GenericBreakGlass
/
GenericBreakGlass-XACML
Archived
2
0
Fork 0
Code Issues Pull Requests Releases Activity

Initial commit eu.aniketos.securebpmn.xacml.pdpstate.

This commit is contained in:
Achim D. Brucker 2015-06-01 11:16:16 +02:00
parent 4da3d4e4dd
commit 69e1be00be
21 changed files with 2839 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/eu.aniketos.securebpmn.xacml.parent/pom.xml
View File

@ -14,6 +14,7 @@
<module>../com.sun.xacml.support</module>
<module>../eu.aniketos.securebpmn.xacml.api</module>
<module>../eu.aniketos.securebpmn.xacml.support</module>
<module>../eu.aniketos.securebpmn.xacml.pdpstate</module>
</modules>
<build>
<plugins>

71
src/eu.aniketos.securebpmn.xacml.pdpstate/pom.xml Normal file
View File

@ -0,0 +1,71 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>eu.aniketos.securebpmn.xacml</groupId>
<artifactId>eu.aniketos.securebpmn.xacml.parent</artifactId>
<version>1.0</version>
<relativePath>../eu.aniketos.securebpmn.xacml.parent/pom.xml</relativePath>
</parent>
<artifactId>eu.aniketos.securebpmn.xacml.pdpstate</artifactId>
<version>0.1</version>
<packaging>jar</packaging>
<name>SecureBPMN XACML - PDP State</name>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<build>
<finalName>${artifactId}</finalName>
<plugins>
<!-- Java 1.5 -->
<plugin>
<version>2.3.2</version>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.5</source>
<target>1.5</target>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>[4.8,)</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>[1.2,)</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-core</artifactId>
<version>3.5.4-Final</version>
</dependency>
<dependency>
<groupId>hsqldb</groupId>
<artifactId>hsqldb</artifactId>
<version>[1,)</version>
</dependency>
<dependency>
<groupId>eu.aniketos.securebpmn.xacml</groupId>
<artifactId>eu.aniketos.securebpmn.xacml.api</artifactId>
<version>0.1</version>
</dependency>
<dependency>
<groupId>eu.aniketos.securebpmn.xacml</groupId>
<artifactId>eu.aniketos.securebpmn.xacml.support</artifactId>
<version>1.0</version>
</dependency>
<dependency>
<groupId>eu.aniketos.securebpmn.xacml</groupId>
<artifactId>com.sun.xacml</artifactId>
<version>0.1</version>
</dependency>
</dependencies>
</project>

168
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/DemoPDPStateMgt.java Normal file
View File

@ -0,0 +1,168 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier;
/**
*
* This class allows to modify the PDP State directly, i.e.,
* without creating an access control request, getting an
* urn:custom:notifyPDPState obligation and sending it to
* the PDPServer. <br/>
* It is intended as class for setting demos, but can also be used
* to implement simple scenarios where, e.g., the assignment of roles
* is not considered and not policies are therefore available
*
*/
public class DemoPDPStateMgt {
/*
* to modify the pdpState;
*/
private PDPState pdpState;
private Map<String, Dependency> dependencies;
private static final String ROLEASSIGNMENT = "urn:runEx:role:assignment";
private AttributeDBIdentifier roleIdentifier, role_dep1;
private static final String POLICIES = "urn:runEx:activePolicies";
private AttributeDBIdentifier policyIdentifier;
private static DemoPDPStateMgt instance;
private static final Logger logger = Logger.getLogger(DemoPDPStateMgt.class);
public static DemoPDPStateMgt getInstance() {
return instance;
}
public DemoPDPStateMgt() {
instance = this;
dependencies = PDPStateManagement.getInstance().getDependencies();
pdpState = PDPState.getInstance();
Dependency roleAssignment = dependencies.get(ROLEASSIGNMENT);
if ( roleAssignment == null ) {
logger.error("Could not find role assignment definition in the " +
"configuration of PDPStateManagement; you have to define " +
"the role assignment with key " + ROLEASSIGNMENT + " in " +
"the configuration file " + PDPStateManagement.CONFFILE_NAME);
throw new RuntimeException("Missing configuration for dependency " + ROLEASSIGNMENT);
} else {
roleIdentifier = roleAssignment.getAttributeIdentifier();
role_dep1 = roleAssignment.getDependingAttributeIdentifier(0);
}
Dependency policiesAssignment = dependencies.get(POLICIES);
if ( policiesAssignment == null ) {
logger.error("Could not find policy assignment definition in the " +
"configuration of PDPStateManagement; you have to define " +
"the role assignment with key " + POLICIES + " in " +
"the configuration file " + PDPStateManagement.CONFFILE_NAME);
throw new RuntimeException("Missing configuration for dependency " + POLICIES);
} else {
policyIdentifier = policiesAssignment.getAttributeIdentifier();
}
}
public List<String> getRoles(String subjectId) {
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
contextAttrs.add(new AuthoAttribute(role_dep1, subjectId));
return pdpState.getAttribute(roleIdentifier, contextAttrs);
}
public void addRole(String subjectId, String role) {
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
contextAttrs.add(new AuthoAttribute(role_dep1, subjectId));
AuthoAttribute roleAttr = new AuthoAttribute(roleIdentifier, role);
// use default dates assigned by PDPState: now for from, ever for to
pdpState.addAssignment(roleAttr, null, null, contextAttrs);
}
public void removeRole(String subjectId, String role) {
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
contextAttrs.add(new AuthoAttribute(role_dep1, subjectId));
AuthoAttribute roleAttr = new AuthoAttribute(roleIdentifier, role);
pdpState.endAssignment(roleAttr, null, contextAttrs);
}
public List<String> getActivePolicies() {
return pdpState.getAttribute(policyIdentifier, null);
}
public void addActivePolicy(String policyId) {
AuthoAttribute policyAttr = new AuthoAttribute(policyIdentifier, policyId);
pdpState.addAssignment(policyAttr, null, null, null);
}
public void removeActivePolicy(String policyId) {
AuthoAttribute policyAttr = new AuthoAttribute(policyIdentifier, policyId);
pdpState.endAssignment(policyAttr, null, null);
}
// public List<String> getRoles(String subjectId) {
// List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
// contextAttrs.add(new AuthoAttribute(role_dep1, subjectId));
// return pdpState.getAttribute(roleIdentifier, contextAttrs);
// }
// public List<String> getQualifications(String subjectId) {
// //TODO
// return null;
//}
//
//public void addQualifications(String subjectId, String qualification) {
// //TODO qualification
//}
//
//public void removeQualification(String subjectId, String qualification) {
// //TODO
//}
//
//public void createResource(URI resource, String creator) {
//
//}
//
//public String getCreator(URI resource) {
// return null;
//}
//
//public List<String> getDepartments(String subjectId) {
// //TODO
// return null;
//}
//
//public void addDepartment(String subjectId, String department) {
// //TODO qualification
//}
//
//public void removeDepartment(String subjectId, String department) {
// //TODO
//}
}

327
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/Dependency.java Normal file
View File

@ -0,0 +1,327 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate;
import java.io.BufferedReader;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.Vector;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.api.SecurityError;
import eu.aniketos.securebpmn.xacml.api.ErrorType;
import eu.aniketos.securebpmn.xacml.api.ReasonType;
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
import eu.aniketos.securebpmn.xacml.api.autho.DesignatorAttribute;
import eu.aniketos.securebpmn.xacml.api.log.AccessControlRequest;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType;
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute;
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
/**
*
* This class stores the types of known assignments and how to retrieve
* the required information from an XACML request. For example, consider a role
* assignment. The configuration might look like this:<br/>
* dependency:runEx:role:assignment <br/>
* urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id<br/>
* urn:custom:subject:role -> attribute:urn:custom:resource:role<br/>
* urn:oasis:names:tc:xacml:1.0:subject:subject-id -> urn:custom:resource:subject-id<br/>
* <br/>
* This config says:
* <ul>
* <li> define a dependency for the resource (in the XACML policy) runEx:role:assignment</li>
* <li> to retrieve a role, one needs the subject-id (those are keys
* which have to be defined in the configuration file first)</li>
* <li> the attributes for role (urn:custom:subject:role) can be retrieved by getting
* all attribute:urn:custom:resource:role attributes from the XACML request</li>
* <li> the attribute for subject-Id (urn:oasis:names:tc:xacml:1.0:subject:subject-id) can be retrieved
* by getting all urn:custom:resource:subject-id attribues from the XACML request</li>
* </ul>
*
*/
public class Dependency {
/**
* resource for which this assignment is valid (as defined in the configuration file)
* e.g., urn:role:assignment
*/
private String resourceKey;
private AttributeType type;
/**
* all pdpStateDependencies have to be retrieved from an XACML request;
* this map defines which attribute has to be retrieved from the XACML request (value)
* and assigned to which attribute stored in the db (key).
*
* Note that the attributes in the XACML have to be different, e.g., when
* assigning a role, one cannot use the role attribute to define the to be assigned roles,
* i.e., the roles have to treated as resource; so is the subject-id for the role assignment.
*/
private Map<AttributeDBIdentifier, AttributeDBIdentifier> requestDependencies;
private static Logger logger = Logger.getLogger(Dependency.class);
public Dependency(String key, AttributeType type,
Map<AttributeDBIdentifier, AttributeDBIdentifier> requestDependencies) {
this.resourceKey = key;
this.type = type;
this.requestDependencies = requestDependencies;
}
public List<ContextAttribute> getDependingAttributes() {
return type.getCtxTypes();
}
public AttributeDBIdentifier getDependingAttributeIdentifier(int index) {
return type.getCtxTypes().get(index).getAttrId();
}
public AttributeDBIdentifier getAttributeIdentifier() {
return type.getAttrType();
}
public String getResourceKey() {
return resourceKey;
}
/**
* creates a new Assignment based on the configuration file and assures that
* there are no conflicting definitions within the database.
*
* @param resource
* @param reader
* @param attributes
* @return
* @throws IOException
* @throws SyntaxError
*/
public static Dependency readAssignment(String resource, BufferedReader reader,
Map<String, AttributeDBIdentifier> attributes, HibernateUtil dbUtil) throws IOException, SyntaxError {
// get the dependency definition line, e.g., urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
String dependency = reader.readLine();
int m = dependency.indexOf("->");
if ( m == -1 ) {
throw new SyntaxError("Missing assignment -> ");
}
// get the attribute for which the dependency is defined - key points to a attribute: definition
String key = dependency.substring(0, m).trim();
AttributeDBIdentifier dbKey = attributes.get(key);
if ( dbKey == null ) {
logger.error("Creating Dependency " + resource +", but Attribute with key " + key + " is not defined so far");
throw new SyntaxError("Attribute with key " + key + " is not defined so far");
}
if (logger.isDebugEnabled() ) {
logger.debug("Creating Dependency " + resource + " for attribute " + key + " -> " + dbKey.toString());
}
// read all dependencies for this attribute and create or get AttributeType based on those definitions
List<AttributeIdentifier> dependencies = new Vector<AttributeIdentifier>(); //bullshit, but cannot cast from List<AttributeDBIdentifier> to List<AttributeIdentifier>
// also keep track of all defined dependencies, as they are needed afterwards
List<String> dependencyKeys = new Vector<String>();
dependencyKeys.add(key);
boolean noDependency = false;
StringTokenizer tokenizer = new StringTokenizer(dependency.substring(m + 2), ",");
while (tokenizer.hasMoreTokens()) {
String token = tokenizer.nextToken().trim();
if ( ! (token.length() == 0) ) {
if ( dependencies.size() == 0 && "null".equals(token) ) {
// some attributes may not depend on any other attribute, but they have to define this, i.e., write attributeKey -> null
noDependency = true;
} else {
AttributeDBIdentifier dependent = attributes.get(token);
if ( dependent == null ) {
logger.error("Creating Dependency " + resource +", but Attribute with key " + dependent + " is not defined so far");
throw new SyntaxError("Attribute with key " + dependent + " is not defined so far");
} else {
// dependencies_delete.add(dependent);
dependencies.add(dependent);
dependencyKeys.add(token);
if ( logger.isDebugEnabled() ) {
logger.debug("Found dependency to attribute " + token + ", referencing to " + dependent.toString());
}
}
}
}
}
if ( dependencies.size() == 0 && ! noDependency) {
logger.error("For dependency " + resource + " (attribute " + key + " no dependencies are defined");
throw new SyntaxError("No dependency is defined");
}
AttributeType type = dbUtil.addAttributeType(dbKey, dependencies);
if ( type == null ) {
logger.warn("Could not retrieve AttributeType for configuration of assignment " + dbKey + ": different definition already exists");
throw new SyntaxError("Invalid configuration: Different definition already exists");
} else if (logger.isDebugEnabled() ) {
logger.debug("Got AttributeType with id " + type.getId() + " for dependency:" + resource);
}
/* ok, we got the AttributeType definition for this dependency, now
* we have to get the information which element from a XACML request has to be retrieved
* to update the PDPState accordingly
*/
Map<AttributeDBIdentifier, AttributeDBIdentifier> requestDependencies = new HashMap<AttributeDBIdentifier, AttributeDBIdentifier>();
for ( String dep : dependencyKeys ) {
String confLine = readValueLine(reader);
m = confLine.indexOf("->");
String dbAttr, requAttr;
dbAttr = confLine.substring(0, m).trim();
requAttr = confLine.substring(m + 2, confLine.length()).trim();
if ( ! dbAttr.equals(dep)) {
throw new SyntaxError("Invalid assignment: expected assignment for " + dep + " (line: " + confLine + ")");
} else {
AttributeDBIdentifier requDBAttr = attributes.get(requAttr);
if ( requDBAttr == null ) {
throw new SyntaxError("Attribute with key " + requAttr + " is not defined so far");
} else {
requestDependencies.put(attributes.get(dbAttr), requDBAttr);
if ( logger.isDebugEnabled() ) {
logger.debug("XACML request attr " + requAttr + " is mapped to " + dbAttr + " (" + requDBAttr + " -> " + attributes.get(dbAttr) + ")");
}
}
}
}
return new Dependency(resource, type, requestDependencies);
}
private static String readValueLine(BufferedReader reader) throws IOException, SyntaxError {
String line = reader.readLine().trim();
if ( line.startsWith("#") ) {
return readValueLine(reader);
} else {
return line;
}
}
private List<String> getValues(AccessControlRequest request, AttributeDBIdentifier attr) {
List<String> values = new Vector<String>();
for ( DesignatorAttribute designAttr : request.getDesignatorAttributes()) {
if ( designAttr.getAttrId().equals(attr)) {
values.addAll(designAttr.getValues());
// break; // should be ok, as only one entry for one attr should be there.. anyhow
}
}
for ( AuthoAttribute authoAttr : request.getAttributes()) {
if ( authoAttr.getAttributeIdentifier().equals(attr)) {
values.add(authoAttr.getValue());
}
}
return values;
}
/**
* This functions receives an executed and recorded AccessControlRequest and
* reads all needed values from the xacml request and stores the according
* state changes to the PDPState
* @param request
* @param pdpState
* @throws SecurityError
*/
public void writeStateChange(AccessControlRequest request, PDPState pdpState) throws SecurityError {
// get the values we should assign from the request
List<String> assignValues = getValues(request, requestDependencies.get(type.getAttrType()));
if ( assignValues.size() == 0 ) {
logger.error("Nothing found in the request " + request.getEvaluationId().longValue());
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR,
"Request " + request.getEvaluationId() + " did not contain the required information");
}
if ( logger.isDebugEnabled() ) {
StringBuffer message = new StringBuffer("Found " + assignValues.size() + " value(s) (");
for (String value : assignValues ) {
message.append(value + ", ");
}
message.append(") to write to the PDP state for " + this.resourceKey + " (" + this.type.getCtxTypes().size() + " depending ctx Attribute(s))");
logger.debug(message.toString());
}
// depending on the number of context attributes, we have to retrieve those values from the request
// and create the according assignment for the PDP state
if ( type.getCtxTypes().size() == 0 ) {
for ( String value : assignValues ) {
//pdpState.addAssignment(type, value, null, null, null);
pdpState.addAssignment(new AuthoAttribute(type.getAttrType(), value), null, null, null);
}
logger.info("Added " + assignValues.size() + " assignments for " + type.getAttrType() + " to the PDPState");
} else if ( type.getCtxTypes().size() == 1 ) {
// we have the AttributeType which tells us how much context Attributes we need;
// from this, we can get the attribute identifier which identifies the attributes in the xacml request
AttributeDBIdentifier ctxAttrType = requestDependencies.get(type.getCtxTypes().get(0).getAttrId());
// get the according values
List<String> ctxValues = getValues(request, ctxAttrType);
// if there are no values, there is something wrong; terminate
if ( ctxValues == null || ctxValues.size() == 0 ) {
logger.error("Could not find values for contextAttribute " + ctxAttrType + " in the request");
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR,
"Request " + request.getEvaluationId() + " did not contain the required information");
} else if ( logger.isDebugEnabled() ) {
StringBuffer message = new StringBuffer("Found " + ctxValues.size() + " value(s) (");
for (String value : ctxValues ) {
message.append(value + ", ");
}
message.append(") for " + ctxAttrType.toString());
logger.debug(message.toString());
}
for ( String value: assignValues ) {
AuthoAttribute valueAttr = new AuthoAttribute(type.getAttrType(), value);
for ( String ctxValue : ctxValues ) {
List<AuthoAttribute> ctxAttr = new Vector<AuthoAttribute>();
ctxAttr.add(new AuthoAttribute(type.getCtxTypes().get(0).getAttrId(), ctxValue));
pdpState.addAssignment(valueAttr, null, null, ctxAttr);
}
}
logger.info("Added " + (assignValues.size()*ctxValues.size()) + " assignments for " + type.getAttrType() + " to the PDPState");
} else {
// here, we do for now only allow one value for every context attribute
List<AuthoAttribute> ctxAttrs = new Vector<AuthoAttribute>();
List<String> ctxValues;
for ( ContextAttribute ctxAttr : type.getCtxTypes() ) {
ctxValues = getValues(request, ctxAttr.getAttrId());
if ( ctxValues.size() != 1) {
logger.error("Expected 1 value for " + ctxAttr.getAttrId() + " in request " +
request.getEvaluationId() + ", but found " + ctxValues.size());
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR,
"Request " + request.getEvaluationId() + " did not contain the required information");
} else {
ctxAttrs.add(new AuthoAttribute(ctxAttr.getAttrId(), ctxValues.get(0)));
}
}
for ( String value : assignValues ) {
pdpState.addAssignment(new AuthoAttribute(type.getAttrType(), value), null, null, ctxAttrs);
}
logger.info("Added " + assignValues.size() + " assignments for " + type.getAttrType() + " to the PDPState");
}
}
}

51
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/InvalidAssignmentException.java Normal file
View File

@ -0,0 +1,51 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate;
public class InvalidAssignmentException extends RuntimeException {
private static final long serialVersionUID = -387842157062192483L;
public enum Reason {
OVERLAPPING_ASSIGNMENT, //there already exists an assignment
INVALID_DATE_NO_TIMEFRAME, //the dates do not spawn a time frame, i.e, from is after to
INVALID_DATE_MODIFICATION_OF_PAST, //it is not allowed to do assignments in the past
NO_ASSIGNMENT_AVAILABLE, // for the defined contraints (type, time) no such assignment is available
INVALID_STATE // worst case - invalid state...
}
private Reason reason;
private String message;
public InvalidAssignmentException(Reason reason) {
this.reason = reason;
}
public InvalidAssignmentException(Reason reason, String message) {
this.reason = reason;
this.message = message;
}
public Reason getReason() {
return reason;
}
public String getMessage() {
//TODO generate default message according to reason
return message;
}
}

490
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/PDPState.java Normal file
View File

@ -0,0 +1,490 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate;
import java.io.BufferedInputStream;
import java.io.File;
import java.security.InvalidParameterException;
import java.sql.Timestamp;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.log4j.Logger;
import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.Transaction;
import org.hibernate.cfg.Configuration;
import org.w3c.dom.Document;
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
import eu.aniketos.securebpmn.xacml.pdpstate.InvalidAssignmentException.Reason;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType;
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute;
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttributeAssignment;
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
/**
*
* Manages the state of the PDP as it can be retrieved from the PDPStateModule.
*
* Changes have to be done through this class ans especially through the HibernateUtil,
* as here some caching is implemented. Bypassing this caching mechanism will result in
* strange errors.
*
*/
public class PDPState {
private static PDPState instance;
public static final String CONFFILE_NAME = "hibernate.pdpState.cfg.xml";
private SessionFactory factory;
private HibernateUtil hibernateUtil;
private static final Logger logger = Logger.getLogger(PDPState.class);
private static final String ATTRTYPE = "attrType",
VALIDAT = "validAt",
VALIDFROM = "validFrom",
VALIDTO = "validTo",
VALUE = "value",
CTXATTRTYP0 = "ctxAttrTypeNull",
CTXATTR0 = "ctxAttrNull",
CTXATTRTYP1 = "ctxAttrTypeOne",
CTXATTR1 = "ctxAttrOne";
public static PDPState getInstance() {
if ( instance == null ) {
createInstance();
}
return instance;
}
private static synchronized void createInstance() {
if ( instance == null ) {
instance = new PDPState();
}
}
private PDPState() {
logger.debug("Starting PDPState Server: Creating SessionFactory");
factory = buildSessionFactory();
factory.openSession();
logger.debug("Creating HibernateUtil");
hibernateUtil = HibernateUtil.createHibernateUtil(factory);
}
private SessionFactory buildSessionFactory() {
try {
File confFile = new File(CONFFILE_NAME);
if ( ! confFile.exists() ) {
// try with conf before...
confFile = new File("conf/" +CONFFILE_NAME);
}
if ( ! confFile.exists() ) {
// try from mvn default test location
confFile = new File("src/test/resources/" +CONFFILE_NAME);
}
if ( confFile.exists()) {
logger.debug("Reading PDPState hibernate configuration from " + confFile.getAbsolutePath());
return new Configuration().configure(confFile).buildSessionFactory();
}
else {
logger.warn("Reading PDPState hibernate configuration from jar; You might define a more accurate " + CONFFILE_NAME);
BufferedInputStream bIs = new BufferedInputStream(this.getClass().getResourceAsStream( "/" + CONFFILE_NAME));
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setValidating(false); // do not validate with DTD (and, therefore, do not die offline with an unkown host exception
factory.setFeature("http://xml.org/sax/features/namespaces", false);
factory.setFeature("http://xml.org/sax/features/validation", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Document confDoc = factory.newDocumentBuilder().parse(bIs).getDocumentElement().getOwnerDocument();
return new Configuration().configure(confDoc).buildSessionFactory();
}
}
catch (Throwable ex) {
ex.printStackTrace();
logger.error("Initial SessionFactory creation failed." + ex.getClass().getName() + " - " + ex.getMessage());
throw new ExceptionInInitializerError(ex);
}
}
public HibernateUtil getHibernateUtil() {
return this.hibernateUtil;
}
/**
* adds a new attribute type. values in AuthoAttribute are ignored
* @param attributeId
* @param contextInformation
*/
public AttributeType addAttributeType(AuthoAttribute attribute, List<AuthoAttribute> contextAttributes) {
List<AttributeIdentifier> contextIds = null;
if ( contextAttributes != null && contextAttributes.size() > 0 ) {
contextIds = new Vector<AttributeIdentifier>();
for (AuthoAttribute attr : contextAttributes ) {
contextIds.add(attr.getAttributeIdentifier());
}
}
return hibernateUtil.addAttributeType(attribute.getAttributeIdentifier(), contextIds);
}
public List<String> getAttribute(AttributeIdentifier attrId, List<AuthoAttribute> contextAttrValues) {
return getAttribute(attrId, contextAttrValues, new java.util.Date());
}
public List<String> getAttribute(AttributeIdentifier attrId, List<AuthoAttribute> contextAttrValues, Date validAt) {
return getAttribute(attrId, contextAttrValues, new Timestamp(validAt.getTime()));
}
public List<String> getAttribute(AttributeIdentifier attrId, List<AuthoAttribute> contextAttrValues, Timestamp validAt) {
AttributeType attrType = hibernateUtil.getAttributeType(attrId);
List<ContextAttributeAssignment> contextDBAttrs = transformCtxAttr(attrType, contextAttrValues);
return getAttribute(attrType, contextDBAttrs, validAt);
}
/**
* WARNING: This function performs NO sanity checks, thus, you may get weird behavior
* if you provide unchecked and inconsistent parameters.
* <br/>
*
* @param attrType
* @param contextDBAttrs
* @param validAt
* @return
*/
public List<String> getAttribute(AttributeType attrType, List<ContextAttributeAssignment> contextDBAttrs) {
return getAttribute(attrType, contextDBAttrs, new Timestamp(new java.util.Date().getTime()));
}
/**
* WARNING: This function performs NO sanity checks, thus, you may get weird behavior
* if you provide unchecked and inconsistent parameters.
* <br/>
*
* @param attrType
* @param contextDBAttrs
* @param validAt
* @return
*/
@SuppressWarnings("unchecked") // needed for List<String> list = query.list();
public List<String> getAttribute(AttributeType attrType,
List<ContextAttributeAssignment> contextDBAttrs, Timestamp validAt) {
Session session = factory.getCurrentSession();
Transaction t = session.beginTransaction();
Query query = null;
//if ( attrType.getCtxTypes().size() == 0 ) {
if ( contextDBAttrs == null || contextDBAttrs.size() == 0 ) {
//no context attributes are required, easy case!
query = session.getNamedQuery("getAttribute0");
} else if ( contextDBAttrs.size() == 1 ) {
//only one context attribute is required
query = session.getNamedQuery("getAttribute1");
query.setParameter(CTXATTRTYP0, contextDBAttrs.get(0).getCtxAttribute());
query.setParameter(CTXATTR0, contextDBAttrs.get(0).getValue());
} else if ( contextDBAttrs.size() == 2 ) {
query = session.getNamedQuery("getAttribute2");
query.setParameter(CTXATTRTYP0, contextDBAttrs.get(0).getCtxAttribute());
query.setParameter(CTXATTR0, contextDBAttrs.get(0).getValue());
query.setParameter(CTXATTRTYP1, contextDBAttrs.get(1).getCtxAttribute());
query.setParameter(CTXATTR1, contextDBAttrs.get(1).getValue());
} else {
throw new RuntimeException("Only two constraining attributes are supported");
}
query.setParameter(ATTRTYPE, attrType);
query.setParameter(VALIDAT, validAt);
List<String> list = query.list();
t.commit();
return list;
}
public List<Long> getAssignmentIds(AttributeIdentifier attrId, String value,
List<AuthoAttribute> contextAttrValues,
Date validFrom, Date validTo) {
return getAssignmentIds(attrId, value, contextAttrValues, new Date(validFrom.getTime()), new Date(validTo.getTime()));
}
public List<Long> getAssignmentIds(AttributeIdentifier attrId, String value,
List<AuthoAttribute> contextAttrValues, Timestamp validFrom, Timestamp validTo) {
AttributeType attrType = hibernateUtil.getAttributeType(attrId);
List<ContextAttributeAssignment> contextDBAttrs = transformCtxAttr(attrType, contextAttrValues);
return getAssignmentIds(attrType, value, contextDBAttrs, validFrom, validTo);
}
@SuppressWarnings("unchecked")
public List<Long> getAssignmentIds(AttributeType attrType, String value,
List<ContextAttributeAssignment> contextDBAttrs, Date validFrom, Date validTo) {
/* Task: get all IDs which are within the boundaries defined by :validFrom and :validTo
* Idea:
* exclude those which are not within the boundaries, i.e., one of (OR)
* 1) both a.validFrom and a.validTo lie before :validFrom
* 2) both a.validFrom and a.validTo lie after :validTo
* thus,
* NOT ( ( a.validFrom < :validFrom AND a.validTo < :validTo) OR
* ( a.validFrom > :validFrom AND a.validTo > :validTo) )
* resolving the NOT:
* (a.validFrom >= :validFrom OR a.validTo >= :validTo) AND
* (a.validFrom <= :validFrom OR a.validTo <= :validTo)
*
* TODO make version from arni
* a.validFrom <= :validTo AND a.validTo >= :validFrom
*/
Session session = factory.getCurrentSession();
Transaction t = session.beginTransaction();
Query query = null;
if ( contextDBAttrs == null || contextDBAttrs.size() == 0 ) {
query = session.getNamedQuery("getAssignmentIds0");
} else if ( contextDBAttrs.size() == 1) {
query = session.getNamedQuery("getAssignmentIds1");
query.setParameter(CTXATTRTYP0, contextDBAttrs.get(0).getCtxAttribute());
query.setParameter(CTXATTR0, contextDBAttrs.get(0).getValue());
} else if ( contextDBAttrs.size() == 2) {
query = session.getNamedQuery("getAssignmentIds2");
query.setParameter(CTXATTRTYP0, contextDBAttrs.get(0).getCtxAttribute());
query.setParameter(CTXATTR0, contextDBAttrs.get(0).getValue());
query.setParameter(CTXATTRTYP1, contextDBAttrs.get(1).getCtxAttribute());
query.setParameter(CTXATTR1, contextDBAttrs.get(1).getValue());
}else {
throw new RuntimeException("Only two constraining attributes are supported");
}
query.setParameter(ATTRTYPE, attrType);
query.setParameter(VALIDFROM, validFrom);
query.setParameter(VALIDTO, validTo);
query.setParameter(VALUE, value);
List<Long> list = query.list();
t.commit();
return list;
}
public AttributeAssignment addAssignment(AuthoAttribute attribute,
Date validFrom, Date validTo, List<AuthoAttribute> contextAttributes) {
return addAssignment(attribute,
validFrom == null ? null : new Timestamp(validFrom.getTime()),
validTo == null ? null : new Timestamp(validTo.getTime()), contextAttributes);
//return addAssignment(attribute, new Date(validFrom.getTime()), new Date(validTo.getTime()), contextAttributes);
}
public AttributeAssignment addAssignment(AuthoAttribute attribute,
Timestamp validFrom, Timestamp validTo, List<AuthoAttribute> contextAttributes)
throws InvalidAssignmentException {
AttributeType attrType = hibernateUtil.getAttributeType(attribute.getAttributeIdentifier());
if ( attrType == null ) {
logger.info("AttributeType is not jet known by PDPState. Creating new AttributeType for attribute " + attribute.getAttributeIdentifier());
attrType = addAttributeType(attribute, contextAttributes);
}
// transform input to values with db IDs
List<ContextAttributeAssignment> contextDBAttrs = transformCtxAttr(attrType, contextAttributes);
return addAssignment(attrType, attribute.getValue(), validFrom, validTo, contextDBAttrs);
}
public AttributeAssignment addAssignment(AttributeType attrType,
String value, Timestamp validFrom, Timestamp validTo,
List<ContextAttributeAssignment> contextDBAttrs) {
AttributeAssignment assignment = new AttributeAssignment();
assignment.setValue(value);
assignment.setValidFrom(validFrom);
assignment.setValidTo(validTo);
if ( assignment.getValidFrom().after(assignment.getValidTo()) ) {
throw new InvalidAssignmentException(Reason.INVALID_DATE_NO_TIMEFRAME);
}
if ( new Date(new java.util.Date().getTime() - 60*1000).after(assignment.getValidFrom())) {
throw new InvalidAssignmentException(Reason.INVALID_DATE_MODIFICATION_OF_PAST);
}
logger.info("Adding assignment with value \"" + value + "\" for " + attrType.getAttrType().toString());
logger.debug("Checking that there is no existing attribute in the defined time period");
List<Long> assignedIds = getAssignmentIds(attrType, value, contextDBAttrs, validFrom, validTo);
if ( assignedIds != null && assignedIds.size() > 0 ) {
String message = "There are already " + assignedIds.size() + " assignment(s) within the defined scope and time frame";
logger.error(message);
throw new RuntimeException(message);
}
assignment.setAttrType(attrType);
assignment.setCtxAttrAssignments(contextDBAttrs);
if ( contextDBAttrs != null ) {
for ( ContextAttributeAssignment attr : contextDBAttrs ) {
attr.setAttrAssignment(assignment);
}
}
Session session = factory.getCurrentSession();
Transaction tx = session.beginTransaction();
session.save(assignment);
tx.commit();
return assignment;
}
public void endAssignment(AuthoAttribute attribute, Date validTo,
List<AuthoAttribute> contextAttrValues) {
endAssignment(attribute, validTo == null ? null : new Date(validTo.getTime()), contextAttrValues);
}
public void endAssignment(AuthoAttribute attribute, Timestamp validTo,
List<AuthoAttribute> contextAttrValues) {
AttributeType attrType = hibernateUtil.getAttributeType(attribute.getAttributeIdentifier());
List<ContextAttributeAssignment> contextDBAttrs = transformCtxAttr(attrType, contextAttrValues);
endAssignment(attrType, attribute.getValue(), validTo, contextDBAttrs);
}
public void endAssignment(AttributeType attrType,
String value, Timestamp validTo,
List<ContextAttributeAssignment> contextDBAttrs){
if ( validTo == null ) {
//per default, end assignment with now
validTo = new Timestamp(new java.util.Date().getTime());
} else if ( new Date(new java.util.Date().getTime() - 1000).after(validTo)) {
logger.error("It is not permitted to end an assignment in the past");
throw new InvalidAssignmentException(Reason.INVALID_DATE_MODIFICATION_OF_PAST);
}
//Date now = new Date(new java.util.Date().getTime());
List<Long> ids = getAssignmentIds(attrType, value, contextDBAttrs, validTo, validTo);
if ( ids.size() == 0 ) {
logger.error("There is no assignment which could be ended");
throw new InvalidAssignmentException(Reason.NO_ASSIGNMENT_AVAILABLE);
} else if (ids.size() > 1) {
logger.fatal("There are several assignments valid at one time: TODO log details");
throw new InvalidAssignmentException(Reason.INVALID_STATE);
}
Session session = factory.getCurrentSession();
Transaction tx = session.beginTransaction();
//TODO check before in the same session?
AttributeAssignment attrAssign = (AttributeAssignment) session.get(AttributeAssignment.class, ids.get(0));
attrAssign.setValidTo(validTo);
session.update(attrAssign);
tx.commit();
}
public String replaceValue() {
//TODO for assignment where only one value at one point in time is valid
// e.g. active policy version
//
//return old value
return null;
}
/**
* This function does mainly two things: first, the attribute definitions which are contained in
* contextAttributes are transfered to a List of ContextAttributeAssignment (i.e., containing
* a reference to the actual ContextAttribute). Second, a sanity check is done, i.e., if the attributes
* defined by contextAttributes match to the required contextAttributes defined for the
* attributeType
* @param attributeType
* @param contextAttributes
* @return
*/
protected List<ContextAttributeAssignment> transformCtxAttr(AttributeType attributeType, List<AuthoAttribute> contextAttributes) {
// check if meta info defined by AttributeType defines same size of contextAttributes as provided
if ( (attributeType.getCtxTypes() == null ? 0 : attributeType.getCtxTypes().size())
!= (contextAttributes == null ? 0 : contextAttributes.size())) {
String message = "AttributeType for " + attributeType.getAttrType() + " defines " +
(attributeType.getCtxTypes() == null ? 0 : attributeType.getCtxTypes().size()) + " context attributes, but received " +
(contextAttributes == null ? 0 : contextAttributes.size());
logger.error("Invalid Assignment: " + message);
throw new InvalidParameterException(message);
}
AttributeAssignment assignment = new AttributeAssignment();
if ( contextAttributes != null && contextAttributes.size() > 0 ) {
List<ContextAttributeAssignment> contextDBAttrs = new Vector<ContextAttributeAssignment>();
//in most cases there will be only one ctx Attribute; implement "fast way"
if ( contextAttributes.size() == 1 ) {
AuthoAttribute provAttr = contextAttributes.get(0);
ContextAttribute ctxAttr = attributeType.getCtxTypes().get(0);
//check if required IDs match
if ( provAttr.getAttributeIdentifier().hashCode() !=
ctxAttr.getAttrId().hashCode()) {
String message = "AttributeType for " + attributeType.getAttrType() + " defines " +
"another required context attribute (" + ctxAttr.getAttrId() +
") than provided (" + provAttr.getAttributeIdentifier();
logger.error("Invalid Assignment: " + message);
throw new InvalidParameterException(message);
} else {
contextDBAttrs.add(new ContextAttributeAssignment(provAttr.getValue(), ctxAttr, assignment));
return contextDBAttrs;
}
} else {
Map<AttributeIdentifier, ContextAttribute> tmpMap = new HashMap<AttributeIdentifier, ContextAttribute>();
for ( ContextAttribute ctxAttr : attributeType.getCtxTypes() ) {
tmpMap.put(ctxAttr.getAttrId(), ctxAttr);
}
for ( AuthoAttribute attrValue : contextAttributes ) {
if ( tmpMap.containsKey(attrValue.getAttributeIdentifier()) ) {
ContextAttribute ctxAttr = tmpMap.get(attrValue.getAttributeIdentifier());
contextDBAttrs.add(new ContextAttributeAssignment(attrValue.getValue(), ctxAttr, assignment));
} else {
String message = "AttributeType " + attributeType.getAttrType() +
" does not require the context attribute " + attrValue.getAttributeIdentifier();
logger.error("Invalid Assignment: " + message);
throw new InvalidParameterException(message);
}
}
return contextDBAttrs;
}
} else {
return null;
}
}
// session.createQuery("SELECT a.id FROM " +
// AttributeAssignment.class.getName() + " AS a " +
// " INNER JOIN a.ctxAttrAssignments as c " +
// " WHERE a.attrType = :attrType " +
// " AND ( ( a.validFrom >= :validFrom OR a.validTo >= :validTo ) AND " +
// " ( a.validFrom <= :validFrom OR a.validTo <= :validTo ) ) " +
// " AND a.value = :value " +
// " AND c.ctxAttribute = :ctxAttrTypeNull " +
// " AND c.value = :ctxAttrNull");
}

239
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/PDPStateManagement.java Normal file
View File

@ -0,0 +1,239 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate;
import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;
import eu.aniketos.securebpmn.xacml.api.SecurityError;
import eu.aniketos.securebpmn.xacml.api.ErrorType;
import eu.aniketos.securebpmn.xacml.api.ReasonType;
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
import eu.aniketos.securebpmn.xacml.api.autho.IPDPStateManagement;
import eu.aniketos.securebpmn.xacml.api.log.AccessControlRequest;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier;
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
public class PDPStateManagement implements IPDPStateManagement {
private static PDPStateManagement instance;
private PDPState pdpState;
private HibernateUtil dbUtil;
//private IPDP pdp;
private Map<String, AttributeDBIdentifier> attributes = new HashMap<String, AttributeDBIdentifier>();
private Map<String, Dependency> dependencies = new HashMap<String, Dependency>();
//private Map<AttributeDBIdentifier, Assignment> dependencies_remove = new HashMap<AttributeDBIdentifier, Assignment>();
private static Logger logger = Logger.getLogger(PDPStateManagement.class);
private static final String ATTRIBUTE = "attribute:",
DEPENDENCY = "dependency:";
public static final String CONFFILE_NAME = "pdpStateDependencies.conf";
public static PDPStateManagement getInstance() {
if ( instance == null ) {
instance = new PDPStateManagement();
}
return instance;
}
public static void main(String[] args) throws FileNotFoundException, IOException {
Properties log4jProps = new Properties();
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
PropertyConfigurator.configure(log4jProps);
PDPStateManagement.getInstance();
}
private PDPStateManagement() {
pdpState = PDPState.getInstance();
dbUtil = pdpState.getHibernateUtil();
try {
// check if there is a conf file on the class path
File confFile = new File(CONFFILE_NAME);
if ( ! confFile.exists() ) {
// try with conf before...
confFile = new File("conf/" +CONFFILE_NAME);
}
if ( ! confFile.exists() ) {
// try from mvn default test location
confFile = new File("src/test/resources/" +CONFFILE_NAME);
}
if ( confFile.exists()) {
logger.info("Reading PDPStateManagement configuration from " + confFile.getAbsolutePath());
readConfig(confFile);
}
else {
logger.warn("Reading PDPStateManagement configuration from jar; You might define a more accurate " + CONFFILE_NAME);
readConfig(this.getClass().getResourceAsStream("/" + CONFFILE_NAME));
}
} catch (IOException e) {
logger.error("Could not configuration file from PDPStateManagement: " + e.getMessage());
throw new RuntimeException(e);
}
}
public Map<String, Dependency> getDependencies() {
return Collections.unmodifiableMap(dependencies);
}
public void updatePDPState(AccessControlRequest request) throws SecurityError {
//get resource and action
URI resource = request.getResource();
Dependency assign = dependencies.get(resource.toString());
if ( assign == null ) {
logger.error("For the resource (" + resource + ") defined in log " + request.getEvaluationId() + " no assignment is defined");
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR, "Cannot update the PDPState: missing assignment definition");
} else {
assign.writeStateChange(request, pdpState);
}
}
private void readConfig(File confFile) throws IOException {
readConfig(new FileInputStream(confFile));
}
private void readConfig(InputStream stream) throws IOException {
BufferedReader reader = new BufferedReader(new InputStreamReader(stream));
String key = null;
AttributeDBIdentifier attrId = null;
String line = null;
while ( (line = reader.readLine()) != null ) {
line = line.trim();
if ( ! (line.startsWith("#") || line.length() == 0 ) ) {
if ( line.startsWith(ATTRIBUTE) ) {
key = line.substring(ATTRIBUTE.length(), line.length());
try {
attrId = readAttribute(reader);
if ( attributes.containsKey(key)) {
logger.warn("Overwriting attribute definition with key " + key);
}
attributes.put(key, attrId);
} catch (URISyntaxException e) {
logger.warn("Could not read attribute with key " + key + ": URISyntaxException: " + e.getMessage());
} catch (SyntaxError e) {
logger.warn("Could not read attribute with key " + key + ": Syntax Error: " + e.getMessage());
}
} else if ( line.startsWith(DEPENDENCY)) {
key = "null";
try {
key = line.substring(DEPENDENCY.length(), line.length()).trim();
Dependency assign = Dependency.readAssignment(key, reader, attributes, dbUtil);
if (dependencies.containsKey(key)) {
logger.warn("Overwriting dependency definition with key " + key);
}
this.dependencies.put(key, assign);
} catch (SyntaxError e) {
logger.warn("Could not read dependency with key " + key + ": SyntaxError: " + e.getMessage());
}
} else {
logger.warn("Ignoring misplace line " + line);
}
}
}
}
private AttributeDBIdentifier readAttribute(BufferedReader reader) throws IOException, URISyntaxException, SyntaxError {
URI category, attributeId, dataType, issuer;
category = readValueLine(reader);
dataType = readValueLine(reader);
attributeId = readValueLine(reader);
issuer = readValueLine(reader);
AttributeIdentifier attr = new AttributeIdentifier(category, dataType, attributeId, issuer);
return dbUtil.getAttributeDBIdentifier(attr);
}
private URI readValueLine(BufferedReader reader) throws IOException, URISyntaxException, SyntaxError {
String line = reader.readLine().trim();
if ( line.startsWith("#") ) {
return readValueLine(reader);
}
if ( "null".equals(line)) {
return null;
}
if ( line.length() == 0 || line.startsWith(ATTRIBUTE) || line.startsWith(DEPENDENCY)) {
throw new SyntaxError("Invalid line after attribute declaration: " + line);
}
return new URI(line);
}
// private void addDependency(String dependency) throws SyntaxError {
// int m = dependency.indexOf("->");
// if ( m == -1 ) {
// throw new SyntaxError("Missing assignment -> ");
// }
// String key = dependency.substring(0, m).trim();
// AttributeDBIdentifier dbKey = attributes.get(key);
//
//
// if ( dbKey == null ) {
// throw new SyntaxError("Attribute with key " + key + " is not defined so far");
// }
// List<AttributeDBIdentifier> dependencies = new Vector<AttributeDBIdentifier>();
// StringTokenizer tokenizer = new StringTokenizer(dependency.substring(m + 2), ",");
// while (tokenizer.hasMoreTokens()) {
// String token = tokenizer.nextToken().trim();
// if ( ! (token.length() == 0) ) {
// // some attributes may not depend on any other attribute
// if ( dependencies.size() == 0 && "null".equals(token) ) {
// this.dependenciesString.put(key, dependencies);
// this.dependencies.put(dbKey, dependencies);
// return;
// }
// AttributeDBIdentifier dependent = attributes.get(token);
// if ( dependent == null ) {
// throw new SyntaxError("Attribute with key " + dependent + " is not defined so far");
// } else {
// dependencies.add(dependent);
// }
// }
// }
// if ( dependencies.size() == 0 ) {
// throw new SyntaxError("No dependency is defined");
// }
// this.dependenciesString.put(key, dependencies);
// this.dependencies.put(dbKey, dependencies);
//}
//
//
}

31
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/SyntaxError.java Normal file
View File

@ -0,0 +1,31 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate;
/**
*
* Local exception which allows Dependency throw errors about illegal
* syntax to PDPStateAssignment
*
*/
class SyntaxError extends Exception {
private static final long serialVersionUID = -6261081989869542809L;
public SyntaxError(String string) {
super(string);
}
}

121
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/db/AttributeAssignment.java Normal file
View File

@ -0,0 +1,121 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate.db;
import java.sql.Timestamp;
import java.util.List;
/**
* This class represents a instantiation of the AttributeType meta-data class.
*
*/
public class AttributeAssignment {
/**
* DB generated ID
*/
protected long id = -1;
/**
* value for which it is valid, e.g., nurse
*/
protected String value;
/**
* beginning with which date the assignment is valid, per default -infinite
*/
protected Timestamp validFrom;
/**
* up to when the assignment is valid, per default +infinite
*/
protected Timestamp validTo;
/**
* which attributeType is instantiated; there, the meta data are stored, e.g.,
* that this is an assignment of an attribute "role".
*/
protected AttributeType attrType;
/**
* a list of attached attributes which are required from the context
* e.g., the subject-id with value "carol@myhospital.com"
*/
protected List<ContextAttributeAssignment> ctxAttrAssignments;
public AttributeAssignment() {
this.setValidFrom(null);
this.setValidTo(null);
}
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
public String getValue() {
return value;
}
public void setValue(String value) {
this.value = value;
}
public Timestamp getValidFrom() {
return validFrom;
}
public void setValidFrom(Timestamp validFrom) {
this.validFrom = validFrom;
if ( this.validFrom == null ) {
this.validFrom = new Timestamp(new java.util.Date().getTime());
}
}
public Timestamp getValidTo() {
return validTo;
}
public void setValidTo(Timestamp validTo) {
this.validTo = validTo;
if ( this.validTo == null ) {
this.validTo = new Timestamp(Long.MAX_VALUE);
}
}
public AttributeType getAttrType() {
return attrType;
}
public void setAttrType(AttributeType attributeType) {
this.attrType = attributeType;
}
public List<ContextAttributeAssignment> getCtxAttrAssignments() {
return ctxAttrAssignments;
}
public void setCtxAttrAssignments(
List<ContextAttributeAssignment> ctxAttrAssignments) {
this.ctxAttrAssignments = ctxAttrAssignments;
}
}

73
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/db/AttributeDBIdentifier.java Normal file
View File

@ -0,0 +1,73 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate.db;
import java.net.URI;
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
/**
* This class contains meta-data for the PDPState.
* <br/>
* allows to identify and reference an attribute as it is used within XACML;
* for the PDPState, this is more or less meta data information; i.e., all different
* types of attributes are listed here.
*
* this is the same implementation as for the LogServer; may be merged if both
* implementation are moved to one jar
*
*/
public class AttributeDBIdentifier extends AttributeIdentifier {
protected int id = -1;
public AttributeDBIdentifier(URI category, URI attributeType, URI attributeId, URI issuer) {
super(category, attributeType, attributeId, issuer);
}
public AttributeDBIdentifier(AttributeIdentifier attrId) {
super(attrId.getCategory(), attrId.getAttributeType(), attrId.getAttributeId(), attrId.getIssuer());
}
protected AttributeDBIdentifier() {
}
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public void setCategory(URI categrory) {
super.category = categrory;
}
public void setAttributeType(URI attributeType) {
super.attributeType = attributeType;
}
public void setAttributeId(URI attributeId) {
super.attributeId = attributeId;
}
public void setIssuer(URI issuer) {
super.issuer = issuer;;
}
}

83
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/db/AttributeType.java Normal file
View File

@ -0,0 +1,83 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate.db;
import java.util.List;
/**
* This class contains meta-data for the PDPState.
* <br/>
* The "main" metaData class for the PDPState; here, all known
* assignments are stored. This is needed to keep the database in
* a consistent and non-redundant state and to allow the PDPStateModule
* to retrieve the context information from the PDP in an easy way
*
*/
public class AttributeType {
/**
* DB generated ID
*/
protected int id = -1;
/**
* The type of attribute which can be resolved by this attributeType,
* e.g, role
*/
protected AttributeDBIdentifier attrType;
/**
* List of required attributes which are required to determine the
* assigned value (may be empty, e.g., in case of active policies),
* example: subject-id for attrTyp role
*/
protected List<ContextAttribute> ctxTypes;
public AttributeType(AttributeDBIdentifier attrType, List<ContextAttribute> ctxTypes) {
this.attrType = attrType;
this.ctxTypes = ctxTypes;
}
//empty constructor for hibernate
public AttributeType() {}
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public AttributeDBIdentifier getAttrType() {
return attrType;
}
public void setAttrType(AttributeDBIdentifier attrType) {
this.attrType = attrType;
}
public List<ContextAttribute> getCtxTypes() {
return ctxTypes;
}
public void setCtxTypes(List<ContextAttribute> ctxTypes) {
this.ctxTypes = ctxTypes;
}
}

75
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/db/ContextAttribute.java Normal file
View File

@ -0,0 +1,75 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate.db;
/**
* This class contains meta-data for the PDPState.
* <br/>
* It is (more or less) the technical implementation of the n:m mapping
* from AttributeType to AttributeDBIdentifier; however, it is referenced
* from ContextAttributeAssignment (mainly out of consistency and data
* space reasons) and therefore implemented as disting class
*
*/
public class ContextAttribute {
/**
* DB generated ID
*/
protected int id = -1;
/**
* defines the required attributeId
*/
protected AttributeDBIdentifier attrId;
/**
* the AttributeType it is assigned to
*/
protected AttributeType attrType;
public ContextAttribute() {}
public ContextAttribute(AttributeDBIdentifier attrId, AttributeType attrType) {
this.attrId = attrId;
this.attrType = attrType;
}
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public AttributeDBIdentifier getAttrId() {
return attrId;
}
public void setAttrId(AttributeDBIdentifier attrId) {
this.attrId = attrId;
}
public AttributeType getAttrType() {
return attrType;
}
public void setAttrType(AttributeType attrType) {
this.attrType = attrType;
}
}

123
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/db/ContextAttributeAssignment.java Normal file
View File

@ -0,0 +1,123 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate.db;
/**
* This class represents an assignment of a context attribute
* to an attribute assignment; one could also see ContextAttributeAssignments
* as constraints when a attributeAssignment is valid.
*/
public class ContextAttributeAssignment {
/**
* DB generated ID
*/
protected long id = -1;
/**
* the assigned value, e.g, nurse@hospital.de
*/
protected String value;
/**
* the context attribute which is instaniated
*/
protected ContextAttribute ctxAttribute;
/**
* the attribute assignment which is "constrained" with this
* context attribute assignment
*/
protected AttributeAssignment attrAssignment;
public ContextAttributeAssignment() {}
public ContextAttributeAssignment(String value, ContextAttribute ctxAttribute, AttributeAssignment attrAssignment) {
this.value = value;
this.ctxAttribute = ctxAttribute;
this.attrAssignment = attrAssignment;
}
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
public String getValue() {
return value;
}
public void setValue(String value) {
this.value = value;
}
public ContextAttribute getCtxAttribute() {
return ctxAttribute;
}
public void setCtxAttribute(ContextAttribute ctxAttribute) {
this.ctxAttribute = ctxAttribute;
}
public AttributeAssignment getAttrAssignment() {
return attrAssignment;
}
public void setAttrAssignment(AttributeAssignment attrAssignment) {
this.attrAssignment = attrAssignment;
}
// protected AttributeDBIdentifier attrType;
//
// public ContextAttributeAssignment(AttributeDBIdentifier attrType, String value) {
// this.attrType = attrType;
// this.value = value;
// }
//
// //empty constructor for hibernate
// public ContextAttributeAssignment() {}
//
// public Long getId() {
// return id;
// }
//
// public void setId(Long id) {
// this.id = id;
// }
//
// public AttributeDBIdentifier getAttrType() {
// return attrType;
// }
//
// public void setAttrType(AttributeDBIdentifier attrType) {
// this.attrType = attrType;
// }
//
// public String getValue() {
// return value;
// }
//
// public void setValue(String value) {
// this.value = value;
// }
}

210
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/db/HibernateUtil.java Normal file
View File

@ -0,0 +1,210 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate.db;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import org.apache.log4j.Logger;
import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.Transaction;
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
/**
* loads and caches the meta data tables
*
*/
public class HibernateUtil {
private static final Logger logger = Logger.getLogger(HibernateUtil.class);
private SessionFactory sessionFactory;
private Map<AttributeIdentifier, AttributeDBIdentifier> attrIds = null;
private Map<AttributeIdentifier, AttributeType> attrTypeIds = null;
private static HibernateUtil instance;
/**
* not that the HibernateUtil has to be instanciated first
* @return
*/
public static HibernateUtil getInstance() {
return instance;
}
public synchronized static HibernateUtil createHibernateUtil(SessionFactory factory) {
if ( instance != null ) {
logger.warn("HibernateUtil instance already exists");
}
instance = new HibernateUtil(factory);
return instance;
}
private HibernateUtil(SessionFactory factory) {
this.sessionFactory = factory;
attrIds = new HashMap<AttributeIdentifier, AttributeDBIdentifier>();
attrTypeIds = new HashMap<AttributeIdentifier, AttributeType>();
Session session = sessionFactory.getCurrentSession();
Transaction tx = session.beginTransaction();
Query query = session.createQuery("from " + AttributeDBIdentifier.class.getName());
List<?> l = query.list();
for ( Object val : l) {
AttributeDBIdentifier i = (AttributeDBIdentifier) val;
attrIds.put(i, i);
logger.debug("loaded AttrID " + i + ": " + i.getId());
}
query = session.createQuery("from " + AttributeType.class.getName());
l = query.list();
for ( Object val : l ) {
AttributeType i = ( AttributeType ) val;
attrTypeIds.put(i.getAttrType(), i);
logger.debug("loaded AttrType " + i.getAttrType() + ": " + i.getId());
}
tx.commit();
logger.info("Created HibernateUtil: " + attrIds.size() + " AttributeIdentifier(s), " + attrTypeIds.size() + " AttributeType(s)");
}
/**
* returns an attribute Identifier containing the ID from the database and therefore
* useable for database write and update operations
* @param attrId
* @return
*/
public AttributeDBIdentifier getAttributeDBIdentifier(AttributeIdentifier attrId) {
if ( attrIds.containsKey(attrId) ) {
return attrIds.get(attrId);
} else {
return addAttributeIdentifier(attrId);
}
}
/**
* returns if an attribute is already stored in the database
* @param attrId
* @return
*/
public boolean contains(AttributeIdentifier attrId) {
return attrTypeIds.containsKey(attrId);
}
/**
* add an attribute identifier to the database;<br/>
*
* this function checks first if the attribute is already stored, i.e., it
* can be called without the need to check if the attribute is already there.
* @param attrId
* @return
*/
public synchronized AttributeDBIdentifier addAttributeIdentifier(AttributeIdentifier attrId) {
if ( attrIds.containsKey(attrId) ) {
return attrIds.get(attrId);
} else {
AttributeDBIdentifier dbid = new AttributeDBIdentifier(attrId);
Session session = sessionFactory.getCurrentSession();
Transaction tx = session.beginTransaction();
session.save(dbid);
tx.commit();
logger.debug("Inserted AttrId " + dbid.getId() + " " + attrId);
attrIds.put(attrId, dbid);
return dbid;
}
}
/**
* checks if already some meta data (i.e., the AttributeType) for an
* attribute identifier is known by the database
* @param attrId
* @return
*/
public AttributeType getAttributeType(AttributeIdentifier attrId) {
return attrTypeIds.get(attrId);
}
/**
* add an attribute type to the database;<br/>
*
* this function checks first if the attribute type is already stored, i.e., it
* can be called without the need to check if the attribute type is already there.
* @param attrId
* @param contextAttr
* @return
*/
public synchronized AttributeType addAttributeType(AttributeIdentifier attrId, List<AttributeIdentifier> contextAttr) {
if ( attrTypeIds.containsKey(attrId) ) {
// this type is already defined, check if the given and the existing definition match
AttributeType type = attrTypeIds.get(attrId);
if ( type.getCtxTypes().size() != contextAttr.size() ) {
logger.warn("Existing AttributeType " + attrId + " does not match provided type definition (different context attribute count)");
return null;
}
if ( type.getCtxTypes().size() == 1 ) {
if ( ! type.getCtxTypes().get(0).getAttrId().equals(contextAttr.get(0)) ) {
logger.warn("Existing AttributeType " + attrId + " does not match provided type definition (contextAttr type does not match)");
return null;
}
} else if ( type.getCtxTypes().size() > 1 ) {
for ( ContextAttribute attr : type.getCtxTypes()) {
if ( ! contextAttr.contains(attr.getAttrType())) {
logger.warn("Existing AttributeType " + attrId + " does not match provided type definition (contextAttr type do not match)");
return null;
}
}
}
return type;
} else {
// List<AttributeDBIdentifier> contextDBAttrs = null;
// if ( contextAttr != null && contextAttr.size() > 0 ) {
// contextDBAttrs = new Vector<AttributeDBIdentifier>();
// for ( AttributeIdentifier id : contextAttr ) {
// contextDBAttrs.add(getAttributeDBIdentifier(id));
// }
// }
AttributeType attrType = new AttributeType();
attrType.setAttrType(getAttributeDBIdentifier(attrId));
List<ContextAttribute> contextDBAttrs = null;
if ( contextAttr != null && contextAttr.size() > 0 ) {
contextDBAttrs = new Vector<ContextAttribute>();
System.out.println("addAttributeType: " + attrType.getAttrType().getId() + ", " + attrType.getAttrType().toString());
for ( AttributeIdentifier id : contextAttr ) {
contextDBAttrs.add( new ContextAttribute(getAttributeDBIdentifier(id), attrType));
}
}
attrType.setCtxTypes(contextDBAttrs);
Session session = sessionFactory.getCurrentSession();
Transaction tx = session.beginTransaction();
session.save(attrType);
tx.commit();
logger.debug("Inserted AttrId " + attrType.getId() + " " + attrType);
attrTypeIds.put(attrId, attrType);
return attrType;
}
}
}

157
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/java/eu/aniketos/securebpmn/xacml/pdpstate/xacml/PDPStateModule.java Normal file
View File

@ -0,0 +1,157 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate.xacml;
import java.net.URI;
import java.sql.Timestamp;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Vector;
import org.apache.log4j.Logger;
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
import eu.aniketos.securebpmn.xacml.pdpstate.PDPState;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType;
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute;
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttributeAssignment;
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
import eu.aniketos.securebpmn.xacml.support.finder.IPDPStateEvaluationContext;
import com.sun.xacml.ConfigurationStore;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.ParsingException;
import com.sun.xacml.UnknownIdentifierException;
import com.sun.xacml.attr.AttributeFactory;
import com.sun.xacml.attr.AttributeValue;
import com.sun.xacml.attr.BagAttribute;
import com.sun.xacml.cond.EvaluationResult;
import com.sun.xacml.finder.AttributeFinderModule;
/**
* PDPState modules uses the backend database to check if it is responsible;
* if yes, it retrieves the information which attributes have to be resolved
* from the context form the database (which is more or less configuration and meta data).
* After retrieving the required data from the context, the actual assignments
* are queried from the database, the result is returned to the PDP
*
*/
public class PDPStateModule extends AttributeFinderModule {
private static PDPState pdpState = PDPState.getInstance();
private static HibernateUtil dbUtil = pdpState.getHibernateUtil();
private static final Logger logger = Logger.getLogger(PDPStateModule.class);
protected ConfigurationStore conf;
public boolean isDesignatorSupported() {
return true;
}
public void setConfigurationStore(ConfigurationStore conf) {
this.conf = conf;
}
@Override
public EvaluationResult findAttribute(URI category, URI attributeType,
URI attributeId, URI issuer,
EvaluationCtx context) {
AttributeIdentifier attrId = new AttributeIdentifier(category, attributeType, attributeId, issuer);
logger.debug("Got request for " + attrId.toString());
// check if we could have some value for this attribute
if ( dbUtil.contains(attrId)) {
//we are responsible, get what is there
AttributeType attrType = dbUtil.getAttributeType(attrId);
if ( logger.isDebugEnabled() ) {
logger.debug("Found AttributeType (id " + attrType.getId() + ") with " +
( attrType.getCtxTypes() == null ? "0" : attrType.getCtxTypes().size()) +
" dependencies");
}
//check if we have to resolve some context information and if yes, resolve it
List<ContextAttribute> contextAttrs = attrType.getCtxTypes();
List<ContextAttributeAssignment> contextAttrValues = null;
if ( contextAttrs != null && contextAttrs.size() > 0 ) {
contextAttrValues = new Vector<ContextAttributeAssignment>();
for ( ContextAttribute contextAttr : contextAttrs ) {
AttributeDBIdentifier id = contextAttr.getAttrId();
EvaluationResult result = context.getAttribute(id.getCategory(), id.getAttributeType(),
id.getAttributeId(), id.getIssuer());
if ( !result.getAttributeValue().isBag() ||
((BagAttribute) result.getAttributeValue()).size() != 1 ) {
logger.error("Did not retreive a bag with one (" +((BagAttribute) result.getAttributeValue()).size() +
") entry after attribute search! " +
"PDPStateModule allows only one value of dependent context attributes");
//TODO throw indeterminate message
return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
} else {
AttributeValue attrVal = ((BagAttribute) result.getAttributeValue()).iterator().next();
//X1 contextAttrValues.add(new ContextAttributeAssignment(contextAttr, attrVal.toString()));
// the
contextAttrValues.add(new ContextAttributeAssignment(attrVal.encode(), contextAttr, null));
logger.debug("Resolved " +attrVal.encode() + " for attribute " + id.toString() + " from the context");
}
}
}
// check if we have a specific context which tells us the exact point in time for which
// the attributes have to be resolved
Date queryTime = null;
if ( context instanceof IPDPStateEvaluationContext ) {
queryTime = ((IPDPStateEvaluationContext)context).getExecTime();
} else {
queryTime = new Date();
}
// execute query on pdpState
List<String> values = pdpState.getAttribute(attrType, contextAttrValues, new Timestamp(queryTime.getTime()));
if ( logger.isDebugEnabled() ) {
StringBuffer buff = new StringBuffer("Found " + values.size() + " value(s): ");
for (String value : values ) {
buff.append(value + ", ");
}
logger.debug(buff.toString());
}
if ( values == null || values.size() == 0 ){
return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
} else {
Collection<AttributeValue> attrValues = new Vector<AttributeValue>();
AttributeFactory attrFactory = AttributeFactory.getInstance();
for ( String value : values) {
try {
attrValues.add(attrFactory.createValue(attributeType, value));
} catch (UnknownIdentifierException e) {
logger.error("UnknownIdentifierException - " + e.getMessage() + ": cannot transform " + value + " to an attributeValue of type" + attributeType, e);
} catch (ParsingException e) {
logger.error("ParsingException - " + e.getMessage() + ": cannot transform " + value + " to an attributeValue of type" + attributeType, e);
}
}
return new EvaluationResult(new BagAttribute(attributeType, attrValues));
}
} else {
logger.debug("DBState does not have any value for this AttributeType");
// we are not responsible.. DBState does not have any value...
return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
}
}
}

103
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/resources/eu.aniketos.pdpState.xml Normal file
View File

@ -0,0 +1,103 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN" "http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
<hibernate-mapping>
<!-- AttributeDBIdentifier ATTRIBUTE_ID
contains meta information about managed attribute types -->
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier" table="ATTRIBUTE_ID">
<id name="id" column="ATTRIBUTE_ID_ID">
<generator class="native"/>
</id>
<property name="category" column="CATEGORY"/>
<property name="attributeType" column="TYPE" not-null="true"/>
<property name="attributeId" column="ATTRIBUTE_ID" not-null="true"/>
<property name="issuer" column="ISSUER"/>
</class>
<!-- ContextAttribute CONTEXT_ATTRIBUTE
n:m mapping between AttributeDBIdentifier and AttributeType as explicit class,
to be able to reference it from ContextAttribute Assignment -->
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute" table="CONTEXT_ATTRIBUTE">
<id name="id" column="CONTEXT_ATTRIBUTE_ID">
<generator class="native"/>
</id>
<many-to-one name="attrId" column="ATTR_ID" lazy="false" not-null="true"/>
<many-to-one name="attrType" column="ATTRTYPE_ID" lazy="false" not-null="true"/>
</class>
<!-- AttributeType ATTRIBUTE_TYPE
contains meta information about managed attribute assignments -->
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType" table="ATTRIBUTE_TYPE">
<id name="id" column="ATTRIBUTE_TYPE_ID">
<generator class="native"/>
</id>
<many-to-one name="attrType" column="ATTR_ID" not-null="true"/>
<bag name="ctxTypes" lazy="false" cascade="all">
<key column="ATTRTYPE_ID"/>
<one-to-many class="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute"/>
<!-- -->
</bag>
</class>
<!-- ContextAttributeAssignment CTXATTR_ASSIGNMENT -->
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttributeAssignment" table="CTXATTR_ASSIGNMENT">
<id name="id" column="CTXATTR_ASSIGNMENT_ID">
<generator class="native"/>
</id>
<property name="value" column="VALUE"/>
<many-to-one name="ctxAttribute" lazy="false" column="CTXATTR_ID" class="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute"/>
<many-to-one name="attrAssignment" lazy="false" column="ASSIGNMENT_ID" class="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment"/>
</class>
<!-- -->
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment" table="ATTR_ASSIGNMENT">
<id name="id" column="ATTR_ASSIGNMENT_ID">
<generator class="native"/>
</id>
<property name="value" column="VALUE" not-null="true"/>
<property name="validFrom" column="VALID_FROM" not-null="true"/>
<property name="validTo" column="VALID_TO" not-null="true"/>
<many-to-one name="attrType" column="ATTR_TYPE" class="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType"/>
<bag name="ctxAttrAssignments" lazy="false" cascade="all">
<key column="ASSIGNMENT_ID"/>
<one-to-many class="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttributeAssignment"/>
</bag>
</class>
<query name="getAttribute0"><![CDATA[SELECT a.value FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
WHERE a.attrType = :attrType
AND a.validTo >= :validAt AND a.validFrom <= :validAt ]]></query>
<query name="getAttribute1"><![CDATA[SELECT a.value FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
INNER JOIN a.ctxAttrAssignments as c
WHERE a.attrType = :attrType
AND a.validTo >= :validAt AND a.validFrom <= :validAt
AND c.ctxAttribute = :ctxAttrTypeNull
AND c.value = :ctxAttrNull ]]></query>
<query name="getAttribute2"><![CDATA[SELECT a.value FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
INNER JOIN a.ctxAttrAssignments as cnull
INNER JOIN a.ctxAttrAssignments as cone
WHERE a.attrType = :attrType
AND a.validTo >= :validAt AND a.validFrom <= :validAt
AND cnull.ctxAttribute = :ctxAttrTypeNull
AND cnull.value = :ctxAttrNull
AND cone.ctxAttribute = :ctxAttrTypeOne
AND cone.value = :ctxAttrOne]]></query>
<query name="getAssignmentIds0"><![CDATA[SELECT a.id FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
WHERE a.attrType = :attrType
AND ( ( a.validFrom >= :validFrom OR a.validTo >= :validTo ) AND
( a.validFrom <= :validFrom OR a.validTo <= :validTo ) )
AND a.value = :value]]></query>
<query name="getAssignmentIds1"><![CDATA[SELECT a.id FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
INNER JOIN a.ctxAttrAssignments as c
WHERE a.attrType = :attrType
AND ( ( a.validFrom >= :validFrom OR a.validTo >= :validTo ) AND
( a.validFrom <= :validFrom OR a.validTo <= :validTo ) )
AND a.value = :value
AND c.ctxAttribute = :ctxAttrTypeNull
AND c.value = :ctxAttrNull]]></query>
<query name="getAssignmentIds2"><![CDATA[SELECT a.id FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
INNER JOIN a.ctxAttrAssignments as cnull
INNER JOIN a.ctxAttrAssignments as cone
WHERE a.attrType = :attrType
AND ( ( a.validFrom >= :validFrom OR a.validTo >= :validTo ) AND
( a.validFrom <= :validFrom OR a.validTo <= :validTo ) )
AND a.value = :value
AND cnull.ctxAttribute = :ctxAttrTypeNull
AND cnull.value = :ctxAttrNull
AND cone.ctxAttribute = :ctxAttrTypeOne
AND cone.value = :ctxAttrOne]]></query>
</hibernate-mapping>

29
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/resources/hibernate.pdpState.cfg.xml Normal file
View File

@ -0,0 +1,29 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE hibernate-mapping PUBLIC
"-//Hibernate/Hibernate Mapping DTD 3.0//EN"
"http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
<session-factory>
<!-- Database connection settings -->
<property name="connection.driver_class">org.hsqldb.jdbcDriver</property>
<property name="connection.url">jdbc:hsqldb:hsql://localhost/pdpstate</property>
<property name="connection.username">sa</property>
<property name="connection.password"></property>
<!-- JDBC connection pool (use the built-in) -->
<property name="connection.pool_size">1</property>
<!-- SQL dialect -->
<property name="dialect">org.hibernate.dialect.HSQLDialect</property>
<!-- Enable Hibernate's automatic session context management -->
<property name="current_session_context_class">thread</property>
<!-- Disable the second-level cache -->
<property name="cache.provider_class">org.hibernate.cache.NoCacheProvider</property>
<!-- Echo all executed SQL to stdout -->
<property name="show_sql">true</property>
<!-- property name="format_sql">true</property -->
<!-- Drop and re-create the database schema on startup -->
<property name="hbm2ddl.auto">create</property> <!-- create vs validate vs create-drop -->
<mapping resource="eu.aniketos.securebpmn.xacml.pdpstate.xml" />
</session-factory>
</hibernate-configuration>

180
src/eu.aniketos.securebpmn.xacml.pdpstate/src/main/resources/pdpStateDependencies.conf Normal file
View File

@ -0,0 +1,180 @@
#
# this config files defines the used attributes and
# dependencies between attributes.
# empty lines and lines starting with # are ignored
#
# to define an attribute, write
#attribute:<key>
#<category>
#<dataType>
#<attributeId>
#<issuer>
#
# category, attributeId, dataType, and issuer have to be an URI (java.net.URI),
# issuer may be defined as "null". For example, the XACML standard resource id
# can be defined with
#attribute:urn:oasis:names:tc:xacml:1.0:resource:resource-id
#urn:oasis:names:tc:xacml:3.0:attribute-category:resource
#http://www.w3.org/2001/XMLSchema#string
#urn:oasis:names:tc:xacml:1.0:resource:resource-id
#null
#
# to define a dependency, write
#dependency:<resource>
#<key> -> null|[<dependent-key>, ]
#<key_n> -> <xacml-attr>
#
# <resource> is the resource (standard resource-id as defined in policy,
# e.g., a role assignment modelled as resource urn:runEx:role:assignment)
# <key> is the AttrType for which this depenedency is defined (e.g.,
# urn:custom:subject:role, using the key defined in the attribute: definition)
# <dependent-key> are those attributes (identified along the key of the
# attribute: definition) which are required at runtime to resolve the
# attribute, e.g., subject-id to resolve a role
# <key_n> -> <xacml-attr> defines the value of which xacml-attr of a request
# should be used for the dependent-key key_n
#
# For example
#dependency:urn:runEx:role:assignment
#urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
#urn:custom:subject:role -> urn:custom:resource:role
#urn:oasis:names:tc:xacml:1.0:subject:subject-id -> urn:custom:resource:subject-id
#
# defines that the role assignment in the xacml policy is modelled as resource
# urn:runEx:role:assignment and changes to this resource should trigger a
# policyState change.
# the AttrType urn:custom:subject:role requires the subject-id to be resolved
# at runtime. The value for the role (i.e., which role is assigned) can be
# retrieved from the request by getting the attribute urn:custom:resource:role
# from the request, the value for the subject (i.e., to which the role is
# assigned) can be retrieved by getting urn:custom:resource:subject-id from the
# request
#
#
# Note: an attribute has to be defined before it can be used within a
# dependency definition
#standard subject-id
attribute:urn:oasis:names:tc:xacml:1.0:subject:subject-id
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
http://www.w3.org/2001/XMLSchema#string
urn:oasis:names:tc:xacml:1.0:subject:subject-id
null
#standard resource-id
attribute:urn:oasis:names:tc:xacml:1.0:resource:resource-id
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
http://www.w3.org/2001/XMLSchema#string
urn:oasis:names:tc:xacml:1.0:resource:resource-id
null
#currentlyClaimedTasks
attribute:urn:custom:resource:cc-tasks
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
http://www.w3.org/2001/XMLSchema#string
urn:custom:resource:cc-tasks
null
#delegationCounter
attribute:urn:custom:resource:delegationCounter
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
http://www.w3.org/2001/XMLSchema#string
urn:custom:resource:delegationCounter
null
#role (assigned to subject)
attribute:urn:custom:subject:role
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
http://www.w3.org/2001/XMLSchema#string
urn:custom:subject:role
null
#if subject-id is treated as resource, e.g., if a role is assigned to a subject
attribute:urn:custom:resource:subject-id
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
http://www.w3.org/2001/XMLSchema#string
urn:custom:resource:subject-id
null
#if role is treated as resource, e.g., if a role is assigned to a subject
attribute:urn:custom:resource:role
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
http://www.w3.org/2001/XMLSchema#string
urn:custom:resource:role
null
#
attribute:urn:runEx:subject:qualifications
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
http://www.w3.org/2001/XMLSchema#string
urn:runEx:subject:qualifications
null
attribute:urn:runEx:subject:departments
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
http://www.w3.org/2001/XMLSchema#string
urn:runEx:subject:departments
null
attribute:urn:custom:resource:creator
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
http://www.w3.org/2001/XMLSchema#string
urn:custom:resource:creator
null
attribute:urn:runEx:patient:treating-departments
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
http://www.w3.org/2001/XMLSchema#string
urn:runEx:patient:treating-departments
null
attribute:urn:runEx:patient:treating-subjects
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
http://www.w3.org/2001/XMLSchema#string
urn:runEx:patient:treating-subjects
null
attribute:urn:custom:svnPolicyVersion
urn:oasis:names:tc:xacml:3.0:attribute-category:environment
http://www.w3.org/2001/XMLSchema#integer
urn:custom:svnPolicyVersion
null
attribute:urn:activePolicies
urn:oasis:names:tc:xacml:3.0:attribute-category:environment
http://www.w3.org/2001/XMLSchema#string
urn:activePolicies
null
attribute:urn:resource:activePolicies
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
http://www.w3.org/2001/XMLSchema#string
urn:resource:activePolicies
null
#
# DEPENDENCIES
#
# role assignment: to retrieve roles at runtime, resolve subject-id
dependency:urn:runEx:role:assignment
urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
urn:custom:subject:role -> urn:custom:resource:role
urn:oasis:names:tc:xacml:1.0:subject:subject-id -> urn:custom:resource:subject-id
# activation of policies: no dependent attributes
dependency:urn:runEx:activePolicies
urn:activePolicies -> null
urn:activePolicies -> urn:resource:activePolicies
#breakGlassState:urn:breakGlass:patient-subjDep
#urn:breakGlass:patient-subjDep -> urn:runEx:subject:departments, todo:patientid
#dependency:urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
#dependency:urn:runEx:subject:qualifications -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
#dependency:urn:runEx:subject:departments -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
#dependency:urn:custom:resource:creator -> urn:oasis:names:tc:xacml:1.0:resource:resource-id
#dependency:urn:runEx:patient:treating-departments ->
#dependency:

79
src/eu.aniketos.securebpmn.xacml.pdpstate/src/test/java/eu/aniketos/securebpmn/xacml/pdpstate/PDPStateManagementFoo.java Normal file
View File

@ -0,0 +1,79 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.List;
import java.util.Properties;
import junit.framework.Test;
import junit.framework.TestSuite;
import org.apache.log4j.PropertyConfigurator;
public class PDPStateManagementFoo {
private static PDPStateManagementFoo pdpStateMgt;
/**
* @param args
* @throws IOException
* @throws FileNotFoundException
* @throws InterruptedException
*/
public static void main(String[] args) throws FileNotFoundException, IOException, InterruptedException {
// Properties log4jProps = new Properties();
// log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
// PropertyConfigurator.configure(log4jProps);
//
// pdpStateMgt = PDPStateManagement.getInstance();
//
// pdpStateMgt.addRole("Alice", "Nurse");
// pdpStateMgt.addRole("Bob", "Doctor");
// pdpStateMgt.addRole("Bob", "Nurse");
// pdpStateMgt.addRole("Bob", "Admin");
// printRoles("Bob");
//
// pdpStateMgt.removeRole("Bob", "Admin");
//
// printRoles("Bob");
// printRoles("Alice");
// pdpStateMgt.addRole("Bob", "Admin");
//
// printRoles("Bob");
}
private static void printRoles(String subjectId) {
// List<String> roles = pdpStateMgt.getRoles(subjectId);
// System.out.print("Roles of " + subjectId + ": ");
// for (String role : roles) {
// System.out.print(role + ", ");
// }
// System.out.println("");
}
}

209
src/eu.aniketos.securebpmn.xacml.pdpstate/src/test/java/eu/aniketos/securebpmn/xacml/pdpstate/PDPStateStartup.java Normal file
View File

@ -0,0 +1,209 @@
/* Copyright 2012-2015 SAP SE
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package eu.aniketos.securebpmn.xacml.pdpstate;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URI;
import java.util.Date;
import java.util.List;
import java.util.Properties;
import java.util.Vector;
import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;
import com.sun.xacml.Constants;
import com.sun.xacml.attr.TypeIdentifierConstants;
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment;
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType;
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
public class PDPStateStartup {
private static final Logger logger = Logger.getLogger(PDPStateStartup.class);
public static PDPState pdpState;
/**
* @param args
* @throws IOException
* @throws FileNotFoundException
*/
public static void main(String[] args) throws FileNotFoundException, IOException {
Properties log4jProps = new Properties();
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
PropertyConfigurator.configure(log4jProps);
copyConfForTest();
pdpState = PDPState.getInstance();
//HibernateUtil hUtil = pdpState.getHibernateUtil();
List<String> values;
//checkRoleAttrType(hUtil);
//checkRoleAttrType(hUtil);
addRoleAssignment("alice", "Nurse");
addRoleAssignment("dave", "Doctor");
addRoleAssignment("dave", "Nurse");
addSubjectDepartment("alice", "Interne");
addSubjectDepartment("dave", "Chirurgie");
//pdpState.test();
values = getRoles("alice");
System.out.print("roles for alice: ");
for ( String value : values) {
System.out.print(value + ", ");
}
System.out.println("");
values = getRoles("dave");
System.out.print("roles for dave: ");
for ( String value : values) {
System.out.print(value + ", ");
}
System.out.println("");
addDummyAssignment("val1", "key1_1", "key2_1");
addDummyAssignment("val2", "key1_1", "key2_1");
addDummyAssignment("val3", "key1_2", "key2_1");
addDummyAssignment("val4", "key1_1", "key2_2");
values = getDummyAssignment("key1_2", "key2_1");
System.out.print("dummy assignment for key1_1/key2_1: ");
for ( String value : values) {
System.out.print(value + ", ");
}
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
contextAttrs.add(new AuthoAttribute(subjetIdentifier, "alice"));
//return pdpState.getAttribute(roleIdentifier, contextAttrs)
List<Long> assigns = pdpState.getAssignmentIds(roleIdentifier, "Nurse", contextAttrs, new Date(), new Date());
for ( Long id : assigns ) {
System.out.println("assigned id " + id);
}
}
/**
* checks if the role assignment is already defined => subject-roles requiring subject-id
* @param hUtil
*/
public static void checkRoleAttrType(HibernateUtil hUtil) {
logger.debug("Create role AttrId");
AttributeIdentifier roleId = new AttributeIdentifier(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI, null);
AttributeType attrType = hUtil.getAttributeType(roleId);
if ( attrType != null ) {
logger.debug("attrType role already exisits and has " + attrType.getCtxTypes().size() + " contextTypes");
} else {
List<AttributeIdentifier> contextAttrs = new Vector<AttributeIdentifier>();
contextAttrs.add(new AttributeIdentifier(Constants.SUBJECT_CAT, Constants.SUBJECT_ID, TypeIdentifierConstants.STRING_URI, null));
attrType = hUtil.addAttributeType(roleId, contextAttrs);
logger.debug("added role");
}
logger.debug("attrType role has id " + attrType.getId());
}
public static AttributeIdentifier roleIdentifier = new AttributeIdentifier(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI, null);
public static AttributeIdentifier subjetIdentifier = new AttributeIdentifier(Constants.SUBJECT_CAT, Constants.SUBJECT_ID, TypeIdentifierConstants.STRING_URI, null);
public static AttributeIdentifier subjDep = new AttributeIdentifier(Constants.SUBJECT_CAT, URI.create("department"), TypeIdentifierConstants.STRING_URI, null);
public static AttributeIdentifier fooIdentifier = new AttributeIdentifier(Constants.SUBJECT_CAT, URI.create("foo"), TypeIdentifierConstants.STRING_URI, null);
public static AttributeAssignment addRoleAssignment(String userId, String role) {
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
contextAttrs.add(new AuthoAttribute(subjetIdentifier, userId));
return pdpState.addAssignment(new AuthoAttribute(roleIdentifier, role), null, null, contextAttrs);
}
public static List<String> getRoles(String userId) {
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
contextAttrs.add(new AuthoAttribute(subjetIdentifier, userId));
return pdpState.getAttribute(roleIdentifier, contextAttrs);
}
public static AttributeAssignment addSubjectDepartment(String userId, String role) {
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
contextAttrs.add(new AuthoAttribute(subjetIdentifier, userId));
return pdpState.addAssignment(new AuthoAttribute(subjDep, role), null, null, contextAttrs);
}
public static AttributeAssignment addDummyAssignment(String foo, String bar, String baz) {
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
contextAttrs.add(new AuthoAttribute(roleIdentifier, bar));
contextAttrs.add(new AuthoAttribute(subjDep, baz));
return pdpState.addAssignment(new AuthoAttribute(subjetIdentifier, foo), null, null, contextAttrs);
}
public static List<String> getDummyAssignment(String bar, String baz) {
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
contextAttrs.add(new AuthoAttribute(roleIdentifier, bar));
contextAttrs.add(new AuthoAttribute(subjDep, baz));
return pdpState.getAttribute(subjetIdentifier, contextAttrs);
}
public static void copyConfForTest() throws IOException {
BufferedInputStream bIS = new BufferedInputStream(new FileInputStream(new File("src/main/resources/hibernate.cfg.xml")));
BufferedOutputStream bOS = new BufferedOutputStream(new FileOutputStream(new File("target/classes/hibernate.cfg.xml")));
byte[] buffer = new byte[4096];
int read = -1;
while ( (read = bIS.read(buffer)) != -1 ) {
bOS.write(buffer, 0, read);
}
bOS.flush();
bOS.close();
bIS = new BufferedInputStream(new FileInputStream(new File("src/main/resources/eu.aniketos.pdpState.xml")));
bOS = new BufferedOutputStream(new FileOutputStream(new File("target/classes/eu.aniketos.pdpState.xml")));
while ( (read = bIS.read(buffer)) != -1 ) {
bOS.write(buffer, 0, read);
}
bOS.flush();
bOS.close();
}
}

19
src/eu.aniketos.securebpmn.xacml.pdpstate/src/test/log4j.properties Normal file
View File

@ -0,0 +1,19 @@
log4j.rootLogger=INFO, console
log4j.appender.logfile=org.apache.log4j.FileAppender
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
log4j.appender.logfile.layout.ConversionPattern=%d [%t] %-5p %c - %m%n
log4j.appender.logfile.File=${catalina.base}/logs/pdp.log
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern=%-5p %c - %m%n
# %d [%t]
log4j.logger.eu.aniketos=DEBUG
log4j.logger.com.sun.xacml=DEBUG
log4j.logger.org.apache.commons.httpclient.HttpMethodDirector=WARN