Long(-1);
private static Logger logger = Logger.getLogger(EvaluationIdAttribute.class);
public static final String RUNTIME = "RUNTIME";
private Long value;
public EvaluationIdAttribute(Long value) {
super(identifierURI);
this.value = value;
}
protected EvaluationIdAttribute(URI type) {
super(type);
}
@Override
public EvaluationResult evaluate(EvaluationCtx context) {
if ( value == null || value.longValue() == -1 ) {
if ( context instanceof IEvaluationIdContext ) {
//retreive evaluationID from current context
value = ((IEvaluationIdContext) context).getCurrentEvaluationId();
} else {
logger.warn("Received non-IEvaluationIdContext: Could not determine evaluation ID");
value = new Long(-1);
}
}
return new EvaluationResult(this);
}
public static EvaluationIdAttribute getInstance(String value) {
if ( value == null || RUNTIME.equals(value) ) {
return new EvaluationIdAttribute(new Long(-1));
} else {
try {
long newValue = Long.parseLong(value);
return new EvaluationIdAttribute(newValue);
} catch (NumberFormatException e) {
logger.warn("Could not transfer evaluationID \"" + value + "\" to long value: " + e.getMessage());
return new EvaluationIdAttribute(new Long(-1));
}
}
}
public static EvaluationIdAttribute getInstance(Node root) throws ParsingException {
if (root.getFirstChild() != null) {
return getInstance(root.getFirstChild().getNodeValue());
} else {
return new EvaluationIdAttribute(new Long(-1));
}
}
@Override
public String encode() {
return value.toString();
}
@Override
public boolean isDynamic() {
return true;
}
public Long getEvaluationId() {
return value;
}
}

44
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/attr/proxy/EvaluationIdAttributeProxy.java Normal file
View File

@ -0,0 +1,44 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.attr.proxy;
import org.w3c.dom.Node;
import eu.aniketos.securebpmn.xacml.support.attr.EvaluationIdAttribute;
import com.sun.xacml.ConfigurationStore;
import com.sun.xacml.attr.AttributeProxy;
import com.sun.xacml.attr.AttributeValue;
public class EvaluationIdAttributeProxy implements AttributeProxy {
//private static Logger logger = Logger.getLogger(EvaluationIdAttributeProxy.class);
public AttributeValue getInstance(Node root) throws Exception {
return EvaluationIdAttribute.getInstance(root);
}
public AttributeValue getInstance(String value) throws Exception {
return EvaluationIdAttribute.getInstance(value);
}
public EvaluationIdAttributeProxy() {
}
public void setConfigurationStore(ConfigurationStore confStore) {
}
}

297
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/comb/LatticeCombiningAlgorithm.java Normal file
View File

@ -0,0 +1,297 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.comb;
import java.net.URI;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.support.AttributeResolver;
import com.sun.xacml.AbstractPolicy;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.MatchResult;
import com.sun.xacml.Obligation;
import com.sun.xacml.PolicyTreeElement;
import com.sun.xacml.attr.StringAttribute;
import com.sun.xacml.combine.CombinerElement;
import com.sun.xacml.combine.CombinerParameter;
import com.sun.xacml.combine.PolicyCombiningAlgorithm;
import com.sun.xacml.ctx.Result;
public class LatticeCombiningAlgorithm extends PolicyCombiningAlgorithm {
public static final String algId =
"urn:policy-combining-algorithm:policy-lattice";
private static URI identifierURI = URI.create(algId);
private static final String LATTICE_IDENTIFIER = "urn:policyLattice:latticeIdentifier";
private static Logger logger = Logger.getLogger(LatticeCombiningAlgorithm.class);
private Map<String, Map<Long, PolicyLattice>> latticeCache = new HashMap<String, Map<Long, PolicyLattice>>();
public LatticeCombiningAlgorithm() {
super(identifierURI);
}
@Override
public Result combine(EvaluationCtx evalCtx, List<CombinerParameter> combParam,
List<CombinerElement> combElem) {
// store the first deny we get, we will return it in case we do not find a permit
Result firstDeny = null;
// store the first indeterminate
Result firstIndeterminate = null;
// create a cache where all permits are stored;
// we may need the result itself to get the obligations
Map<String, Result> permitCache = new HashMap<String, Result>();
// create a cache where the results of all deny policies are stored
// deny policies could be executed several time, i.e.,
// remember both the result and if we executed it
Map<String, Result> denyCache = new HashMap<String, Result>();
// get the active policies from the context once
Set<String> activePolicies = getActivePolicies(evalCtx);
// create (or get from cache) the policy lattice we want to evaluate
PolicyLattice lattice = getLattice(evalCtx, combParam, combElem);
// iterate over the lattice (i.e., level per level)
for ( LatticeElem elem : lattice ) {
// check if current element is an active policy
if ( isActive(elem, lattice, activePolicies) ) {
boolean permitted = false, denied = false;
// store a permit if we find it in this policy
Result permit = null;
// first, check for an inherited permit, then for a permit
LatticeElem inhPermit = getInheritedPermit(elem, permitCache);
if ( inhPermit != null ) {
permitted = true;
} else if (elem.getPermitPolicy() != null ) {
// no inherited permit, we have to evaluate the current permit policy
Result res = evaluate(elem.getPermitPolicy(), evalCtx);
if ( res.getDecision() == Result.DECISION_INDETERMINATE ) {
if ( firstIndeterminate == null ) {
firstIndeterminate = res;
}
continue; // this policy will not provide a result, go to next
} else if ( res.getDecision() == Result.DECISION_PERMIT ) {
// we found a permit, store it to cache (in the current policy it may be overwritten by a deny)
permitCache.put(elem.getIdentifier(), res);
permit = res;
permitted = true;
} else if ( res.getDecision() == Result.DECISION_DENY && firstDeny == null) {
firstDeny = res;
continue; // we do not need to evaluate the deny policies if we do not have a permit
}
}
if ( permitted ) {
// check if there is an inherited deny: iterate over all extending policies, i.e, downwards
for ( LatticeElem extending : elem.downwards() ) {
// check if extending policy has a deny policy defined
if ( extending.getDenyPolicy() != null ) {
Result res;
// check if we already evaluated this policy
if ( denyCache.containsKey(extending.getIdentifier()) ) {
res = denyCache.get(extending.getIdentifier());
} else {
// else, evaluate it and store it into the cache
res = evaluate(extending.getDenyPolicy(), evalCtx);
denyCache.put(extending.getIdentifier(), res);
}
// check if the current deny policy denies this request
if ( res.getDecision() == Result.DECISION_INDETERMINATE ) {
if ( firstIndeterminate == null ) {
firstIndeterminate = res;
}
} else if ( res.getDecision() == Result.DECISION_DENY ) {
denied = true;
if ( firstDeny == null ) {
firstDeny = res;
}
break; // we have found a deny, do not need to look further
}
}
}
// we end up here only if we found a permit, check if we also found a deny
if ( ! denied) {
// if we did not find a permit for this policy
if ( permit == null ) {
// we got an inherited permit: we have to remove the lattice obligations
// from this permit and attach the lattice obligations of the current policy
permit = permitCache.get(inhPermit.getIdentifier());
AbstractPolicy curPolicy = (AbstractPolicy) elem.getPermitPolicy();
AbstractPolicy inhPolicy = (AbstractPolicy) inhPermit.getPermitPolicy();
Set<Obligation> obligations = permit.getObligations();
// remove obligations defined by inhPolicy
for ( Obligation oblgRm : inhPolicy.getObligations() ) {
for ( Obligation oblg : obligations ) {
if ( oblg.getId().equals(oblgRm) ) {
obligations.remove(oblg);
break;
}
}
}
// add obligations from current policy
for ( Obligation oblg : curPolicy.getObligations() ) {
obligations.add(oblg.evaluate(evalCtx));
}
permit = new Result(permit.getDecision(), evalCtx, obligations);
}
return permit;
}
}
}
}
if ( firstIndeterminate != null ) {
return firstIndeterminate;
} else if ( firstDeny != null ) {
return firstDeny;
} else {
return new Result(Result.DECISION_DENY, evalCtx);
}
}
private Result evaluate(PolicyTreeElement policy, EvaluationCtx evalCtx) {
evalCtx.newEvent(policy);
MatchResult match = policy.match(evalCtx);
Result res = null;
if (match.getResult() == MatchResult.INDETERMINATE) {
res = new Result(Result.DECISION_INDETERMINATE, evalCtx);
} else if (match.getResult() == MatchResult.NO_MATCH) {
res = new Result(Result.DECISION_NOT_APPLICABLE, evalCtx);
} else if (match.getResult() == MatchResult.MATCH) {
res = policy.evaluate(evalCtx);
}
evalCtx.closeCurrentEvent(res);
return res;
}
private boolean isActive(LatticeElem elem, PolicyLattice lattice, Set<String> activePolicies) {
if ( activePolicies.contains(elem.getIdentifier())) {
return true;
} else {
for ( LatticeElem extending : elem.downwards() ) {
if ( activePolicies.contains(extending.getIdentifier())) {
return true;
}
}
}
return false;
}
private LatticeElem getInheritedPermit(LatticeElem elem, Map<String, Result> permitCache) {
for ( LatticeElem extended : elem.upwards() ) {
if ( permitCache.containsKey(extended)) {
return extended;
}
}
return null;
}
private PolicyLattice getLattice(EvaluationCtx evalCtx, List<CombinerParameter> combParam,
List<CombinerElement> combElem) {
String latticeId = getLatticeIdentifier(combParam);
PolicyLattice lattice = null;
if ( latticeId != null) {
Map<Long, PolicyLattice> latticeVerCache = null;
if ( latticeCache.containsKey(latticeId) ) {
latticeVerCache = latticeCache.get(latticeId);
} else {
latticeVerCache = new HashMap<Long, PolicyLattice>();
latticeCache.put(latticeId, latticeVerCache);
}
Long policyVers = getPolicyVersion(evalCtx);
if ( latticeVerCache.containsKey(policyVers)) {
return latticeVerCache.get(policyVers);
} else {
lattice = new PolicyLattice(latticeId, combElem);
latticeVerCache.put(policyVers, lattice);
return lattice;
}
} else {
return new PolicyLattice(null, combElem);
}
// if ( latticeCache.containsKey(policyVers) &&
// latticeCache.get(policyVers).containsKey(latticeId) ) {
// lattice = latticeCache.get(policyVers).get(latticeId);
// } else {
// Map<String, PolicyLattice> latticeVerCache = null;
// if ( latticeCache.containsKey(policyVers) ) {
// latticeVerCache = latticeCache.get(policyVers);
// } else {
// latticeVerCache = new HashMap<String, PolicyLattice>();
// latticeCache.put(policyVers, latticeVerCache);
// }
// lattice = new PolicyLattice(latticeId, combElem);
// latticeVerCache.put(latticeId, lattice);
// }
// return lattice;
}
private String getLatticeIdentifier(List<CombinerParameter> combParam) {
if ( combParam != null && combParam.size() > 0 ) {
for ( CombinerParameter param : combParam ) {
if ( LATTICE_IDENTIFIER.equals(param.getName()) ) {
if ( param.getValue() instanceof StringAttribute ) {
return ((StringAttribute)param.getValue()).getValue();
} else {
logger.warn("Found " + LATTICE_IDENTIFIER + " which is not of type string (" + param.getValue().encode() + ")");
}
}
}
}
logger.warn("Did not find a " + LATTICE_IDENTIFIER + " for evaluating the LatticeCombiningAlgorithm " +
(getRuntimeInfo() == null ? "" : getRuntimeInfo().getLocationMsgRuntime()));
return null;
}
private Long getPolicyVersion(EvaluationCtx evalCtx) {
return new Long(AttributeResolver.getPDPStatePolicyVersion(evalCtx));
}
private Set<String> getActivePolicies(EvaluationCtx evalCtx) {
return AttributeResolver.getActivePolicies(evalCtx);
}
}

223
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/comb/LatticeElem.java Normal file
View File

@ -0,0 +1,223 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.comb;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.support.comb.PolicyLatticeIterator.MODE;
import com.sun.xacml.PolicyTreeElement;
import com.sun.xacml.attr.AttributeValue;
import com.sun.xacml.attr.StringAttribute;
import com.sun.xacml.combine.CombinerElement;
import com.sun.xacml.combine.CombinerParameter;
public class LatticeElem {
private int level = 0;
private String identifier;
/**
* policy IDs this policy extends, defined as combiner parameter
*/
private List<String> extendedPolicyIds;
/**
* policies which are extended by this policy (i.e., upwards)
*/
private List<LatticeElem> extendedPolicies;
/**
* policies extending this policy (i.e, downwards)
*/
private List<LatticeElem> extendingPolicies;
private PolicyTreeElement permitPolicy, denyPolicy;
private static final String
POLICY_IDENDIFIER = "urn:policyLattice:identifier",
POLICY_TYPE = "urn:policyLattice:type",
EXTENDS_POLICY = "urn:policyLattice:extends";
private static final Logger logger = Logger.getLogger(LatticeElem.class);
public static LatticeElem addLatticeElem(CombinerElement combElem,
Map<String, LatticeElem> elems) {
// if ( ! (combElem.getElement() instanceof AbstractPolicy) ) {
// logger.warn("LatticeElement has to be an instance of AbstractPolicy (got " + combElem.getElement().getClass().toString() + ")");
// return null;
// }
//
// AbstractPolicy policy = (AbstractPolicy) combElem.getElement();
// read parameters for policy
List<CombinerParameter> params = combElem.getParameters();
//List<CombinerParameter> params = policy.getCombiningParameters();
String identifier = null, type = null;
List<String> extendedPolicies = null;
if ( params != null && params.size() > 0 ) {
for ( CombinerParameter param : params ) {
String name = param.getName();
if ( POLICY_IDENDIFIER.equals(name) ) {
identifier = getString(name, param.getValue());
} else if ( POLICY_TYPE.equals(name) ) {
type = getString(name, param.getValue());
} else if ( EXTENDS_POLICY.equals(name)) {
if ( extendedPolicies == null ) {
extendedPolicies = new ArrayList<String>();
}
extendedPolicies.add(getString(name, param.getValue()));
} else {
logger.warn("Unknown parameter " + name);
}
}
} else {
logger.warn("No CombinerParamters defined for " + combElem.getElement().getId());
}
if ( identifier == null ) {
logger.warn("Cannot read policy " + combElem.getElement().getId() + " without defining " + POLICY_IDENDIFIER + " as combiner parameter");
return null;
} else {
LatticeElem elem;
if ( elems.containsKey(identifier)) {
elem = elems.get(identifier);
} else {
elem = new LatticeElem(identifier);
elems.put(identifier, elem);
}
if ( extendedPolicies != null ) {
if ( elem.extendedPolicyIds != null ) {
logger.warn("For policy with ID " + identifier + " there are already extending policies defined");
} else {
elem.extendedPolicyIds = extendedPolicies;
}
}
if ( type != null ) {
if ( "permit".equals(type.toLowerCase()) ) {
if ( elem.permitPolicy != null ) {
logger.warn("Overwriting permit policy for ID " + identifier);
}
elem.permitPolicy = combElem.getElement();
} else if ( "deny".equals(type.toLowerCase()) ) {
if ( elem.denyPolicy != null ) {
logger.warn("Overwriting deny policy for ID " + identifier);
}
}
} else {
// assume default value
if ( elem.permitPolicy != null ) {
logger.warn("Overwriting permit policy for ID " + identifier);
}
elem.permitPolicy = combElem.getElement();
}
return elem;
}
}
private LatticeElem(String identifer) {
this.identifier = identifer;
}
private static String getString(String name, AttributeValue value ) {
if ( value instanceof StringAttribute ) {
return ((StringAttribute) value).getValue();
} else {
logger.warn("Attribute " + name + " was not an String Attribute");
return null;
}
}
public int getLevel() {
return level;
}
public void setLevel(int level) {
this.level = Math.max(this.level, level);
}
public void resetLeve(int level) {
this.level = level;
}
public PolicyTreeElement getPermitPolicy() {
return permitPolicy;
}
public void setPermitPolicy(PolicyTreeElement permitPolicy) {
this.permitPolicy = permitPolicy;
}
public PolicyTreeElement getDenyPolicy() {
return denyPolicy;
}
public void setDenyPolicy(PolicyTreeElement denyPolicy) {
this.denyPolicy = denyPolicy;
}
public String getIdentifier() {
return identifier;
}
public List<String> getExtendedPolicyIds() {
return extendedPolicyIds;
}
public void addExtendingPolicy(LatticeElem elem) {
if ( this.extendingPolicies == null) {
this.extendingPolicies = new ArrayList<LatticeElem>();
}
this.extendingPolicies.add(elem);
}
public List<LatticeElem> getExtendingPolicies() {
return this.extendingPolicies;
}
public void resolveExtendedPolicies(Map<String, LatticeElem> policies) {
if ( this.extendedPolicyIds != null &&
this.extendedPolicies.size() > 0 ) {
this.extendingPolicies = new ArrayList<LatticeElem>();
for ( String elemId : extendedPolicyIds) {
if ( policies.containsKey(elemId)) {
extendedPolicies.add(policies.get(elemId));
} else {
logger.warn("Could not find a policy with ID " + elemId + " to resolve extended policies of policy " + identifier);
}
}
}
}
public List<LatticeElem> getExtendedPolicies() {
return this.extendedPolicies;
}
public Iterable<LatticeElem> downwards() {
return new PolicyLatticeIterator(this, MODE.DOWNWARDS);
}
public Iterable<LatticeElem> upwards() {
return new PolicyLatticeIterator(this, MODE.UPWARDS);
}
}

105
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/comb/PolicyLattice.java Normal file
View File

@ -0,0 +1,105 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.comb;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.support.comb.PolicyLatticeIterator.MODE;
import com.sun.xacml.combine.CombinerElement;
public class PolicyLattice implements Iterable<LatticeElem> {
private List<LatticeElem> level1;
private Map<String, LatticeElem> policies;
private static Logger logger = Logger.getLogger(PolicyLattice.class);
public PolicyLattice(String latticeIdentifier, List<CombinerElement> combElem) {
if ( logger.isDebugEnabled() ) {
logger.debug("Creating PolicyLattice "
+ (latticeIdentifier == null ? "without identifier" : latticeIdentifier) + " with "
+ combElem.size() + " elements");
}
policies = new HashMap<String, LatticeElem>();
level1 = new ArrayList<LatticeElem>();
// read all policies
for (int i = 0; i < combElem.size(); ++i ) {
LatticeElem elem = LatticeElem.addLatticeElem(combElem.get(i), policies);
if (logger.isDebugEnabled() && elem != null ) {
logger.debug("Read policy element with ID \"" + elem.getIdentifier()
+ "\" with " + (elem.getExtendedPolicyIds() == null ? 0 : elem.getExtendedPolicyIds().size()) + " extended policy definitions");
}
}
//
for ( LatticeElem elem : policies.values() ) {
elem.resolveExtendedPolicies(policies);
if ( elem.getExtendedPolicyIds() == null ||
elem.getExtendedPolicyIds().size() == 0 ) {
level1.add(elem);
logger.debug("Added " + elem.getIdentifier() + " as " + level1.size() + "th element as level 1 element");
} else {
for ( String extPol : elem.getExtendedPolicyIds()) {
if ( policies.containsKey(extPol) ) {
policies.get(extPol).addExtendingPolicy(elem);
} else {
logger.warn("Policy " + elem.getIdentifier() + " defined extension to " + extPol + ", but did not find policy");
}
}
}
// if ( policies.containsKey(elem.getExtendedPolicy() )) {
// policies.get(elem.getExtendedPolicy()).addChild(elem);
// logger.debug("Added policy " + elem.getIdentifier()
// + " as child to policy" + elem.getExtendedPolicy() );
// } else {
// logger.warn("Policy with id " + elem.getIdentifier() +
// " defines extending an unkown policy with id " + elem.getExtendedPolicy());
// }
}
for ( LatticeElem elem : level1 ) {
setPolicyLevel(elem, 1);
}
}
private void setPolicyLevel(LatticeElem elem, int level) {
elem.setLevel(level);
if ( elem.getExtendingPolicies() != null ) {
for ( LatticeElem refElem : elem.getExtendingPolicies() ) {
setPolicyLevel(refElem, level + 1);
}
}
}
public Iterator<LatticeElem> iterator() {
return new PolicyLatticeIterator(level1, MODE.DOWNWARDS);
}
}

95
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/comb/PolicyLatticeIterator.java Normal file
View File

@ -0,0 +1,95 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.comb;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Queue;
public class PolicyLatticeIterator implements Iterator<LatticeElem>, Iterable<LatticeElem> {
enum MODE {
UPWARDS, // iterates over all refining policies, i.e., policies with lower levels
DOWNWARDS // iterates over all extending policies, i.e., policies with higher levels
}
Queue<LatticeElem> todos;
MODE mode;
/**
*
* @param elements should be all on the same level
*/
PolicyLatticeIterator(List<LatticeElem> elements, MODE mode) {
this.mode = mode;
todos = new LinkedList<LatticeElem>();
for ( LatticeElem elem : elements) {
todos.add(elem);
}
}
PolicyLatticeIterator(LatticeElem element, MODE mode) {
this.mode = mode;
todos = new LinkedList<LatticeElem>();
todos.add(element);
}
public boolean hasNext() {
if ( todos.size() > 0 ) {
return true;
} else {
return false;
}
}
public LatticeElem next() {
LatticeElem next = todos.remove();
if ( mode == MODE.DOWNWARDS ) {
if ( next.getExtendingPolicies() != null ) {
for ( LatticeElem elem : next.getExtendingPolicies() ) {
// check if element to put on queue
if ( elem.getLevel() + 1 == next.getLevel() && // put on queue only if on next level
( elem.getExtendedPolicyIds().size() == 1 || // if referenced elem has only one refining (extends) relation
! todos.contains(elem) ) ) { // or, if it has several, check that it is not already on the queue
todos.add(elem);
}
}
}
} else if ( mode == MODE.UPWARDS ) {
if ( next.getExtendedPolicyIds() != null ) {
for ( LatticeElem elem : next.getExtendedPolicies() ) {
if ( elem.getLevel() -1 == next.getLevel() && // put on queue only if on next (upper) level
( elem.getExtendingPolicies().size() == 1 || // if referenced elem has only one extending (refines) relation
! todos.contains(elem))) { // or, if it has severl, that that it is not alrey on the queue
todos.add(elem);
}
}
}
}
return next;
}
public void remove() {
throw new RuntimeException("remove is not permitted by PolicyLatticeIterator");
}
public Iterator<LatticeElem> iterator() {
return this;
}
}

283
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/finder/FilePolicyModule.java Normal file
View File

@ -0,0 +1,283 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.finder;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.net.URI;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import org.apache.log4j.Logger;
import com.sun.xacml.AbstractPolicy;
import com.sun.xacml.ConfigurationStore;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.MatchResult;
import com.sun.xacml.ParsingException;
import com.sun.xacml.PolicyMetaData;
import com.sun.xacml.VersionConstraints;
import com.sun.xacml.ctx.Result;
import com.sun.xacml.ctx.Status;
import com.sun.xacml.finder.PolicyFinder;
import com.sun.xacml.finder.PolicyFinderModule;
import com.sun.xacml.finder.PolicyFinderResult;
import com.sun.xacml.support.finder.PolicyReader;
/**
*
* PolicyFinderModule which allows to load policies by filename and folder
* <br/>
* When searching for policies, only main (entry) policies are searched,
* i.e., only policies with an "main" at the end are loaded
*
*/
public class FilePolicyModule extends PolicyFinderModule {
private File schemaFile;
// the filenames for the files we'll load
private Set<String> fileNames;
private Set<String> folders;
private Map<URI, AbstractPolicy> policies;
private Map<URI, AbstractPolicy> mainPolicies;
private static final Logger logger = Logger.getLogger(FilePolicyModule.class);
// configuration: keep track of lines when loadig policies (slow! use only for debugging!)
protected boolean useLines = false, enf_useLines = false;
protected Map<String, String> confParams = new HashMap<String, String>();
protected static final String CONF_PREFIX = "conf:",
FOLDER_PREFIX = "folder:",
FILE_PREFIX = "file:",
CONF_USELINES = "useLines";
public FilePolicyModule() {
fileNames = new HashSet<String>();
folders = new HashSet<String>();
policies = new HashMap<URI, AbstractPolicy>();
mainPolicies = new HashMap<URI, AbstractPolicy>();
String schemaName =
System.getProperty(PolicyReader.POLICY_SCHEMA_PROPERTY);
if (schemaName != null) {
this.schemaFile = new File(schemaName);
}
}
public FilePolicyModule(List<String> fileNames) {
this();
if (fileNames != null) {
for ( String fileName : fileNames ) {
if ( fileName.startsWith(CONF_PREFIX) ) {
String tmp = fileName.substring(5);
try {
String confId = tmp.substring(0, tmp.indexOf(":"));
String value = tmp.substring(tmp.indexOf(":") + 1);
confParams.put(confId, value);
} catch(Exception e) {
logger.warn("Could not add configuration: " + tmp);
}
} else if ( fileName.startsWith(FOLDER_PREFIX)) {
this.folders.add(fileName.substring(7));
} else if ( fileName.startsWith(FILE_PREFIX) ) {
this.fileNames.add(fileName.substring(5));
} else {
this.fileNames.add(fileName);
}
}
}
if ( enf_useLines ) {
useLines = true;
} else if ( confParams.containsKey(CONF_USELINES)) {
useLines = getBool(confParams.get(CONF_USELINES));
}
}
@Override
public boolean isRequestSupported() {
return true;
}
@Override
public void init(PolicyFinder finder) {
Object o = finder.getPDPConfiguration().getCustomAttr(ConfigurationStore.BASEDIR);
String baseDir = "";
if ( o != null) {
baseDir = (String) o;
}
PolicyReader reader = new PolicyReader(finder,
java.util.logging.Logger.getLogger(FilePolicyModule.class.getName()),
this.schemaFile, this.useLines);
for (String fname : this.fileNames ) {
try {
AbstractPolicy policy =
reader.readPolicy(new FileInputStream(baseDir + fname), fname);
addPolicy(policy);
} catch (FileNotFoundException fnfe) {
logger.warn("File couldn't be read: "+ fname, fnfe);
} catch (ParsingException e) {
logger.warn("Error reading policy from file " + fname + ": " + e.getMessage(), e);
}
}
for ( String sFolder : this.folders ) {
File folder = new File(baseDir + sFolder);
File[] files = folder.listFiles();
for ( File f : files ) {
String name_lower = f.getName().toLowerCase();
if ( name_lower.endsWith(".xacml")) {
try {
AbstractPolicy policy = reader.readPolicy(new FileInputStream(f), f.getName());
addPolicy(policy);
} catch (FileNotFoundException e) {
logger.warn("File couldn't be read: "+ f.getName(), e);
} catch (ParsingException e) {
logger.warn("Error reading policy from file " + f.getName(), e);
}
}
}
}
logger.info("Loaded " + policies.size() + " policies, " + mainPolicies.size() + " main policies");
}
@Override
public PolicyFinderResult findPolicy(EvaluationCtx context) {
logger.debug("FilePolicyModule.findPolicy");
context.newEvent(this);
AbstractPolicy match = null;
for ( AbstractPolicy policy : this.mainPolicies.values() ) {
context.newEvent(policy);
logger.debug("Check match for Policy "+ policy.getId());
MatchResult mResult = policy.match(context);
int iResult = mResult.getResult();
if ( iResult == MatchResult.NO_MATCH ) {
context.closeCurrentEvent(new Result(Result.DECISION_NOT_APPLICABLE));
} else if ( iResult == MatchResult.MATCH ) {
context.closeCurrentEvent();
if ( match == null ) {
match = policy;
} else {
logger.error("Multiple main policies are matching: first: " + match.getId() + " - " + policy.getId());
List<String> statusCodes = new Vector<String>();
statusCodes.add(Status.STATUS_PROCESSING_ERROR);
Status errorStatus = new Status(statusCodes, "Error in PDP Configuration: Multiple matching main policies");
context.closeCurrentEvent(Result.INDETERMINATE);
return new PolicyFinderResult(errorStatus);
//throw new TopLevelPolicyException(mResult.getStatus(), "Multiple main policies are matching");
}
} else if ( iResult == MatchResult.INDETERMINATE ) {
context.closeCurrentEvent();
context.closeCurrentEvent(new Result(Result.DECISION_INDETERMINATE, context));
return new PolicyFinderResult(mResult.getStatus());
}
}
if (match == null) {
context.closeCurrentEvent();
logger.debug("Found no matching main policy");
return new PolicyFinderResult();
}
context.closeCurrentEvent(match.getId().toString());
logger.debug("Found one matching main policy: " + match.getId());
return new PolicyFinderResult(match);
// } catch (TopLevelPolicyException e) {
// logger.error("Could not find Policy (TopLevelPolicyException): " + e.getMessage());
// e.printStackTrace();
// context.closeCurrentEvent();
// return new PolicyFinderResult(e.getStatus());
// }
}
public boolean addPolicy(String filename) {
return this.fileNames.add(filename);
}
protected void addPolicy(AbstractPolicy policy) {
URI policyId = policy.getId();
this.policies.put(policyId,policy);
if ( policyId.toString().endsWith("main") ) {
this.mainPolicies.put(policyId, policy);
}
}
protected static boolean getBool(String value) {
try {
Boolean val = new Boolean(value);
return val.booleanValue();
} catch (Exception e) {
logger.warn( "Could not read boolean value " + value + "; Using false as default");
return false;
}
}
@Override
public boolean isIdReferenceSupported() {
return true;
}
@Override
public PolicyFinderResult findPolicy(EvaluationCtx context,
URI idReference, int type,
VersionConstraints constraints,
PolicyMetaData parentMetaData) {
if ( policies.containsKey(idReference)) {
AbstractPolicy policy = policies.get(idReference);
if ( constraints.meetsConstraint(policy.getVersion())) {
return new PolicyFinderResult(policy);
} else {
logger.warn("Found policy with right ID " + idReference + ", but version contraints do not match");
}
}
return new PolicyFinderResult();
}
/**
* this method can be used to enforce the usage of lines parsing
* programatically
* @param useLines
*/
public void enforceUseLines() {
this.enf_useLines = true;
this.useLines = true;
}
public void setConfigurationStore(ConfigurationStore confStore) {
// save confStore if needed
}
}

29
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/finder/FolderPolicyModule.java Normal file
View File

@ -0,0 +1,29 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.finder;
import com.sun.xacml.finder.PolicyFinder;
import com.sun.xacml.finder.PolicyFinderModule;
public class FolderPolicyModule extends PolicyFinderModule {
@Override
public void init(PolicyFinder arg0) {
// TODO Auto-generated method stub
}
}

20
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/finder/IEvaluationIdContext.java Normal file
View File

@ -0,0 +1,20 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.finder;
public interface IEvaluationIdContext {
Long getCurrentEvaluationId();
}

34
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/finder/IPDPStateEvaluationContext.java Normal file
View File

@ -0,0 +1,34 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.finder;
import java.net.URI;
import java.util.Date;
import com.sun.xacml.Constants;
import com.sun.xacml.attr.TypeIdentifierConstants;
public interface IPDPStateEvaluationContext {
public static final URI PDPSTATE_CATEGORY = Constants.ENVIRONMENT_CAT;
public static final URI PDPSTATE_ATTRIBUTETYPE = TypeIdentifierConstants.INTEGER_URI;
public static final String PDPSTATE = "urn:custom:svnPolicyVersion";
public static final URI PDPSTATE_URI = URI.create(PDPSTATE);
public static final URI PDPSTATE_ISSUER = null;
public Date getExecTime();
public long getVersion();
}

26
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/finder/IRecordEvaluationContext.java Normal file
View File

@ -0,0 +1,26 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.finder;
import java.net.URI;
import com.sun.xacml.cond.EvaluationResult;
public interface IRecordEvaluationContext extends IEvaluationIdContext, IPDPStateEvaluationContext {
void retreiveDesignatorAttributeSearch(URI category, URI attributeType,
URI attributeId, URI issuer, EvaluationResult evalResult);
}

62
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/helper/DefaultElementCreator.java Normal file
View File

@ -0,0 +1,62 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.helper;
import java.net.URI;
import eu.aniketos.securebpmn.xacml.support.Category;
public class DefaultElementCreator extends ElementCreator {
private Category category;
private URI categoryURI, defaultId, defaultType;
public DefaultElementCreator(Category category) {
setCategory(category);
}
public DefaultElementCreator() {
;
}
public void setCategory(Category category) {
this.category = category;
this.categoryURI = category.getURI();
this.defaultId = category.getDefaultId();
this.defaultType = category.getDefaultType();
}
@Override
protected URI getCategory() {
return categoryURI;
}
@Override
protected URI getDefaultType() {
return defaultType;
}
@Override
protected URI getDefaultId() {
return defaultId;
}
protected Category getCategoryObject() {
return this.category;
}
}

77
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/helper/ElementCreator.java Normal file
View File

@ -0,0 +1,77 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.helper;
import java.net.URI;
import java.util.HashSet;
import java.util.Set;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.support.Category;
import com.sun.xacml.ParsingException;
import com.sun.xacml.UnknownIdentifierException;
import com.sun.xacml.attr.AttributeFactory;
import com.sun.xacml.ctx.Attribute;
import com.sun.xacml.ctx.RequestElement;
public abstract class ElementCreator implements IElementCreator {
private static Logger logger = Logger.getLogger(ElementCreator.class);
protected static AttributeFactory attrFactory = AttributeFactory.getInstance();
protected abstract URI getCategory();
protected abstract URI getDefaultId();
protected abstract URI getDefaultType();
public abstract void setCategory(Category category);
public RequestElement getRequestElement(String value) throws ParsingException {
Attribute attrs;
try {
attrs = new Attribute(getDefaultId(), null, attrFactory.createValue(getDefaultType(), value));
} catch (UnknownIdentifierException e) {
logger.error("Could not create attribute for category " + getCategory() + ", default type " + getDefaultType() + " and value " + value);
return null; //should not happen...
}
Set<Attribute> resourceSet = new HashSet<Attribute>();
resourceSet.add(attrs);
return new RequestElement(getCategory(), resourceSet);
}
public RequestElement getRequestElement(Set<Attribute> attrs) {
return new RequestElement(getCategory(), attrs);
}
public Attribute getAttribute(URI attributeId, URI dataType, String value) throws ParsingException, UnknownIdentifierException {
return new Attribute(attributeId != null ? attributeId : getDefaultId(),
null, attrFactory.createValue(dataType != null ? dataType : getDefaultType(), value));
}
public Attribute getAttributeDefaultType(String value) throws ParsingException {
try {
return new Attribute(getDefaultId(), null, attrFactory.createValue(getDefaultType(), value));
} catch (UnknownIdentifierException e) {
logger.error("Could not create attribute for category " + getCategory() + ", default type " + getDefaultType() + " and value " + value);
return null; //should not happen...
}
}
}

33
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/helper/IElementCreator.java Normal file
View File

@ -0,0 +1,33 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.helper;
import java.net.URI;
import java.util.Set;
import com.sun.xacml.ParsingException;
import com.sun.xacml.UnknownIdentifierException;
import com.sun.xacml.ctx.Attribute;
import com.sun.xacml.ctx.RequestElement;
public interface IElementCreator {
RequestElement getRequestElement(String value) throws ParsingException;
RequestElement getRequestElement(Set<Attribute> attrs);
Attribute getAttribute(URI attributeId, URI dataType, String value) throws ParsingException, UnknownIdentifierException;
Attribute getAttributeDefaultType(String value) throws ParsingException;
}

56
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/helper/LogPreparer.java Normal file
View File

@ -0,0 +1,56 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.helper;
import org.apache.log4j.Logger;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import eu.aniketos.securebpmn.xacml.api.log.AccessControlRequest;
import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
public class LogPreparer {
private static Logger logger = Logger.getLogger(LogPreparer.class);
public static void prepare(AccessControlRequest requ) {
RequestCtx requCtx = (RequestCtx) requ.getRequest();
ResponseCtx respCtx = (ResponseCtx) requ.getResponse();
if ( requ.getXacmlRequest() == null || requ.getXacmlResponse() == null) {
requ.setXacmlRequest(XACMLEncoder.encodeRequestCtx(requCtx));
requ.setXacmlResponse(XACMLEncoder.encodeResponseCtx(respCtx));
if ( ! (requ.getXacmlRequest() == null && requ.getXacmlResponse() == null)
|| requ.getResource() == null || requ.getResult() == null ) {
logInconsistant(requ);
}
}
if ( requ.getResource() == null || requ.getResult() == null ) {
//TODO read from requCtx
}
}
private static void logInconsistant(AccessControlRequest requ) {
logger.warn("Inconsistant AccessControlRequest: XacmlRequest" + requ.getXacmlRequest() +
", XacmlResponse: " + requ.getXacmlResponse() +
", Resource: " + requ.getResource() +
", Result: " + requ.getResult());
}
}

75
src/eu.aniketos.securebpmn.xacml.support/src/main/java/eu/aniketos/securebpmn/xacml/support/helper/ResourceCreator.java Normal file
View File

@ -0,0 +1,75 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support.helper;
import java.net.URI;
import java.util.HashSet;
import java.util.Set;
import eu.aniketos.securebpmn.xacml.support.Category;
import com.sun.xacml.Constants;
import com.sun.xacml.attr.AnyURIAttribute;
import com.sun.xacml.ctx.Attribute;
import com.sun.xacml.ctx.RequestElement;
/**
*
* Creates a RequestElement, containing a resource for evaluation by the XACML PDP
*
*
*/
public class ResourceCreator extends ElementCreator {
private static final URI resourceID_URI = Constants.RESOURCE_CAT; //Category.RESOURCE.getURI();
private static final URI defaultId = Constants.RESOURCE_ID; //Category.RESOURCE.getDefaultId();
private static final URI default_Type = URI.create(AnyURIAttribute.identifier); //Category.RESOURCE.getDefaultType();
@Override
protected URI getCategory() {
return resourceID_URI;
}
@Override
protected URI getDefaultType() {
return default_Type;
}
@Override
protected URI getDefaultId() {
return defaultId;
}
@Override
public void setCategory(Category category) {
if ( ! category.getURI().equals(resourceID_URI) ) {
throw new RuntimeException("It is not possbile to set the category of " + ResourceCreator.class + " afterwards");
}
}
public RequestElement getRequestElement(URI resource) {
Attribute resourceAttribute = new Attribute(defaultId, null, new AnyURIAttribute(resource));
Set<Attribute> resourceSet = new HashSet<Attribute>();
resourceSet.add(resourceAttribute);
return new RequestElement(resourceID_URI, resourceSet);
}
public Attribute getAttributeDefaultType(URI value) {
return new Attribute(getDefaultId(), null, new AnyURIAttribute(value));
}
}

53
src/eu.aniketos.securebpmn.xacml.support/src/test/java/eu/aniketos/securebpmn/xacml/support/AppTest.java Normal file
View File

@ -0,0 +1,53 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.support;
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
/**
* Unit test for simple App.
*/
public class AppTest
extends TestCase
{
/**
* Create the test case
*
* @param testName name of the test case
*/
public AppTest( String testName )
{
super( testName );
}
/**
* @return the suite of tests being tested
*/
public static Test suite()
{
return new TestSuite( AppTest.class );
}
/**
* Rigourous Test :-)
*/
public void testApp()
{
assertTrue( true );
}
}