Initial commit eu.aniketos.securebpmn.xacml.pdpstate.
This commit is contained in:
parent
4da3d4e4dd
commit
69e1be00be
|
@ -14,6 +14,7 @@
|
|||
<module>../com.sun.xacml.support</module>
|
||||
<module>../eu.aniketos.securebpmn.xacml.api</module>
|
||||
<module>../eu.aniketos.securebpmn.xacml.support</module>
|
||||
<module>../eu.aniketos.securebpmn.xacml.pdpstate</module>
|
||||
</modules>
|
||||
<build>
|
||||
<plugins>
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<parent>
|
||||
<groupId>eu.aniketos.securebpmn.xacml</groupId>
|
||||
<artifactId>eu.aniketos.securebpmn.xacml.parent</artifactId>
|
||||
<version>1.0</version>
|
||||
<relativePath>../eu.aniketos.securebpmn.xacml.parent/pom.xml</relativePath>
|
||||
</parent>
|
||||
<artifactId>eu.aniketos.securebpmn.xacml.pdpstate</artifactId>
|
||||
<version>0.1</version>
|
||||
<packaging>jar</packaging>
|
||||
<name>SecureBPMN XACML - PDP State</name>
|
||||
<url>http://maven.apache.org</url>
|
||||
<properties>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
</properties>
|
||||
<build>
|
||||
<finalName>${artifactId}</finalName>
|
||||
<plugins>
|
||||
<!-- Java 1.5 -->
|
||||
<plugin>
|
||||
<version>2.3.2</version>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
<configuration>
|
||||
<source>1.5</source>
|
||||
<target>1.5</target>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>junit</groupId>
|
||||
<artifactId>junit</artifactId>
|
||||
<version>[4.8,)</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>log4j</groupId>
|
||||
<artifactId>log4j</artifactId>
|
||||
<version>[1.2,)</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.hibernate</groupId>
|
||||
<artifactId>hibernate-core</artifactId>
|
||||
<version>3.5.4-Final</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>hsqldb</groupId>
|
||||
<artifactId>hsqldb</artifactId>
|
||||
<version>[1,)</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>eu.aniketos.securebpmn.xacml</groupId>
|
||||
<artifactId>eu.aniketos.securebpmn.xacml.api</artifactId>
|
||||
<version>0.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>eu.aniketos.securebpmn.xacml</groupId>
|
||||
<artifactId>eu.aniketos.securebpmn.xacml.support</artifactId>
|
||||
<version>1.0</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>eu.aniketos.securebpmn.xacml</groupId>
|
||||
<artifactId>com.sun.xacml</artifactId>
|
||||
<version>0.1</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</project>
|
|
@ -0,0 +1,168 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier;
|
||||
|
||||
/**
|
||||
*
|
||||
* This class allows to modify the PDP State directly, i.e.,
|
||||
* without creating an access control request, getting an
|
||||
* urn:custom:notifyPDPState obligation and sending it to
|
||||
* the PDPServer. <br/>
|
||||
* It is intended as class for setting demos, but can also be used
|
||||
* to implement simple scenarios where, e.g., the assignment of roles
|
||||
* is not considered and not policies are therefore available
|
||||
*
|
||||
*/
|
||||
public class DemoPDPStateMgt {
|
||||
|
||||
/*
|
||||
* to modify the pdpState;
|
||||
*/
|
||||
private PDPState pdpState;
|
||||
private Map<String, Dependency> dependencies;
|
||||
|
||||
private static final String ROLEASSIGNMENT = "urn:runEx:role:assignment";
|
||||
private AttributeDBIdentifier roleIdentifier, role_dep1;
|
||||
|
||||
private static final String POLICIES = "urn:runEx:activePolicies";
|
||||
private AttributeDBIdentifier policyIdentifier;
|
||||
|
||||
private static DemoPDPStateMgt instance;
|
||||
|
||||
private static final Logger logger = Logger.getLogger(DemoPDPStateMgt.class);
|
||||
|
||||
|
||||
public static DemoPDPStateMgt getInstance() {
|
||||
return instance;
|
||||
}
|
||||
|
||||
public DemoPDPStateMgt() {
|
||||
instance = this;
|
||||
dependencies = PDPStateManagement.getInstance().getDependencies();
|
||||
pdpState = PDPState.getInstance();
|
||||
|
||||
Dependency roleAssignment = dependencies.get(ROLEASSIGNMENT);
|
||||
if ( roleAssignment == null ) {
|
||||
logger.error("Could not find role assignment definition in the " +
|
||||
"configuration of PDPStateManagement; you have to define " +
|
||||
"the role assignment with key " + ROLEASSIGNMENT + " in " +
|
||||
"the configuration file " + PDPStateManagement.CONFFILE_NAME);
|
||||
throw new RuntimeException("Missing configuration for dependency " + ROLEASSIGNMENT);
|
||||
} else {
|
||||
roleIdentifier = roleAssignment.getAttributeIdentifier();
|
||||
role_dep1 = roleAssignment.getDependingAttributeIdentifier(0);
|
||||
}
|
||||
|
||||
Dependency policiesAssignment = dependencies.get(POLICIES);
|
||||
if ( policiesAssignment == null ) {
|
||||
logger.error("Could not find policy assignment definition in the " +
|
||||
"configuration of PDPStateManagement; you have to define " +
|
||||
"the role assignment with key " + POLICIES + " in " +
|
||||
"the configuration file " + PDPStateManagement.CONFFILE_NAME);
|
||||
throw new RuntimeException("Missing configuration for dependency " + POLICIES);
|
||||
} else {
|
||||
policyIdentifier = policiesAssignment.getAttributeIdentifier();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
public List<String> getRoles(String subjectId) {
|
||||
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
contextAttrs.add(new AuthoAttribute(role_dep1, subjectId));
|
||||
return pdpState.getAttribute(roleIdentifier, contextAttrs);
|
||||
}
|
||||
|
||||
public void addRole(String subjectId, String role) {
|
||||
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
contextAttrs.add(new AuthoAttribute(role_dep1, subjectId));
|
||||
AuthoAttribute roleAttr = new AuthoAttribute(roleIdentifier, role);
|
||||
// use default dates assigned by PDPState: now for from, ever for to
|
||||
pdpState.addAssignment(roleAttr, null, null, contextAttrs);
|
||||
}
|
||||
|
||||
public void removeRole(String subjectId, String role) {
|
||||
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
contextAttrs.add(new AuthoAttribute(role_dep1, subjectId));
|
||||
AuthoAttribute roleAttr = new AuthoAttribute(roleIdentifier, role);
|
||||
|
||||
pdpState.endAssignment(roleAttr, null, contextAttrs);
|
||||
}
|
||||
|
||||
public List<String> getActivePolicies() {
|
||||
return pdpState.getAttribute(policyIdentifier, null);
|
||||
}
|
||||
|
||||
public void addActivePolicy(String policyId) {
|
||||
AuthoAttribute policyAttr = new AuthoAttribute(policyIdentifier, policyId);
|
||||
pdpState.addAssignment(policyAttr, null, null, null);
|
||||
}
|
||||
|
||||
public void removeActivePolicy(String policyId) {
|
||||
AuthoAttribute policyAttr = new AuthoAttribute(policyIdentifier, policyId);
|
||||
pdpState.endAssignment(policyAttr, null, null);
|
||||
}
|
||||
|
||||
// public List<String> getRoles(String subjectId) {
|
||||
// List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
// contextAttrs.add(new AuthoAttribute(role_dep1, subjectId));
|
||||
// return pdpState.getAttribute(roleIdentifier, contextAttrs);
|
||||
// }
|
||||
|
||||
// public List<String> getQualifications(String subjectId) {
|
||||
// //TODO
|
||||
// return null;
|
||||
//}
|
||||
//
|
||||
//public void addQualifications(String subjectId, String qualification) {
|
||||
// //TODO qualification
|
||||
//}
|
||||
//
|
||||
//public void removeQualification(String subjectId, String qualification) {
|
||||
// //TODO
|
||||
//}
|
||||
//
|
||||
//public void createResource(URI resource, String creator) {
|
||||
//
|
||||
//}
|
||||
//
|
||||
//public String getCreator(URI resource) {
|
||||
// return null;
|
||||
//}
|
||||
//
|
||||
//public List<String> getDepartments(String subjectId) {
|
||||
// //TODO
|
||||
// return null;
|
||||
//}
|
||||
//
|
||||
//public void addDepartment(String subjectId, String department) {
|
||||
// //TODO qualification
|
||||
//}
|
||||
//
|
||||
//public void removeDepartment(String subjectId, String department) {
|
||||
// //TODO
|
||||
//}
|
||||
|
||||
}
|
|
@ -0,0 +1,327 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate;
|
||||
|
||||
import java.io.BufferedReader;
|
||||
import java.io.IOException;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.StringTokenizer;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.ErrorType;
|
||||
import eu.aniketos.securebpmn.xacml.api.ReasonType;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.DesignatorAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.api.log.AccessControlRequest;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
|
||||
|
||||
/**
|
||||
*
|
||||
* This class stores the types of known assignments and how to retrieve
|
||||
* the required information from an XACML request. For example, consider a role
|
||||
* assignment. The configuration might look like this:<br/>
|
||||
* dependency:runEx:role:assignment <br/>
|
||||
* urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id<br/>
|
||||
* urn:custom:subject:role -> attribute:urn:custom:resource:role<br/>
|
||||
* urn:oasis:names:tc:xacml:1.0:subject:subject-id -> urn:custom:resource:subject-id<br/>
|
||||
* <br/>
|
||||
* This config says:
|
||||
* <ul>
|
||||
* <li> define a dependency for the resource (in the XACML policy) runEx:role:assignment</li>
|
||||
* <li> to retrieve a role, one needs the subject-id (those are keys
|
||||
* which have to be defined in the configuration file first)</li>
|
||||
* <li> the attributes for role (urn:custom:subject:role) can be retrieved by getting
|
||||
* all attribute:urn:custom:resource:role attributes from the XACML request</li>
|
||||
* <li> the attribute for subject-Id (urn:oasis:names:tc:xacml:1.0:subject:subject-id) can be retrieved
|
||||
* by getting all urn:custom:resource:subject-id attribues from the XACML request</li>
|
||||
* </ul>
|
||||
*
|
||||
*/
|
||||
public class Dependency {
|
||||
|
||||
/**
|
||||
* resource for which this assignment is valid (as defined in the configuration file)
|
||||
* e.g., urn:role:assignment
|
||||
*/
|
||||
private String resourceKey;
|
||||
|
||||
|
||||
private AttributeType type;
|
||||
|
||||
/**
|
||||
* all pdpStateDependencies have to be retrieved from an XACML request;
|
||||
* this map defines which attribute has to be retrieved from the XACML request (value)
|
||||
* and assigned to which attribute stored in the db (key).
|
||||
*
|
||||
* Note that the attributes in the XACML have to be different, e.g., when
|
||||
* assigning a role, one cannot use the role attribute to define the to be assigned roles,
|
||||
* i.e., the roles have to treated as resource; so is the subject-id for the role assignment.
|
||||
*/
|
||||
private Map<AttributeDBIdentifier, AttributeDBIdentifier> requestDependencies;
|
||||
|
||||
|
||||
private static Logger logger = Logger.getLogger(Dependency.class);
|
||||
|
||||
|
||||
public Dependency(String key, AttributeType type,
|
||||
Map<AttributeDBIdentifier, AttributeDBIdentifier> requestDependencies) {
|
||||
this.resourceKey = key;
|
||||
this.type = type;
|
||||
this.requestDependencies = requestDependencies;
|
||||
}
|
||||
|
||||
|
||||
public List<ContextAttribute> getDependingAttributes() {
|
||||
return type.getCtxTypes();
|
||||
}
|
||||
|
||||
public AttributeDBIdentifier getDependingAttributeIdentifier(int index) {
|
||||
return type.getCtxTypes().get(index).getAttrId();
|
||||
}
|
||||
|
||||
public AttributeDBIdentifier getAttributeIdentifier() {
|
||||
return type.getAttrType();
|
||||
}
|
||||
|
||||
public String getResourceKey() {
|
||||
return resourceKey;
|
||||
}
|
||||
|
||||
/**
|
||||
* creates a new Assignment based on the configuration file and assures that
|
||||
* there are no conflicting definitions within the database.
|
||||
*
|
||||
* @param resource
|
||||
* @param reader
|
||||
* @param attributes
|
||||
* @return
|
||||
* @throws IOException
|
||||
* @throws SyntaxError
|
||||
*/
|
||||
public static Dependency readAssignment(String resource, BufferedReader reader,
|
||||
Map<String, AttributeDBIdentifier> attributes, HibernateUtil dbUtil) throws IOException, SyntaxError {
|
||||
// get the dependency definition line, e.g., urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
|
||||
String dependency = reader.readLine();
|
||||
int m = dependency.indexOf("->");
|
||||
if ( m == -1 ) {
|
||||
throw new SyntaxError("Missing assignment -> ");
|
||||
}
|
||||
// get the attribute for which the dependency is defined - key points to a attribute: definition
|
||||
String key = dependency.substring(0, m).trim();
|
||||
AttributeDBIdentifier dbKey = attributes.get(key);
|
||||
if ( dbKey == null ) {
|
||||
logger.error("Creating Dependency " + resource +", but Attribute with key " + key + " is not defined so far");
|
||||
throw new SyntaxError("Attribute with key " + key + " is not defined so far");
|
||||
}
|
||||
if (logger.isDebugEnabled() ) {
|
||||
logger.debug("Creating Dependency " + resource + " for attribute " + key + " -> " + dbKey.toString());
|
||||
}
|
||||
|
||||
// read all dependencies for this attribute and create or get AttributeType based on those definitions
|
||||
List<AttributeIdentifier> dependencies = new Vector<AttributeIdentifier>(); //bullshit, but cannot cast from List<AttributeDBIdentifier> to List<AttributeIdentifier>
|
||||
// also keep track of all defined dependencies, as they are needed afterwards
|
||||
List<String> dependencyKeys = new Vector<String>();
|
||||
dependencyKeys.add(key);
|
||||
boolean noDependency = false;
|
||||
StringTokenizer tokenizer = new StringTokenizer(dependency.substring(m + 2), ",");
|
||||
while (tokenizer.hasMoreTokens()) {
|
||||
String token = tokenizer.nextToken().trim();
|
||||
if ( ! (token.length() == 0) ) {
|
||||
if ( dependencies.size() == 0 && "null".equals(token) ) {
|
||||
// some attributes may not depend on any other attribute, but they have to define this, i.e., write attributeKey -> null
|
||||
noDependency = true;
|
||||
} else {
|
||||
AttributeDBIdentifier dependent = attributes.get(token);
|
||||
if ( dependent == null ) {
|
||||
logger.error("Creating Dependency " + resource +", but Attribute with key " + dependent + " is not defined so far");
|
||||
throw new SyntaxError("Attribute with key " + dependent + " is not defined so far");
|
||||
} else {
|
||||
// dependencies_delete.add(dependent);
|
||||
dependencies.add(dependent);
|
||||
dependencyKeys.add(token);
|
||||
if ( logger.isDebugEnabled() ) {
|
||||
logger.debug("Found dependency to attribute " + token + ", referencing to " + dependent.toString());
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if ( dependencies.size() == 0 && ! noDependency) {
|
||||
logger.error("For dependency " + resource + " (attribute " + key + " no dependencies are defined");
|
||||
throw new SyntaxError("No dependency is defined");
|
||||
}
|
||||
|
||||
AttributeType type = dbUtil.addAttributeType(dbKey, dependencies);
|
||||
if ( type == null ) {
|
||||
logger.warn("Could not retrieve AttributeType for configuration of assignment " + dbKey + ": different definition already exists");
|
||||
throw new SyntaxError("Invalid configuration: Different definition already exists");
|
||||
} else if (logger.isDebugEnabled() ) {
|
||||
logger.debug("Got AttributeType with id " + type.getId() + " for dependency:" + resource);
|
||||
}
|
||||
/* ok, we got the AttributeType definition for this dependency, now
|
||||
* we have to get the information which element from a XACML request has to be retrieved
|
||||
* to update the PDPState accordingly
|
||||
*/
|
||||
Map<AttributeDBIdentifier, AttributeDBIdentifier> requestDependencies = new HashMap<AttributeDBIdentifier, AttributeDBIdentifier>();
|
||||
for ( String dep : dependencyKeys ) {
|
||||
String confLine = readValueLine(reader);
|
||||
m = confLine.indexOf("->");
|
||||
String dbAttr, requAttr;
|
||||
dbAttr = confLine.substring(0, m).trim();
|
||||
requAttr = confLine.substring(m + 2, confLine.length()).trim();
|
||||
|
||||
if ( ! dbAttr.equals(dep)) {
|
||||
throw new SyntaxError("Invalid assignment: expected assignment for " + dep + " (line: " + confLine + ")");
|
||||
} else {
|
||||
AttributeDBIdentifier requDBAttr = attributes.get(requAttr);
|
||||
if ( requDBAttr == null ) {
|
||||
throw new SyntaxError("Attribute with key " + requAttr + " is not defined so far");
|
||||
} else {
|
||||
requestDependencies.put(attributes.get(dbAttr), requDBAttr);
|
||||
if ( logger.isDebugEnabled() ) {
|
||||
logger.debug("XACML request attr " + requAttr + " is mapped to " + dbAttr + " (" + requDBAttr + " -> " + attributes.get(dbAttr) + ")");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return new Dependency(resource, type, requestDependencies);
|
||||
}
|
||||
|
||||
private static String readValueLine(BufferedReader reader) throws IOException, SyntaxError {
|
||||
String line = reader.readLine().trim();
|
||||
if ( line.startsWith("#") ) {
|
||||
return readValueLine(reader);
|
||||
} else {
|
||||
return line;
|
||||
}
|
||||
}
|
||||
|
||||
private List<String> getValues(AccessControlRequest request, AttributeDBIdentifier attr) {
|
||||
List<String> values = new Vector<String>();
|
||||
|
||||
for ( DesignatorAttribute designAttr : request.getDesignatorAttributes()) {
|
||||
if ( designAttr.getAttrId().equals(attr)) {
|
||||
values.addAll(designAttr.getValues());
|
||||
// break; // should be ok, as only one entry for one attr should be there.. anyhow
|
||||
}
|
||||
}
|
||||
for ( AuthoAttribute authoAttr : request.getAttributes()) {
|
||||
if ( authoAttr.getAttributeIdentifier().equals(attr)) {
|
||||
values.add(authoAttr.getValue());
|
||||
}
|
||||
}
|
||||
return values;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* This functions receives an executed and recorded AccessControlRequest and
|
||||
* reads all needed values from the xacml request and stores the according
|
||||
* state changes to the PDPState
|
||||
* @param request
|
||||
* @param pdpState
|
||||
* @throws SecurityError
|
||||
*/
|
||||
public void writeStateChange(AccessControlRequest request, PDPState pdpState) throws SecurityError {
|
||||
|
||||
// get the values we should assign from the request
|
||||
List<String> assignValues = getValues(request, requestDependencies.get(type.getAttrType()));
|
||||
if ( assignValues.size() == 0 ) {
|
||||
logger.error("Nothing found in the request " + request.getEvaluationId().longValue());
|
||||
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR,
|
||||
"Request " + request.getEvaluationId() + " did not contain the required information");
|
||||
}
|
||||
|
||||
if ( logger.isDebugEnabled() ) {
|
||||
StringBuffer message = new StringBuffer("Found " + assignValues.size() + " value(s) (");
|
||||
for (String value : assignValues ) {
|
||||
message.append(value + ", ");
|
||||
}
|
||||
message.append(") to write to the PDP state for " + this.resourceKey + " (" + this.type.getCtxTypes().size() + " depending ctx Attribute(s))");
|
||||
logger.debug(message.toString());
|
||||
}
|
||||
|
||||
// depending on the number of context attributes, we have to retrieve those values from the request
|
||||
// and create the according assignment for the PDP state
|
||||
if ( type.getCtxTypes().size() == 0 ) {
|
||||
for ( String value : assignValues ) {
|
||||
//pdpState.addAssignment(type, value, null, null, null);
|
||||
pdpState.addAssignment(new AuthoAttribute(type.getAttrType(), value), null, null, null);
|
||||
}
|
||||
logger.info("Added " + assignValues.size() + " assignments for " + type.getAttrType() + " to the PDPState");
|
||||
} else if ( type.getCtxTypes().size() == 1 ) {
|
||||
// we have the AttributeType which tells us how much context Attributes we need;
|
||||
// from this, we can get the attribute identifier which identifies the attributes in the xacml request
|
||||
AttributeDBIdentifier ctxAttrType = requestDependencies.get(type.getCtxTypes().get(0).getAttrId());
|
||||
// get the according values
|
||||
List<String> ctxValues = getValues(request, ctxAttrType);
|
||||
// if there are no values, there is something wrong; terminate
|
||||
if ( ctxValues == null || ctxValues.size() == 0 ) {
|
||||
logger.error("Could not find values for contextAttribute " + ctxAttrType + " in the request");
|
||||
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR,
|
||||
"Request " + request.getEvaluationId() + " did not contain the required information");
|
||||
} else if ( logger.isDebugEnabled() ) {
|
||||
StringBuffer message = new StringBuffer("Found " + ctxValues.size() + " value(s) (");
|
||||
for (String value : ctxValues ) {
|
||||
message.append(value + ", ");
|
||||
}
|
||||
message.append(") for " + ctxAttrType.toString());
|
||||
logger.debug(message.toString());
|
||||
}
|
||||
|
||||
for ( String value: assignValues ) {
|
||||
AuthoAttribute valueAttr = new AuthoAttribute(type.getAttrType(), value);
|
||||
for ( String ctxValue : ctxValues ) {
|
||||
List<AuthoAttribute> ctxAttr = new Vector<AuthoAttribute>();
|
||||
ctxAttr.add(new AuthoAttribute(type.getCtxTypes().get(0).getAttrId(), ctxValue));
|
||||
pdpState.addAssignment(valueAttr, null, null, ctxAttr);
|
||||
}
|
||||
}
|
||||
logger.info("Added " + (assignValues.size()*ctxValues.size()) + " assignments for " + type.getAttrType() + " to the PDPState");
|
||||
} else {
|
||||
// here, we do for now only allow one value for every context attribute
|
||||
List<AuthoAttribute> ctxAttrs = new Vector<AuthoAttribute>();
|
||||
List<String> ctxValues;
|
||||
|
||||
for ( ContextAttribute ctxAttr : type.getCtxTypes() ) {
|
||||
ctxValues = getValues(request, ctxAttr.getAttrId());
|
||||
if ( ctxValues.size() != 1) {
|
||||
logger.error("Expected 1 value for " + ctxAttr.getAttrId() + " in request " +
|
||||
request.getEvaluationId() + ", but found " + ctxValues.size());
|
||||
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR,
|
||||
"Request " + request.getEvaluationId() + " did not contain the required information");
|
||||
} else {
|
||||
ctxAttrs.add(new AuthoAttribute(ctxAttr.getAttrId(), ctxValues.get(0)));
|
||||
}
|
||||
}
|
||||
|
||||
for ( String value : assignValues ) {
|
||||
pdpState.addAssignment(new AuthoAttribute(type.getAttrType(), value), null, null, ctxAttrs);
|
||||
}
|
||||
logger.info("Added " + assignValues.size() + " assignments for " + type.getAttrType() + " to the PDPState");
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,51 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate;
|
||||
|
||||
public class InvalidAssignmentException extends RuntimeException {
|
||||
|
||||
private static final long serialVersionUID = -387842157062192483L;
|
||||
|
||||
public enum Reason {
|
||||
OVERLAPPING_ASSIGNMENT, //there already exists an assignment
|
||||
INVALID_DATE_NO_TIMEFRAME, //the dates do not spawn a time frame, i.e, from is after to
|
||||
INVALID_DATE_MODIFICATION_OF_PAST, //it is not allowed to do assignments in the past
|
||||
NO_ASSIGNMENT_AVAILABLE, // for the defined contraints (type, time) no such assignment is available
|
||||
INVALID_STATE // worst case - invalid state...
|
||||
}
|
||||
|
||||
private Reason reason;
|
||||
private String message;
|
||||
|
||||
public InvalidAssignmentException(Reason reason) {
|
||||
this.reason = reason;
|
||||
}
|
||||
|
||||
public InvalidAssignmentException(Reason reason, String message) {
|
||||
this.reason = reason;
|
||||
this.message = message;
|
||||
}
|
||||
|
||||
public Reason getReason() {
|
||||
return reason;
|
||||
}
|
||||
|
||||
public String getMessage() {
|
||||
//TODO generate default message according to reason
|
||||
return message;
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,490 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.security.InvalidParameterException;
|
||||
import java.sql.Timestamp;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Vector;
|
||||
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
import org.hibernate.Query;
|
||||
import org.hibernate.Session;
|
||||
import org.hibernate.SessionFactory;
|
||||
import org.hibernate.Transaction;
|
||||
import org.hibernate.cfg.Configuration;
|
||||
import org.w3c.dom.Document;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.InvalidAssignmentException.Reason;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttributeAssignment;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
|
||||
|
||||
/**
|
||||
*
|
||||
* Manages the state of the PDP as it can be retrieved from the PDPStateModule.
|
||||
*
|
||||
* Changes have to be done through this class ans especially through the HibernateUtil,
|
||||
* as here some caching is implemented. Bypassing this caching mechanism will result in
|
||||
* strange errors.
|
||||
*
|
||||
*/
|
||||
public class PDPState {
|
||||
|
||||
private static PDPState instance;
|
||||
public static final String CONFFILE_NAME = "hibernate.pdpState.cfg.xml";
|
||||
|
||||
private SessionFactory factory;
|
||||
private HibernateUtil hibernateUtil;
|
||||
|
||||
private static final Logger logger = Logger.getLogger(PDPState.class);
|
||||
|
||||
private static final String ATTRTYPE = "attrType",
|
||||
VALIDAT = "validAt",
|
||||
VALIDFROM = "validFrom",
|
||||
VALIDTO = "validTo",
|
||||
VALUE = "value",
|
||||
CTXATTRTYP0 = "ctxAttrTypeNull",
|
||||
CTXATTR0 = "ctxAttrNull",
|
||||
CTXATTRTYP1 = "ctxAttrTypeOne",
|
||||
CTXATTR1 = "ctxAttrOne";
|
||||
|
||||
public static PDPState getInstance() {
|
||||
if ( instance == null ) {
|
||||
createInstance();
|
||||
}
|
||||
return instance;
|
||||
}
|
||||
|
||||
private static synchronized void createInstance() {
|
||||
if ( instance == null ) {
|
||||
instance = new PDPState();
|
||||
}
|
||||
}
|
||||
|
||||
private PDPState() {
|
||||
logger.debug("Starting PDPState Server: Creating SessionFactory");
|
||||
factory = buildSessionFactory();
|
||||
factory.openSession();
|
||||
|
||||
logger.debug("Creating HibernateUtil");
|
||||
hibernateUtil = HibernateUtil.createHibernateUtil(factory);
|
||||
|
||||
}
|
||||
|
||||
private SessionFactory buildSessionFactory() {
|
||||
try {
|
||||
|
||||
File confFile = new File(CONFFILE_NAME);
|
||||
if ( ! confFile.exists() ) {
|
||||
// try with conf before...
|
||||
confFile = new File("conf/" +CONFFILE_NAME);
|
||||
}
|
||||
if ( ! confFile.exists() ) {
|
||||
// try from mvn default test location
|
||||
confFile = new File("src/test/resources/" +CONFFILE_NAME);
|
||||
}
|
||||
|
||||
if ( confFile.exists()) {
|
||||
logger.debug("Reading PDPState hibernate configuration from " + confFile.getAbsolutePath());
|
||||
return new Configuration().configure(confFile).buildSessionFactory();
|
||||
}
|
||||
else {
|
||||
logger.warn("Reading PDPState hibernate configuration from jar; You might define a more accurate " + CONFFILE_NAME);
|
||||
BufferedInputStream bIs = new BufferedInputStream(this.getClass().getResourceAsStream( "/" + CONFFILE_NAME));
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
factory.setValidating(false); // do not validate with DTD (and, therefore, do not die offline with an unkown host exception
|
||||
factory.setFeature("http://xml.org/sax/features/namespaces", false);
|
||||
factory.setFeature("http://xml.org/sax/features/validation", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
|
||||
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
Document confDoc = factory.newDocumentBuilder().parse(bIs).getDocumentElement().getOwnerDocument();
|
||||
return new Configuration().configure(confDoc).buildSessionFactory();
|
||||
}
|
||||
}
|
||||
catch (Throwable ex) {
|
||||
ex.printStackTrace();
|
||||
logger.error("Initial SessionFactory creation failed." + ex.getClass().getName() + " - " + ex.getMessage());
|
||||
throw new ExceptionInInitializerError(ex);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public HibernateUtil getHibernateUtil() {
|
||||
return this.hibernateUtil;
|
||||
}
|
||||
|
||||
/**
|
||||
* adds a new attribute type. values in AuthoAttribute are ignored
|
||||
* @param attributeId
|
||||
* @param contextInformation
|
||||
*/
|
||||
public AttributeType addAttributeType(AuthoAttribute attribute, List<AuthoAttribute> contextAttributes) {
|
||||
|
||||
List<AttributeIdentifier> contextIds = null;
|
||||
if ( contextAttributes != null && contextAttributes.size() > 0 ) {
|
||||
contextIds = new Vector<AttributeIdentifier>();
|
||||
for (AuthoAttribute attr : contextAttributes ) {
|
||||
contextIds.add(attr.getAttributeIdentifier());
|
||||
}
|
||||
}
|
||||
return hibernateUtil.addAttributeType(attribute.getAttributeIdentifier(), contextIds);
|
||||
}
|
||||
|
||||
public List<String> getAttribute(AttributeIdentifier attrId, List<AuthoAttribute> contextAttrValues) {
|
||||
return getAttribute(attrId, contextAttrValues, new java.util.Date());
|
||||
}
|
||||
|
||||
public List<String> getAttribute(AttributeIdentifier attrId, List<AuthoAttribute> contextAttrValues, Date validAt) {
|
||||
return getAttribute(attrId, contextAttrValues, new Timestamp(validAt.getTime()));
|
||||
}
|
||||
|
||||
|
||||
public List<String> getAttribute(AttributeIdentifier attrId, List<AuthoAttribute> contextAttrValues, Timestamp validAt) {
|
||||
AttributeType attrType = hibernateUtil.getAttributeType(attrId);
|
||||
List<ContextAttributeAssignment> contextDBAttrs = transformCtxAttr(attrType, contextAttrValues);
|
||||
return getAttribute(attrType, contextDBAttrs, validAt);
|
||||
}
|
||||
|
||||
/**
|
||||
* WARNING: This function performs NO sanity checks, thus, you may get weird behavior
|
||||
* if you provide unchecked and inconsistent parameters.
|
||||
* <br/>
|
||||
*
|
||||
* @param attrType
|
||||
* @param contextDBAttrs
|
||||
* @param validAt
|
||||
* @return
|
||||
*/
|
||||
public List<String> getAttribute(AttributeType attrType, List<ContextAttributeAssignment> contextDBAttrs) {
|
||||
return getAttribute(attrType, contextDBAttrs, new Timestamp(new java.util.Date().getTime()));
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* WARNING: This function performs NO sanity checks, thus, you may get weird behavior
|
||||
* if you provide unchecked and inconsistent parameters.
|
||||
* <br/>
|
||||
*
|
||||
* @param attrType
|
||||
* @param contextDBAttrs
|
||||
* @param validAt
|
||||
* @return
|
||||
*/
|
||||
@SuppressWarnings("unchecked") // needed for List<String> list = query.list();
|
||||
public List<String> getAttribute(AttributeType attrType,
|
||||
List<ContextAttributeAssignment> contextDBAttrs, Timestamp validAt) {
|
||||
|
||||
Session session = factory.getCurrentSession();
|
||||
Transaction t = session.beginTransaction();
|
||||
Query query = null;
|
||||
|
||||
//if ( attrType.getCtxTypes().size() == 0 ) {
|
||||
if ( contextDBAttrs == null || contextDBAttrs.size() == 0 ) {
|
||||
//no context attributes are required, easy case!
|
||||
query = session.getNamedQuery("getAttribute0");
|
||||
} else if ( contextDBAttrs.size() == 1 ) {
|
||||
//only one context attribute is required
|
||||
query = session.getNamedQuery("getAttribute1");
|
||||
query.setParameter(CTXATTRTYP0, contextDBAttrs.get(0).getCtxAttribute());
|
||||
query.setParameter(CTXATTR0, contextDBAttrs.get(0).getValue());
|
||||
} else if ( contextDBAttrs.size() == 2 ) {
|
||||
query = session.getNamedQuery("getAttribute2");
|
||||
query.setParameter(CTXATTRTYP0, contextDBAttrs.get(0).getCtxAttribute());
|
||||
query.setParameter(CTXATTR0, contextDBAttrs.get(0).getValue());
|
||||
query.setParameter(CTXATTRTYP1, contextDBAttrs.get(1).getCtxAttribute());
|
||||
query.setParameter(CTXATTR1, contextDBAttrs.get(1).getValue());
|
||||
} else {
|
||||
throw new RuntimeException("Only two constraining attributes are supported");
|
||||
}
|
||||
query.setParameter(ATTRTYPE, attrType);
|
||||
query.setParameter(VALIDAT, validAt);
|
||||
|
||||
List<String> list = query.list();
|
||||
t.commit();
|
||||
return list;
|
||||
}
|
||||
|
||||
public List<Long> getAssignmentIds(AttributeIdentifier attrId, String value,
|
||||
List<AuthoAttribute> contextAttrValues,
|
||||
Date validFrom, Date validTo) {
|
||||
return getAssignmentIds(attrId, value, contextAttrValues, new Date(validFrom.getTime()), new Date(validTo.getTime()));
|
||||
}
|
||||
|
||||
|
||||
public List<Long> getAssignmentIds(AttributeIdentifier attrId, String value,
|
||||
List<AuthoAttribute> contextAttrValues, Timestamp validFrom, Timestamp validTo) {
|
||||
AttributeType attrType = hibernateUtil.getAttributeType(attrId);
|
||||
List<ContextAttributeAssignment> contextDBAttrs = transformCtxAttr(attrType, contextAttrValues);
|
||||
return getAssignmentIds(attrType, value, contextDBAttrs, validFrom, validTo);
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
public List<Long> getAssignmentIds(AttributeType attrType, String value,
|
||||
List<ContextAttributeAssignment> contextDBAttrs, Date validFrom, Date validTo) {
|
||||
/* Task: get all IDs which are within the boundaries defined by :validFrom and :validTo
|
||||
* Idea:
|
||||
* exclude those which are not within the boundaries, i.e., one of (OR)
|
||||
* 1) both a.validFrom and a.validTo lie before :validFrom
|
||||
* 2) both a.validFrom and a.validTo lie after :validTo
|
||||
* thus,
|
||||
* NOT ( ( a.validFrom < :validFrom AND a.validTo < :validTo) OR
|
||||
* ( a.validFrom > :validFrom AND a.validTo > :validTo) )
|
||||
* resolving the NOT:
|
||||
* (a.validFrom >= :validFrom OR a.validTo >= :validTo) AND
|
||||
* (a.validFrom <= :validFrom OR a.validTo <= :validTo)
|
||||
*
|
||||
* TODO make version from arni
|
||||
* a.validFrom <= :validTo AND a.validTo >= :validFrom
|
||||
*/
|
||||
|
||||
Session session = factory.getCurrentSession();
|
||||
Transaction t = session.beginTransaction();
|
||||
Query query = null;
|
||||
|
||||
if ( contextDBAttrs == null || contextDBAttrs.size() == 0 ) {
|
||||
query = session.getNamedQuery("getAssignmentIds0");
|
||||
} else if ( contextDBAttrs.size() == 1) {
|
||||
query = session.getNamedQuery("getAssignmentIds1");
|
||||
query.setParameter(CTXATTRTYP0, contextDBAttrs.get(0).getCtxAttribute());
|
||||
query.setParameter(CTXATTR0, contextDBAttrs.get(0).getValue());
|
||||
} else if ( contextDBAttrs.size() == 2) {
|
||||
query = session.getNamedQuery("getAssignmentIds2");
|
||||
query.setParameter(CTXATTRTYP0, contextDBAttrs.get(0).getCtxAttribute());
|
||||
query.setParameter(CTXATTR0, contextDBAttrs.get(0).getValue());
|
||||
query.setParameter(CTXATTRTYP1, contextDBAttrs.get(1).getCtxAttribute());
|
||||
query.setParameter(CTXATTR1, contextDBAttrs.get(1).getValue());
|
||||
}else {
|
||||
throw new RuntimeException("Only two constraining attributes are supported");
|
||||
}
|
||||
query.setParameter(ATTRTYPE, attrType);
|
||||
query.setParameter(VALIDFROM, validFrom);
|
||||
query.setParameter(VALIDTO, validTo);
|
||||
query.setParameter(VALUE, value);
|
||||
|
||||
List<Long> list = query.list();
|
||||
t.commit();
|
||||
return list;
|
||||
}
|
||||
|
||||
public AttributeAssignment addAssignment(AuthoAttribute attribute,
|
||||
Date validFrom, Date validTo, List<AuthoAttribute> contextAttributes) {
|
||||
return addAssignment(attribute,
|
||||
validFrom == null ? null : new Timestamp(validFrom.getTime()),
|
||||
validTo == null ? null : new Timestamp(validTo.getTime()), contextAttributes);
|
||||
//return addAssignment(attribute, new Date(validFrom.getTime()), new Date(validTo.getTime()), contextAttributes);
|
||||
}
|
||||
|
||||
public AttributeAssignment addAssignment(AuthoAttribute attribute,
|
||||
Timestamp validFrom, Timestamp validTo, List<AuthoAttribute> contextAttributes)
|
||||
throws InvalidAssignmentException {
|
||||
AttributeType attrType = hibernateUtil.getAttributeType(attribute.getAttributeIdentifier());
|
||||
if ( attrType == null ) {
|
||||
logger.info("AttributeType is not jet known by PDPState. Creating new AttributeType for attribute " + attribute.getAttributeIdentifier());
|
||||
attrType = addAttributeType(attribute, contextAttributes);
|
||||
}
|
||||
// transform input to values with db IDs
|
||||
List<ContextAttributeAssignment> contextDBAttrs = transformCtxAttr(attrType, contextAttributes);
|
||||
return addAssignment(attrType, attribute.getValue(), validFrom, validTo, contextDBAttrs);
|
||||
}
|
||||
|
||||
|
||||
public AttributeAssignment addAssignment(AttributeType attrType,
|
||||
String value, Timestamp validFrom, Timestamp validTo,
|
||||
List<ContextAttributeAssignment> contextDBAttrs) {
|
||||
|
||||
AttributeAssignment assignment = new AttributeAssignment();
|
||||
assignment.setValue(value);
|
||||
assignment.setValidFrom(validFrom);
|
||||
assignment.setValidTo(validTo);
|
||||
|
||||
if ( assignment.getValidFrom().after(assignment.getValidTo()) ) {
|
||||
throw new InvalidAssignmentException(Reason.INVALID_DATE_NO_TIMEFRAME);
|
||||
}
|
||||
if ( new Date(new java.util.Date().getTime() - 60*1000).after(assignment.getValidFrom())) {
|
||||
throw new InvalidAssignmentException(Reason.INVALID_DATE_MODIFICATION_OF_PAST);
|
||||
}
|
||||
|
||||
logger.info("Adding assignment with value \"" + value + "\" for " + attrType.getAttrType().toString());
|
||||
logger.debug("Checking that there is no existing attribute in the defined time period");
|
||||
List<Long> assignedIds = getAssignmentIds(attrType, value, contextDBAttrs, validFrom, validTo);
|
||||
if ( assignedIds != null && assignedIds.size() > 0 ) {
|
||||
String message = "There are already " + assignedIds.size() + " assignment(s) within the defined scope and time frame";
|
||||
logger.error(message);
|
||||
throw new RuntimeException(message);
|
||||
}
|
||||
|
||||
assignment.setAttrType(attrType);
|
||||
assignment.setCtxAttrAssignments(contextDBAttrs);
|
||||
|
||||
if ( contextDBAttrs != null ) {
|
||||
for ( ContextAttributeAssignment attr : contextDBAttrs ) {
|
||||
attr.setAttrAssignment(assignment);
|
||||
}
|
||||
}
|
||||
|
||||
Session session = factory.getCurrentSession();
|
||||
Transaction tx = session.beginTransaction();
|
||||
session.save(assignment);
|
||||
tx.commit();
|
||||
|
||||
return assignment;
|
||||
}
|
||||
|
||||
public void endAssignment(AuthoAttribute attribute, Date validTo,
|
||||
List<AuthoAttribute> contextAttrValues) {
|
||||
endAssignment(attribute, validTo == null ? null : new Date(validTo.getTime()), contextAttrValues);
|
||||
}
|
||||
|
||||
public void endAssignment(AuthoAttribute attribute, Timestamp validTo,
|
||||
List<AuthoAttribute> contextAttrValues) {
|
||||
AttributeType attrType = hibernateUtil.getAttributeType(attribute.getAttributeIdentifier());
|
||||
List<ContextAttributeAssignment> contextDBAttrs = transformCtxAttr(attrType, contextAttrValues);
|
||||
endAssignment(attrType, attribute.getValue(), validTo, contextDBAttrs);
|
||||
}
|
||||
|
||||
|
||||
public void endAssignment(AttributeType attrType,
|
||||
String value, Timestamp validTo,
|
||||
List<ContextAttributeAssignment> contextDBAttrs){
|
||||
if ( validTo == null ) {
|
||||
//per default, end assignment with now
|
||||
validTo = new Timestamp(new java.util.Date().getTime());
|
||||
} else if ( new Date(new java.util.Date().getTime() - 1000).after(validTo)) {
|
||||
logger.error("It is not permitted to end an assignment in the past");
|
||||
throw new InvalidAssignmentException(Reason.INVALID_DATE_MODIFICATION_OF_PAST);
|
||||
}
|
||||
|
||||
//Date now = new Date(new java.util.Date().getTime());
|
||||
List<Long> ids = getAssignmentIds(attrType, value, contextDBAttrs, validTo, validTo);
|
||||
|
||||
if ( ids.size() == 0 ) {
|
||||
logger.error("There is no assignment which could be ended");
|
||||
throw new InvalidAssignmentException(Reason.NO_ASSIGNMENT_AVAILABLE);
|
||||
} else if (ids.size() > 1) {
|
||||
logger.fatal("There are several assignments valid at one time: TODO log details");
|
||||
throw new InvalidAssignmentException(Reason.INVALID_STATE);
|
||||
}
|
||||
|
||||
Session session = factory.getCurrentSession();
|
||||
Transaction tx = session.beginTransaction();
|
||||
//TODO check before in the same session?
|
||||
AttributeAssignment attrAssign = (AttributeAssignment) session.get(AttributeAssignment.class, ids.get(0));
|
||||
attrAssign.setValidTo(validTo);
|
||||
session.update(attrAssign);
|
||||
tx.commit();
|
||||
}
|
||||
|
||||
public String replaceValue() {
|
||||
//TODO for assignment where only one value at one point in time is valid
|
||||
// e.g. active policy version
|
||||
//
|
||||
|
||||
//return old value
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* This function does mainly two things: first, the attribute definitions which are contained in
|
||||
* contextAttributes are transfered to a List of ContextAttributeAssignment (i.e., containing
|
||||
* a reference to the actual ContextAttribute). Second, a sanity check is done, i.e., if the attributes
|
||||
* defined by contextAttributes match to the required contextAttributes defined for the
|
||||
* attributeType
|
||||
* @param attributeType
|
||||
* @param contextAttributes
|
||||
* @return
|
||||
*/
|
||||
protected List<ContextAttributeAssignment> transformCtxAttr(AttributeType attributeType, List<AuthoAttribute> contextAttributes) {
|
||||
|
||||
// check if meta info defined by AttributeType defines same size of contextAttributes as provided
|
||||
if ( (attributeType.getCtxTypes() == null ? 0 : attributeType.getCtxTypes().size())
|
||||
!= (contextAttributes == null ? 0 : contextAttributes.size())) {
|
||||
String message = "AttributeType for " + attributeType.getAttrType() + " defines " +
|
||||
(attributeType.getCtxTypes() == null ? 0 : attributeType.getCtxTypes().size()) + " context attributes, but received " +
|
||||
(contextAttributes == null ? 0 : contextAttributes.size());
|
||||
logger.error("Invalid Assignment: " + message);
|
||||
throw new InvalidParameterException(message);
|
||||
}
|
||||
|
||||
AttributeAssignment assignment = new AttributeAssignment();
|
||||
|
||||
if ( contextAttributes != null && contextAttributes.size() > 0 ) {
|
||||
List<ContextAttributeAssignment> contextDBAttrs = new Vector<ContextAttributeAssignment>();
|
||||
|
||||
//in most cases there will be only one ctx Attribute; implement "fast way"
|
||||
if ( contextAttributes.size() == 1 ) {
|
||||
AuthoAttribute provAttr = contextAttributes.get(0);
|
||||
ContextAttribute ctxAttr = attributeType.getCtxTypes().get(0);
|
||||
//check if required IDs match
|
||||
if ( provAttr.getAttributeIdentifier().hashCode() !=
|
||||
ctxAttr.getAttrId().hashCode()) {
|
||||
String message = "AttributeType for " + attributeType.getAttrType() + " defines " +
|
||||
"another required context attribute (" + ctxAttr.getAttrId() +
|
||||
") than provided (" + provAttr.getAttributeIdentifier();
|
||||
logger.error("Invalid Assignment: " + message);
|
||||
throw new InvalidParameterException(message);
|
||||
} else {
|
||||
contextDBAttrs.add(new ContextAttributeAssignment(provAttr.getValue(), ctxAttr, assignment));
|
||||
return contextDBAttrs;
|
||||
}
|
||||
} else {
|
||||
Map<AttributeIdentifier, ContextAttribute> tmpMap = new HashMap<AttributeIdentifier, ContextAttribute>();
|
||||
for ( ContextAttribute ctxAttr : attributeType.getCtxTypes() ) {
|
||||
tmpMap.put(ctxAttr.getAttrId(), ctxAttr);
|
||||
}
|
||||
for ( AuthoAttribute attrValue : contextAttributes ) {
|
||||
if ( tmpMap.containsKey(attrValue.getAttributeIdentifier()) ) {
|
||||
ContextAttribute ctxAttr = tmpMap.get(attrValue.getAttributeIdentifier());
|
||||
contextDBAttrs.add(new ContextAttributeAssignment(attrValue.getValue(), ctxAttr, assignment));
|
||||
} else {
|
||||
String message = "AttributeType " + attributeType.getAttrType() +
|
||||
" does not require the context attribute " + attrValue.getAttributeIdentifier();
|
||||
logger.error("Invalid Assignment: " + message);
|
||||
throw new InvalidParameterException(message);
|
||||
}
|
||||
}
|
||||
return contextDBAttrs;
|
||||
}
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
// session.createQuery("SELECT a.id FROM " +
|
||||
// AttributeAssignment.class.getName() + " AS a " +
|
||||
// " INNER JOIN a.ctxAttrAssignments as c " +
|
||||
// " WHERE a.attrType = :attrType " +
|
||||
// " AND ( ( a.validFrom >= :validFrom OR a.validTo >= :validTo ) AND " +
|
||||
// " ( a.validFrom <= :validFrom OR a.validTo <= :validTo ) ) " +
|
||||
// " AND a.value = :value " +
|
||||
// " AND c.ctxAttribute = :ctxAttrTypeNull " +
|
||||
// " AND c.value = :ctxAttrNull");
|
||||
}
|
|
@ -0,0 +1,239 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.BufferedReader;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.InputStreamReader;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.Properties;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.ErrorType;
|
||||
import eu.aniketos.securebpmn.xacml.api.ReasonType;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.IPDPStateManagement;
|
||||
import eu.aniketos.securebpmn.xacml.api.log.AccessControlRequest;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
|
||||
|
||||
public class PDPStateManagement implements IPDPStateManagement {
|
||||
|
||||
private static PDPStateManagement instance;
|
||||
|
||||
private PDPState pdpState;
|
||||
private HibernateUtil dbUtil;
|
||||
//private IPDP pdp;
|
||||
|
||||
private Map<String, AttributeDBIdentifier> attributes = new HashMap<String, AttributeDBIdentifier>();
|
||||
|
||||
private Map<String, Dependency> dependencies = new HashMap<String, Dependency>();
|
||||
//private Map<AttributeDBIdentifier, Assignment> dependencies_remove = new HashMap<AttributeDBIdentifier, Assignment>();
|
||||
|
||||
|
||||
private static Logger logger = Logger.getLogger(PDPStateManagement.class);
|
||||
|
||||
private static final String ATTRIBUTE = "attribute:",
|
||||
DEPENDENCY = "dependency:";
|
||||
public static final String CONFFILE_NAME = "pdpStateDependencies.conf";
|
||||
|
||||
public static PDPStateManagement getInstance() {
|
||||
if ( instance == null ) {
|
||||
instance = new PDPStateManagement();
|
||||
}
|
||||
return instance;
|
||||
}
|
||||
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException {
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
PDPStateManagement.getInstance();
|
||||
}
|
||||
|
||||
private PDPStateManagement() {
|
||||
pdpState = PDPState.getInstance();
|
||||
dbUtil = pdpState.getHibernateUtil();
|
||||
|
||||
try {
|
||||
// check if there is a conf file on the class path
|
||||
File confFile = new File(CONFFILE_NAME);
|
||||
if ( ! confFile.exists() ) {
|
||||
// try with conf before...
|
||||
confFile = new File("conf/" +CONFFILE_NAME);
|
||||
}
|
||||
if ( ! confFile.exists() ) {
|
||||
// try from mvn default test location
|
||||
confFile = new File("src/test/resources/" +CONFFILE_NAME);
|
||||
}
|
||||
|
||||
if ( confFile.exists()) {
|
||||
logger.info("Reading PDPStateManagement configuration from " + confFile.getAbsolutePath());
|
||||
readConfig(confFile);
|
||||
}
|
||||
else {
|
||||
logger.warn("Reading PDPStateManagement configuration from jar; You might define a more accurate " + CONFFILE_NAME);
|
||||
readConfig(this.getClass().getResourceAsStream("/" + CONFFILE_NAME));
|
||||
}
|
||||
} catch (IOException e) {
|
||||
logger.error("Could not configuration file from PDPStateManagement: " + e.getMessage());
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
public Map<String, Dependency> getDependencies() {
|
||||
return Collections.unmodifiableMap(dependencies);
|
||||
}
|
||||
|
||||
public void updatePDPState(AccessControlRequest request) throws SecurityError {
|
||||
|
||||
//get resource and action
|
||||
URI resource = request.getResource();
|
||||
Dependency assign = dependencies.get(resource.toString());
|
||||
|
||||
if ( assign == null ) {
|
||||
logger.error("For the resource (" + resource + ") defined in log " + request.getEvaluationId() + " no assignment is defined");
|
||||
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR, "Cannot update the PDPState: missing assignment definition");
|
||||
} else {
|
||||
assign.writeStateChange(request, pdpState);
|
||||
}
|
||||
}
|
||||
|
||||
private void readConfig(File confFile) throws IOException {
|
||||
readConfig(new FileInputStream(confFile));
|
||||
}
|
||||
|
||||
private void readConfig(InputStream stream) throws IOException {
|
||||
BufferedReader reader = new BufferedReader(new InputStreamReader(stream));
|
||||
|
||||
|
||||
String key = null;
|
||||
AttributeDBIdentifier attrId = null;
|
||||
|
||||
String line = null;
|
||||
while ( (line = reader.readLine()) != null ) {
|
||||
line = line.trim();
|
||||
if ( ! (line.startsWith("#") || line.length() == 0 ) ) {
|
||||
if ( line.startsWith(ATTRIBUTE) ) {
|
||||
key = line.substring(ATTRIBUTE.length(), line.length());
|
||||
try {
|
||||
attrId = readAttribute(reader);
|
||||
if ( attributes.containsKey(key)) {
|
||||
logger.warn("Overwriting attribute definition with key " + key);
|
||||
}
|
||||
attributes.put(key, attrId);
|
||||
} catch (URISyntaxException e) {
|
||||
logger.warn("Could not read attribute with key " + key + ": URISyntaxException: " + e.getMessage());
|
||||
} catch (SyntaxError e) {
|
||||
logger.warn("Could not read attribute with key " + key + ": Syntax Error: " + e.getMessage());
|
||||
}
|
||||
} else if ( line.startsWith(DEPENDENCY)) {
|
||||
key = "null";
|
||||
try {
|
||||
key = line.substring(DEPENDENCY.length(), line.length()).trim();
|
||||
Dependency assign = Dependency.readAssignment(key, reader, attributes, dbUtil);
|
||||
if (dependencies.containsKey(key)) {
|
||||
logger.warn("Overwriting dependency definition with key " + key);
|
||||
}
|
||||
this.dependencies.put(key, assign);
|
||||
} catch (SyntaxError e) {
|
||||
logger.warn("Could not read dependency with key " + key + ": SyntaxError: " + e.getMessage());
|
||||
}
|
||||
} else {
|
||||
logger.warn("Ignoring misplace line " + line);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
private AttributeDBIdentifier readAttribute(BufferedReader reader) throws IOException, URISyntaxException, SyntaxError {
|
||||
URI category, attributeId, dataType, issuer;
|
||||
category = readValueLine(reader);
|
||||
dataType = readValueLine(reader);
|
||||
attributeId = readValueLine(reader);
|
||||
issuer = readValueLine(reader);
|
||||
|
||||
AttributeIdentifier attr = new AttributeIdentifier(category, dataType, attributeId, issuer);
|
||||
return dbUtil.getAttributeDBIdentifier(attr);
|
||||
}
|
||||
|
||||
private URI readValueLine(BufferedReader reader) throws IOException, URISyntaxException, SyntaxError {
|
||||
String line = reader.readLine().trim();
|
||||
if ( line.startsWith("#") ) {
|
||||
return readValueLine(reader);
|
||||
}
|
||||
if ( "null".equals(line)) {
|
||||
return null;
|
||||
}
|
||||
if ( line.length() == 0 || line.startsWith(ATTRIBUTE) || line.startsWith(DEPENDENCY)) {
|
||||
throw new SyntaxError("Invalid line after attribute declaration: " + line);
|
||||
}
|
||||
return new URI(line);
|
||||
}
|
||||
|
||||
// private void addDependency(String dependency) throws SyntaxError {
|
||||
// int m = dependency.indexOf("->");
|
||||
// if ( m == -1 ) {
|
||||
// throw new SyntaxError("Missing assignment -> ");
|
||||
// }
|
||||
// String key = dependency.substring(0, m).trim();
|
||||
// AttributeDBIdentifier dbKey = attributes.get(key);
|
||||
//
|
||||
//
|
||||
// if ( dbKey == null ) {
|
||||
// throw new SyntaxError("Attribute with key " + key + " is not defined so far");
|
||||
// }
|
||||
// List<AttributeDBIdentifier> dependencies = new Vector<AttributeDBIdentifier>();
|
||||
// StringTokenizer tokenizer = new StringTokenizer(dependency.substring(m + 2), ",");
|
||||
// while (tokenizer.hasMoreTokens()) {
|
||||
// String token = tokenizer.nextToken().trim();
|
||||
// if ( ! (token.length() == 0) ) {
|
||||
// // some attributes may not depend on any other attribute
|
||||
// if ( dependencies.size() == 0 && "null".equals(token) ) {
|
||||
// this.dependenciesString.put(key, dependencies);
|
||||
// this.dependencies.put(dbKey, dependencies);
|
||||
// return;
|
||||
// }
|
||||
// AttributeDBIdentifier dependent = attributes.get(token);
|
||||
// if ( dependent == null ) {
|
||||
// throw new SyntaxError("Attribute with key " + dependent + " is not defined so far");
|
||||
// } else {
|
||||
// dependencies.add(dependent);
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// if ( dependencies.size() == 0 ) {
|
||||
// throw new SyntaxError("No dependency is defined");
|
||||
// }
|
||||
// this.dependenciesString.put(key, dependencies);
|
||||
// this.dependencies.put(dbKey, dependencies);
|
||||
//}
|
||||
//
|
||||
//
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate;
|
||||
|
||||
/**
|
||||
*
|
||||
* Local exception which allows Dependency throw errors about illegal
|
||||
* syntax to PDPStateAssignment
|
||||
*
|
||||
*/
|
||||
class SyntaxError extends Exception {
|
||||
private static final long serialVersionUID = -6261081989869542809L;
|
||||
public SyntaxError(String string) {
|
||||
super(string);
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,121 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate.db;
|
||||
|
||||
import java.sql.Timestamp;
|
||||
import java.util.List;
|
||||
|
||||
|
||||
/**
|
||||
* This class represents a instantiation of the AttributeType meta-data class.
|
||||
*
|
||||
*/
|
||||
public class AttributeAssignment {
|
||||
|
||||
/**
|
||||
* DB generated ID
|
||||
*/
|
||||
protected long id = -1;
|
||||
|
||||
/**
|
||||
* value for which it is valid, e.g., nurse
|
||||
*/
|
||||
protected String value;
|
||||
|
||||
/**
|
||||
* beginning with which date the assignment is valid, per default -infinite
|
||||
*/
|
||||
protected Timestamp validFrom;
|
||||
|
||||
/**
|
||||
* up to when the assignment is valid, per default +infinite
|
||||
*/
|
||||
protected Timestamp validTo;
|
||||
|
||||
/**
|
||||
* which attributeType is instantiated; there, the meta data are stored, e.g.,
|
||||
* that this is an assignment of an attribute "role".
|
||||
*/
|
||||
protected AttributeType attrType;
|
||||
|
||||
/**
|
||||
* a list of attached attributes which are required from the context
|
||||
* e.g., the subject-id with value "carol@myhospital.com"
|
||||
*/
|
||||
protected List<ContextAttributeAssignment> ctxAttrAssignments;
|
||||
|
||||
public AttributeAssignment() {
|
||||
this.setValidFrom(null);
|
||||
this.setValidTo(null);
|
||||
}
|
||||
|
||||
public Long getId() {
|
||||
return id;
|
||||
}
|
||||
|
||||
public void setId(Long id) {
|
||||
this.id = id;
|
||||
}
|
||||
|
||||
public String getValue() {
|
||||
return value;
|
||||
}
|
||||
|
||||
public void setValue(String value) {
|
||||
this.value = value;
|
||||
}
|
||||
|
||||
public Timestamp getValidFrom() {
|
||||
return validFrom;
|
||||
}
|
||||
|
||||
public void setValidFrom(Timestamp validFrom) {
|
||||
this.validFrom = validFrom;
|
||||
if ( this.validFrom == null ) {
|
||||
this.validFrom = new Timestamp(new java.util.Date().getTime());
|
||||
}
|
||||
}
|
||||
|
||||
public Timestamp getValidTo() {
|
||||
return validTo;
|
||||
}
|
||||
|
||||
public void setValidTo(Timestamp validTo) {
|
||||
this.validTo = validTo;
|
||||
if ( this.validTo == null ) {
|
||||
this.validTo = new Timestamp(Long.MAX_VALUE);
|
||||
}
|
||||
}
|
||||
|
||||
public AttributeType getAttrType() {
|
||||
return attrType;
|
||||
}
|
||||
|
||||
public void setAttrType(AttributeType attributeType) {
|
||||
this.attrType = attributeType;
|
||||
}
|
||||
|
||||
public List<ContextAttributeAssignment> getCtxAttrAssignments() {
|
||||
return ctxAttrAssignments;
|
||||
}
|
||||
|
||||
public void setCtxAttrAssignments(
|
||||
List<ContextAttributeAssignment> ctxAttrAssignments) {
|
||||
this.ctxAttrAssignments = ctxAttrAssignments;
|
||||
}
|
||||
|
||||
|
||||
}
|
|
@ -0,0 +1,73 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate.db;
|
||||
|
||||
import java.net.URI;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
|
||||
|
||||
/**
|
||||
* This class contains meta-data for the PDPState.
|
||||
* <br/>
|
||||
* allows to identify and reference an attribute as it is used within XACML;
|
||||
* for the PDPState, this is more or less meta data information; i.e., all different
|
||||
* types of attributes are listed here.
|
||||
*
|
||||
* this is the same implementation as for the LogServer; may be merged if both
|
||||
* implementation are moved to one jar
|
||||
*
|
||||
*/
|
||||
public class AttributeDBIdentifier extends AttributeIdentifier {
|
||||
|
||||
protected int id = -1;
|
||||
|
||||
public AttributeDBIdentifier(URI category, URI attributeType, URI attributeId, URI issuer) {
|
||||
super(category, attributeType, attributeId, issuer);
|
||||
}
|
||||
|
||||
public AttributeDBIdentifier(AttributeIdentifier attrId) {
|
||||
super(attrId.getCategory(), attrId.getAttributeType(), attrId.getAttributeId(), attrId.getIssuer());
|
||||
}
|
||||
|
||||
protected AttributeDBIdentifier() {
|
||||
|
||||
}
|
||||
|
||||
public int getId() {
|
||||
return id;
|
||||
}
|
||||
|
||||
public void setId(int id) {
|
||||
this.id = id;
|
||||
}
|
||||
|
||||
|
||||
public void setCategory(URI categrory) {
|
||||
super.category = categrory;
|
||||
}
|
||||
|
||||
public void setAttributeType(URI attributeType) {
|
||||
super.attributeType = attributeType;
|
||||
}
|
||||
|
||||
public void setAttributeId(URI attributeId) {
|
||||
super.attributeId = attributeId;
|
||||
}
|
||||
|
||||
public void setIssuer(URI issuer) {
|
||||
super.issuer = issuer;;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,83 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate.db;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* This class contains meta-data for the PDPState.
|
||||
* <br/>
|
||||
* The "main" metaData class for the PDPState; here, all known
|
||||
* assignments are stored. This is needed to keep the database in
|
||||
* a consistent and non-redundant state and to allow the PDPStateModule
|
||||
* to retrieve the context information from the PDP in an easy way
|
||||
*
|
||||
*/
|
||||
public class AttributeType {
|
||||
|
||||
/**
|
||||
* DB generated ID
|
||||
*/
|
||||
protected int id = -1;
|
||||
|
||||
/**
|
||||
* The type of attribute which can be resolved by this attributeType,
|
||||
* e.g, role
|
||||
*/
|
||||
protected AttributeDBIdentifier attrType;
|
||||
|
||||
/**
|
||||
* List of required attributes which are required to determine the
|
||||
* assigned value (may be empty, e.g., in case of active policies),
|
||||
* example: subject-id for attrTyp role
|
||||
*/
|
||||
protected List<ContextAttribute> ctxTypes;
|
||||
|
||||
public AttributeType(AttributeDBIdentifier attrType, List<ContextAttribute> ctxTypes) {
|
||||
this.attrType = attrType;
|
||||
this.ctxTypes = ctxTypes;
|
||||
}
|
||||
|
||||
|
||||
//empty constructor for hibernate
|
||||
public AttributeType() {}
|
||||
|
||||
public int getId() {
|
||||
return id;
|
||||
}
|
||||
|
||||
public void setId(int id) {
|
||||
this.id = id;
|
||||
}
|
||||
|
||||
public AttributeDBIdentifier getAttrType() {
|
||||
return attrType;
|
||||
}
|
||||
|
||||
public void setAttrType(AttributeDBIdentifier attrType) {
|
||||
this.attrType = attrType;
|
||||
}
|
||||
|
||||
public List<ContextAttribute> getCtxTypes() {
|
||||
return ctxTypes;
|
||||
}
|
||||
|
||||
public void setCtxTypes(List<ContextAttribute> ctxTypes) {
|
||||
this.ctxTypes = ctxTypes;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,75 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate.db;
|
||||
|
||||
|
||||
/**
|
||||
* This class contains meta-data for the PDPState.
|
||||
* <br/>
|
||||
* It is (more or less) the technical implementation of the n:m mapping
|
||||
* from AttributeType to AttributeDBIdentifier; however, it is referenced
|
||||
* from ContextAttributeAssignment (mainly out of consistency and data
|
||||
* space reasons) and therefore implemented as disting class
|
||||
*
|
||||
*/
|
||||
public class ContextAttribute {
|
||||
|
||||
/**
|
||||
* DB generated ID
|
||||
*/
|
||||
protected int id = -1;
|
||||
|
||||
/**
|
||||
* defines the required attributeId
|
||||
*/
|
||||
protected AttributeDBIdentifier attrId;
|
||||
|
||||
/**
|
||||
* the AttributeType it is assigned to
|
||||
*/
|
||||
protected AttributeType attrType;
|
||||
|
||||
public ContextAttribute() {}
|
||||
|
||||
public ContextAttribute(AttributeDBIdentifier attrId, AttributeType attrType) {
|
||||
this.attrId = attrId;
|
||||
this.attrType = attrType;
|
||||
}
|
||||
|
||||
public int getId() {
|
||||
return id;
|
||||
}
|
||||
|
||||
public void setId(int id) {
|
||||
this.id = id;
|
||||
}
|
||||
|
||||
public AttributeDBIdentifier getAttrId() {
|
||||
return attrId;
|
||||
}
|
||||
|
||||
public void setAttrId(AttributeDBIdentifier attrId) {
|
||||
this.attrId = attrId;
|
||||
}
|
||||
|
||||
public AttributeType getAttrType() {
|
||||
return attrType;
|
||||
}
|
||||
|
||||
public void setAttrType(AttributeType attrType) {
|
||||
this.attrType = attrType;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,123 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate.db;
|
||||
|
||||
/**
|
||||
* This class represents an assignment of a context attribute
|
||||
* to an attribute assignment; one could also see ContextAttributeAssignments
|
||||
* as constraints when a attributeAssignment is valid.
|
||||
*/
|
||||
public class ContextAttributeAssignment {
|
||||
|
||||
/**
|
||||
* DB generated ID
|
||||
*/
|
||||
protected long id = -1;
|
||||
|
||||
/**
|
||||
* the assigned value, e.g, nurse@hospital.de
|
||||
*/
|
||||
protected String value;
|
||||
|
||||
/**
|
||||
* the context attribute which is instaniated
|
||||
*/
|
||||
protected ContextAttribute ctxAttribute;
|
||||
|
||||
/**
|
||||
* the attribute assignment which is "constrained" with this
|
||||
* context attribute assignment
|
||||
*/
|
||||
protected AttributeAssignment attrAssignment;
|
||||
|
||||
public ContextAttributeAssignment() {}
|
||||
|
||||
public ContextAttributeAssignment(String value, ContextAttribute ctxAttribute, AttributeAssignment attrAssignment) {
|
||||
this.value = value;
|
||||
this.ctxAttribute = ctxAttribute;
|
||||
this.attrAssignment = attrAssignment;
|
||||
}
|
||||
|
||||
public Long getId() {
|
||||
return id;
|
||||
}
|
||||
|
||||
public void setId(Long id) {
|
||||
this.id = id;
|
||||
}
|
||||
|
||||
public String getValue() {
|
||||
return value;
|
||||
}
|
||||
|
||||
public void setValue(String value) {
|
||||
this.value = value;
|
||||
}
|
||||
|
||||
public ContextAttribute getCtxAttribute() {
|
||||
return ctxAttribute;
|
||||
}
|
||||
|
||||
public void setCtxAttribute(ContextAttribute ctxAttribute) {
|
||||
this.ctxAttribute = ctxAttribute;
|
||||
}
|
||||
public AttributeAssignment getAttrAssignment() {
|
||||
return attrAssignment;
|
||||
}
|
||||
|
||||
public void setAttrAssignment(AttributeAssignment attrAssignment) {
|
||||
this.attrAssignment = attrAssignment;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
// protected AttributeDBIdentifier attrType;
|
||||
//
|
||||
// public ContextAttributeAssignment(AttributeDBIdentifier attrType, String value) {
|
||||
// this.attrType = attrType;
|
||||
// this.value = value;
|
||||
// }
|
||||
//
|
||||
// //empty constructor for hibernate
|
||||
// public ContextAttributeAssignment() {}
|
||||
//
|
||||
// public Long getId() {
|
||||
// return id;
|
||||
// }
|
||||
//
|
||||
// public void setId(Long id) {
|
||||
// this.id = id;
|
||||
// }
|
||||
//
|
||||
// public AttributeDBIdentifier getAttrType() {
|
||||
// return attrType;
|
||||
// }
|
||||
//
|
||||
// public void setAttrType(AttributeDBIdentifier attrType) {
|
||||
// this.attrType = attrType;
|
||||
// }
|
||||
//
|
||||
// public String getValue() {
|
||||
// return value;
|
||||
// }
|
||||
//
|
||||
// public void setValue(String value) {
|
||||
// this.value = value;
|
||||
// }
|
||||
|
||||
}
|
|
@ -0,0 +1,210 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate.db;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
import org.hibernate.Query;
|
||||
import org.hibernate.Session;
|
||||
import org.hibernate.SessionFactory;
|
||||
import org.hibernate.Transaction;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
|
||||
|
||||
/**
|
||||
* loads and caches the meta data tables
|
||||
*
|
||||
*/
|
||||
public class HibernateUtil {
|
||||
|
||||
private static final Logger logger = Logger.getLogger(HibernateUtil.class);
|
||||
private SessionFactory sessionFactory;
|
||||
|
||||
private Map<AttributeIdentifier, AttributeDBIdentifier> attrIds = null;
|
||||
private Map<AttributeIdentifier, AttributeType> attrTypeIds = null;
|
||||
|
||||
private static HibernateUtil instance;
|
||||
|
||||
|
||||
/**
|
||||
* not that the HibernateUtil has to be instanciated first
|
||||
* @return
|
||||
*/
|
||||
public static HibernateUtil getInstance() {
|
||||
return instance;
|
||||
}
|
||||
|
||||
public synchronized static HibernateUtil createHibernateUtil(SessionFactory factory) {
|
||||
if ( instance != null ) {
|
||||
logger.warn("HibernateUtil instance already exists");
|
||||
}
|
||||
instance = new HibernateUtil(factory);
|
||||
return instance;
|
||||
}
|
||||
|
||||
private HibernateUtil(SessionFactory factory) {
|
||||
this.sessionFactory = factory;
|
||||
attrIds = new HashMap<AttributeIdentifier, AttributeDBIdentifier>();
|
||||
attrTypeIds = new HashMap<AttributeIdentifier, AttributeType>();
|
||||
|
||||
Session session = sessionFactory.getCurrentSession();
|
||||
Transaction tx = session.beginTransaction();
|
||||
|
||||
Query query = session.createQuery("from " + AttributeDBIdentifier.class.getName());
|
||||
List<?> l = query.list();
|
||||
for ( Object val : l) {
|
||||
AttributeDBIdentifier i = (AttributeDBIdentifier) val;
|
||||
attrIds.put(i, i);
|
||||
logger.debug("loaded AttrID " + i + ": " + i.getId());
|
||||
}
|
||||
|
||||
query = session.createQuery("from " + AttributeType.class.getName());
|
||||
l = query.list();
|
||||
for ( Object val : l ) {
|
||||
AttributeType i = ( AttributeType ) val;
|
||||
attrTypeIds.put(i.getAttrType(), i);
|
||||
logger.debug("loaded AttrType " + i.getAttrType() + ": " + i.getId());
|
||||
}
|
||||
tx.commit();
|
||||
logger.info("Created HibernateUtil: " + attrIds.size() + " AttributeIdentifier(s), " + attrTypeIds.size() + " AttributeType(s)");
|
||||
}
|
||||
|
||||
/**
|
||||
* returns an attribute Identifier containing the ID from the database and therefore
|
||||
* useable for database write and update operations
|
||||
* @param attrId
|
||||
* @return
|
||||
*/
|
||||
public AttributeDBIdentifier getAttributeDBIdentifier(AttributeIdentifier attrId) {
|
||||
if ( attrIds.containsKey(attrId) ) {
|
||||
return attrIds.get(attrId);
|
||||
} else {
|
||||
return addAttributeIdentifier(attrId);
|
||||
}
|
||||
}
|
||||
/**
|
||||
* returns if an attribute is already stored in the database
|
||||
* @param attrId
|
||||
* @return
|
||||
*/
|
||||
public boolean contains(AttributeIdentifier attrId) {
|
||||
return attrTypeIds.containsKey(attrId);
|
||||
}
|
||||
|
||||
/**
|
||||
* add an attribute identifier to the database;<br/>
|
||||
*
|
||||
* this function checks first if the attribute is already stored, i.e., it
|
||||
* can be called without the need to check if the attribute is already there.
|
||||
* @param attrId
|
||||
* @return
|
||||
*/
|
||||
public synchronized AttributeDBIdentifier addAttributeIdentifier(AttributeIdentifier attrId) {
|
||||
if ( attrIds.containsKey(attrId) ) {
|
||||
return attrIds.get(attrId);
|
||||
} else {
|
||||
AttributeDBIdentifier dbid = new AttributeDBIdentifier(attrId);
|
||||
Session session = sessionFactory.getCurrentSession();
|
||||
Transaction tx = session.beginTransaction();
|
||||
session.save(dbid);
|
||||
|
||||
tx.commit();
|
||||
logger.debug("Inserted AttrId " + dbid.getId() + " " + attrId);
|
||||
attrIds.put(attrId, dbid);
|
||||
return dbid;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* checks if already some meta data (i.e., the AttributeType) for an
|
||||
* attribute identifier is known by the database
|
||||
* @param attrId
|
||||
* @return
|
||||
*/
|
||||
public AttributeType getAttributeType(AttributeIdentifier attrId) {
|
||||
return attrTypeIds.get(attrId);
|
||||
}
|
||||
|
||||
/**
|
||||
* add an attribute type to the database;<br/>
|
||||
*
|
||||
* this function checks first if the attribute type is already stored, i.e., it
|
||||
* can be called without the need to check if the attribute type is already there.
|
||||
* @param attrId
|
||||
* @param contextAttr
|
||||
* @return
|
||||
*/
|
||||
public synchronized AttributeType addAttributeType(AttributeIdentifier attrId, List<AttributeIdentifier> contextAttr) {
|
||||
if ( attrTypeIds.containsKey(attrId) ) {
|
||||
// this type is already defined, check if the given and the existing definition match
|
||||
AttributeType type = attrTypeIds.get(attrId);
|
||||
|
||||
if ( type.getCtxTypes().size() != contextAttr.size() ) {
|
||||
logger.warn("Existing AttributeType " + attrId + " does not match provided type definition (different context attribute count)");
|
||||
return null;
|
||||
}
|
||||
if ( type.getCtxTypes().size() == 1 ) {
|
||||
if ( ! type.getCtxTypes().get(0).getAttrId().equals(contextAttr.get(0)) ) {
|
||||
logger.warn("Existing AttributeType " + attrId + " does not match provided type definition (contextAttr type does not match)");
|
||||
return null;
|
||||
}
|
||||
} else if ( type.getCtxTypes().size() > 1 ) {
|
||||
for ( ContextAttribute attr : type.getCtxTypes()) {
|
||||
if ( ! contextAttr.contains(attr.getAttrType())) {
|
||||
logger.warn("Existing AttributeType " + attrId + " does not match provided type definition (contextAttr type do not match)");
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
return type;
|
||||
} else {
|
||||
// List<AttributeDBIdentifier> contextDBAttrs = null;
|
||||
// if ( contextAttr != null && contextAttr.size() > 0 ) {
|
||||
// contextDBAttrs = new Vector<AttributeDBIdentifier>();
|
||||
// for ( AttributeIdentifier id : contextAttr ) {
|
||||
// contextDBAttrs.add(getAttributeDBIdentifier(id));
|
||||
// }
|
||||
// }
|
||||
|
||||
AttributeType attrType = new AttributeType();
|
||||
attrType.setAttrType(getAttributeDBIdentifier(attrId));
|
||||
|
||||
List<ContextAttribute> contextDBAttrs = null;
|
||||
if ( contextAttr != null && contextAttr.size() > 0 ) {
|
||||
contextDBAttrs = new Vector<ContextAttribute>();
|
||||
System.out.println("addAttributeType: " + attrType.getAttrType().getId() + ", " + attrType.getAttrType().toString());
|
||||
for ( AttributeIdentifier id : contextAttr ) {
|
||||
contextDBAttrs.add( new ContextAttribute(getAttributeDBIdentifier(id), attrType));
|
||||
}
|
||||
}
|
||||
attrType.setCtxTypes(contextDBAttrs);
|
||||
|
||||
Session session = sessionFactory.getCurrentSession();
|
||||
Transaction tx = session.beginTransaction();
|
||||
|
||||
session.save(attrType);
|
||||
|
||||
tx.commit();
|
||||
logger.debug("Inserted AttrId " + attrType.getId() + " " + attrType);
|
||||
attrTypeIds.put(attrId, attrType);
|
||||
return attrType;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,157 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate.xacml;
|
||||
|
||||
import java.net.URI;
|
||||
import java.sql.Timestamp;
|
||||
import java.util.Collection;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.PDPState;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttributeAssignment;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
|
||||
import eu.aniketos.securebpmn.xacml.support.finder.IPDPStateEvaluationContext;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.EvaluationCtx;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.attr.AttributeFactory;
|
||||
import com.sun.xacml.attr.AttributeValue;
|
||||
import com.sun.xacml.attr.BagAttribute;
|
||||
import com.sun.xacml.cond.EvaluationResult;
|
||||
import com.sun.xacml.finder.AttributeFinderModule;
|
||||
|
||||
/**
|
||||
* PDPState modules uses the backend database to check if it is responsible;
|
||||
* if yes, it retrieves the information which attributes have to be resolved
|
||||
* from the context form the database (which is more or less configuration and meta data).
|
||||
* After retrieving the required data from the context, the actual assignments
|
||||
* are queried from the database, the result is returned to the PDP
|
||||
*
|
||||
*/
|
||||
public class PDPStateModule extends AttributeFinderModule {
|
||||
|
||||
private static PDPState pdpState = PDPState.getInstance();
|
||||
private static HibernateUtil dbUtil = pdpState.getHibernateUtil();
|
||||
|
||||
private static final Logger logger = Logger.getLogger(PDPStateModule.class);
|
||||
|
||||
protected ConfigurationStore conf;
|
||||
|
||||
public boolean isDesignatorSupported() {
|
||||
return true;
|
||||
}
|
||||
|
||||
public void setConfigurationStore(ConfigurationStore conf) {
|
||||
this.conf = conf;
|
||||
}
|
||||
|
||||
@Override
|
||||
public EvaluationResult findAttribute(URI category, URI attributeType,
|
||||
URI attributeId, URI issuer,
|
||||
EvaluationCtx context) {
|
||||
|
||||
AttributeIdentifier attrId = new AttributeIdentifier(category, attributeType, attributeId, issuer);
|
||||
logger.debug("Got request for " + attrId.toString());
|
||||
|
||||
// check if we could have some value for this attribute
|
||||
if ( dbUtil.contains(attrId)) {
|
||||
//we are responsible, get what is there
|
||||
AttributeType attrType = dbUtil.getAttributeType(attrId);
|
||||
if ( logger.isDebugEnabled() ) {
|
||||
logger.debug("Found AttributeType (id " + attrType.getId() + ") with " +
|
||||
( attrType.getCtxTypes() == null ? "0" : attrType.getCtxTypes().size()) +
|
||||
" dependencies");
|
||||
}
|
||||
|
||||
//check if we have to resolve some context information and if yes, resolve it
|
||||
List<ContextAttribute> contextAttrs = attrType.getCtxTypes();
|
||||
List<ContextAttributeAssignment> contextAttrValues = null;
|
||||
if ( contextAttrs != null && contextAttrs.size() > 0 ) {
|
||||
contextAttrValues = new Vector<ContextAttributeAssignment>();
|
||||
|
||||
for ( ContextAttribute contextAttr : contextAttrs ) {
|
||||
AttributeDBIdentifier id = contextAttr.getAttrId();
|
||||
EvaluationResult result = context.getAttribute(id.getCategory(), id.getAttributeType(),
|
||||
id.getAttributeId(), id.getIssuer());
|
||||
|
||||
if ( !result.getAttributeValue().isBag() ||
|
||||
((BagAttribute) result.getAttributeValue()).size() != 1 ) {
|
||||
logger.error("Did not retreive a bag with one (" +((BagAttribute) result.getAttributeValue()).size() +
|
||||
") entry after attribute search! " +
|
||||
"PDPStateModule allows only one value of dependent context attributes");
|
||||
//TODO throw indeterminate message
|
||||
return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
|
||||
} else {
|
||||
AttributeValue attrVal = ((BagAttribute) result.getAttributeValue()).iterator().next();
|
||||
//X1 contextAttrValues.add(new ContextAttributeAssignment(contextAttr, attrVal.toString()));
|
||||
// the
|
||||
contextAttrValues.add(new ContextAttributeAssignment(attrVal.encode(), contextAttr, null));
|
||||
logger.debug("Resolved " +attrVal.encode() + " for attribute " + id.toString() + " from the context");
|
||||
}
|
||||
}
|
||||
}
|
||||
// check if we have a specific context which tells us the exact point in time for which
|
||||
// the attributes have to be resolved
|
||||
Date queryTime = null;
|
||||
if ( context instanceof IPDPStateEvaluationContext ) {
|
||||
queryTime = ((IPDPStateEvaluationContext)context).getExecTime();
|
||||
} else {
|
||||
queryTime = new Date();
|
||||
}
|
||||
// execute query on pdpState
|
||||
List<String> values = pdpState.getAttribute(attrType, contextAttrValues, new Timestamp(queryTime.getTime()));
|
||||
if ( logger.isDebugEnabled() ) {
|
||||
StringBuffer buff = new StringBuffer("Found " + values.size() + " value(s): ");
|
||||
for (String value : values ) {
|
||||
buff.append(value + ", ");
|
||||
}
|
||||
logger.debug(buff.toString());
|
||||
}
|
||||
|
||||
if ( values == null || values.size() == 0 ){
|
||||
return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
|
||||
} else {
|
||||
Collection<AttributeValue> attrValues = new Vector<AttributeValue>();
|
||||
AttributeFactory attrFactory = AttributeFactory.getInstance();
|
||||
for ( String value : values) {
|
||||
try {
|
||||
attrValues.add(attrFactory.createValue(attributeType, value));
|
||||
} catch (UnknownIdentifierException e) {
|
||||
logger.error("UnknownIdentifierException - " + e.getMessage() + ": cannot transform " + value + " to an attributeValue of type" + attributeType, e);
|
||||
} catch (ParsingException e) {
|
||||
logger.error("ParsingException - " + e.getMessage() + ": cannot transform " + value + " to an attributeValue of type" + attributeType, e);
|
||||
}
|
||||
}
|
||||
return new EvaluationResult(new BagAttribute(attributeType, attrValues));
|
||||
}
|
||||
} else {
|
||||
logger.debug("DBState does not have any value for this AttributeType");
|
||||
// we are not responsible.. DBState does not have any value...
|
||||
return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,103 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN" "http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
|
||||
<hibernate-mapping>
|
||||
<!-- AttributeDBIdentifier ATTRIBUTE_ID
|
||||
contains meta information about managed attribute types -->
|
||||
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeDBIdentifier" table="ATTRIBUTE_ID">
|
||||
<id name="id" column="ATTRIBUTE_ID_ID">
|
||||
<generator class="native"/>
|
||||
</id>
|
||||
<property name="category" column="CATEGORY"/>
|
||||
<property name="attributeType" column="TYPE" not-null="true"/>
|
||||
<property name="attributeId" column="ATTRIBUTE_ID" not-null="true"/>
|
||||
<property name="issuer" column="ISSUER"/>
|
||||
</class>
|
||||
<!-- ContextAttribute CONTEXT_ATTRIBUTE
|
||||
n:m mapping between AttributeDBIdentifier and AttributeType as explicit class,
|
||||
to be able to reference it from ContextAttribute Assignment -->
|
||||
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute" table="CONTEXT_ATTRIBUTE">
|
||||
<id name="id" column="CONTEXT_ATTRIBUTE_ID">
|
||||
<generator class="native"/>
|
||||
</id>
|
||||
<many-to-one name="attrId" column="ATTR_ID" lazy="false" not-null="true"/>
|
||||
<many-to-one name="attrType" column="ATTRTYPE_ID" lazy="false" not-null="true"/>
|
||||
</class>
|
||||
<!-- AttributeType ATTRIBUTE_TYPE
|
||||
contains meta information about managed attribute assignments -->
|
||||
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType" table="ATTRIBUTE_TYPE">
|
||||
<id name="id" column="ATTRIBUTE_TYPE_ID">
|
||||
<generator class="native"/>
|
||||
</id>
|
||||
<many-to-one name="attrType" column="ATTR_ID" not-null="true"/>
|
||||
<bag name="ctxTypes" lazy="false" cascade="all">
|
||||
<key column="ATTRTYPE_ID"/>
|
||||
<one-to-many class="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute"/>
|
||||
<!-- -->
|
||||
</bag>
|
||||
</class>
|
||||
<!-- ContextAttributeAssignment CTXATTR_ASSIGNMENT -->
|
||||
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttributeAssignment" table="CTXATTR_ASSIGNMENT">
|
||||
<id name="id" column="CTXATTR_ASSIGNMENT_ID">
|
||||
<generator class="native"/>
|
||||
</id>
|
||||
<property name="value" column="VALUE"/>
|
||||
<many-to-one name="ctxAttribute" lazy="false" column="CTXATTR_ID" class="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttribute"/>
|
||||
<many-to-one name="attrAssignment" lazy="false" column="ASSIGNMENT_ID" class="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment"/>
|
||||
</class>
|
||||
<!-- -->
|
||||
<class name="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment" table="ATTR_ASSIGNMENT">
|
||||
<id name="id" column="ATTR_ASSIGNMENT_ID">
|
||||
<generator class="native"/>
|
||||
</id>
|
||||
<property name="value" column="VALUE" not-null="true"/>
|
||||
<property name="validFrom" column="VALID_FROM" not-null="true"/>
|
||||
<property name="validTo" column="VALID_TO" not-null="true"/>
|
||||
<many-to-one name="attrType" column="ATTR_TYPE" class="eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType"/>
|
||||
<bag name="ctxAttrAssignments" lazy="false" cascade="all">
|
||||
<key column="ASSIGNMENT_ID"/>
|
||||
<one-to-many class="eu.aniketos.securebpmn.xacml.pdpstate.db.ContextAttributeAssignment"/>
|
||||
</bag>
|
||||
</class>
|
||||
<query name="getAttribute0"><![CDATA[SELECT a.value FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
|
||||
WHERE a.attrType = :attrType
|
||||
AND a.validTo >= :validAt AND a.validFrom <= :validAt ]]></query>
|
||||
<query name="getAttribute1"><![CDATA[SELECT a.value FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
|
||||
INNER JOIN a.ctxAttrAssignments as c
|
||||
WHERE a.attrType = :attrType
|
||||
AND a.validTo >= :validAt AND a.validFrom <= :validAt
|
||||
AND c.ctxAttribute = :ctxAttrTypeNull
|
||||
AND c.value = :ctxAttrNull ]]></query>
|
||||
<query name="getAttribute2"><![CDATA[SELECT a.value FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
|
||||
INNER JOIN a.ctxAttrAssignments as cnull
|
||||
INNER JOIN a.ctxAttrAssignments as cone
|
||||
WHERE a.attrType = :attrType
|
||||
AND a.validTo >= :validAt AND a.validFrom <= :validAt
|
||||
AND cnull.ctxAttribute = :ctxAttrTypeNull
|
||||
AND cnull.value = :ctxAttrNull
|
||||
AND cone.ctxAttribute = :ctxAttrTypeOne
|
||||
AND cone.value = :ctxAttrOne]]></query>
|
||||
<query name="getAssignmentIds0"><![CDATA[SELECT a.id FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
|
||||
WHERE a.attrType = :attrType
|
||||
AND ( ( a.validFrom >= :validFrom OR a.validTo >= :validTo ) AND
|
||||
( a.validFrom <= :validFrom OR a.validTo <= :validTo ) )
|
||||
AND a.value = :value]]></query>
|
||||
<query name="getAssignmentIds1"><![CDATA[SELECT a.id FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
|
||||
INNER JOIN a.ctxAttrAssignments as c
|
||||
WHERE a.attrType = :attrType
|
||||
AND ( ( a.validFrom >= :validFrom OR a.validTo >= :validTo ) AND
|
||||
( a.validFrom <= :validFrom OR a.validTo <= :validTo ) )
|
||||
AND a.value = :value
|
||||
AND c.ctxAttribute = :ctxAttrTypeNull
|
||||
AND c.value = :ctxAttrNull]]></query>
|
||||
<query name="getAssignmentIds2"><![CDATA[SELECT a.id FROM eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment AS a
|
||||
INNER JOIN a.ctxAttrAssignments as cnull
|
||||
INNER JOIN a.ctxAttrAssignments as cone
|
||||
WHERE a.attrType = :attrType
|
||||
AND ( ( a.validFrom >= :validFrom OR a.validTo >= :validTo ) AND
|
||||
( a.validFrom <= :validFrom OR a.validTo <= :validTo ) )
|
||||
AND a.value = :value
|
||||
AND cnull.ctxAttribute = :ctxAttrTypeNull
|
||||
AND cnull.value = :ctxAttrNull
|
||||
AND cone.ctxAttribute = :ctxAttrTypeOne
|
||||
AND cone.value = :ctxAttrOne]]></query>
|
||||
</hibernate-mapping>
|
|
@ -0,0 +1,29 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE hibernate-mapping PUBLIC
|
||||
"-//Hibernate/Hibernate Mapping DTD 3.0//EN"
|
||||
"http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
|
||||
|
||||
<hibernate-configuration>
|
||||
<session-factory>
|
||||
<!-- Database connection settings -->
|
||||
<property name="connection.driver_class">org.hsqldb.jdbcDriver</property>
|
||||
<property name="connection.url">jdbc:hsqldb:hsql://localhost/pdpstate</property>
|
||||
<property name="connection.username">sa</property>
|
||||
<property name="connection.password"></property>
|
||||
<!-- JDBC connection pool (use the built-in) -->
|
||||
<property name="connection.pool_size">1</property>
|
||||
<!-- SQL dialect -->
|
||||
<property name="dialect">org.hibernate.dialect.HSQLDialect</property>
|
||||
<!-- Enable Hibernate's automatic session context management -->
|
||||
<property name="current_session_context_class">thread</property>
|
||||
<!-- Disable the second-level cache -->
|
||||
<property name="cache.provider_class">org.hibernate.cache.NoCacheProvider</property>
|
||||
<!-- Echo all executed SQL to stdout -->
|
||||
<property name="show_sql">true</property>
|
||||
<!-- property name="format_sql">true</property -->
|
||||
<!-- Drop and re-create the database schema on startup -->
|
||||
<property name="hbm2ddl.auto">create</property> <!-- create vs validate vs create-drop -->
|
||||
<mapping resource="eu.aniketos.securebpmn.xacml.pdpstate.xml" />
|
||||
</session-factory>
|
||||
</hibernate-configuration>
|
||||
|
|
@ -0,0 +1,180 @@
|
|||
#
|
||||
# this config files defines the used attributes and
|
||||
# dependencies between attributes.
|
||||
# empty lines and lines starting with # are ignored
|
||||
#
|
||||
# to define an attribute, write
|
||||
#attribute:<key>
|
||||
#<category>
|
||||
#<dataType>
|
||||
#<attributeId>
|
||||
#<issuer>
|
||||
#
|
||||
# category, attributeId, dataType, and issuer have to be an URI (java.net.URI),
|
||||
# issuer may be defined as "null". For example, the XACML standard resource id
|
||||
# can be defined with
|
||||
#attribute:urn:oasis:names:tc:xacml:1.0:resource:resource-id
|
||||
#urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
#http://www.w3.org/2001/XMLSchema#string
|
||||
#urn:oasis:names:tc:xacml:1.0:resource:resource-id
|
||||
#null
|
||||
#
|
||||
# to define a dependency, write
|
||||
#dependency:<resource>
|
||||
#<key> -> null|[<dependent-key>, ]
|
||||
#<key_n> -> <xacml-attr>
|
||||
#
|
||||
# <resource> is the resource (standard resource-id as defined in policy,
|
||||
# e.g., a role assignment modelled as resource urn:runEx:role:assignment)
|
||||
# <key> is the AttrType for which this depenedency is defined (e.g.,
|
||||
# urn:custom:subject:role, using the key defined in the attribute: definition)
|
||||
# <dependent-key> are those attributes (identified along the key of the
|
||||
# attribute: definition) which are required at runtime to resolve the
|
||||
# attribute, e.g., subject-id to resolve a role
|
||||
# <key_n> -> <xacml-attr> defines the value of which xacml-attr of a request
|
||||
# should be used for the dependent-key key_n
|
||||
#
|
||||
# For example
|
||||
#dependency:urn:runEx:role:assignment
|
||||
#urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
|
||||
#urn:custom:subject:role -> urn:custom:resource:role
|
||||
#urn:oasis:names:tc:xacml:1.0:subject:subject-id -> urn:custom:resource:subject-id
|
||||
#
|
||||
# defines that the role assignment in the xacml policy is modelled as resource
|
||||
# urn:runEx:role:assignment and changes to this resource should trigger a
|
||||
# policyState change.
|
||||
# the AttrType urn:custom:subject:role requires the subject-id to be resolved
|
||||
# at runtime. The value for the role (i.e., which role is assigned) can be
|
||||
# retrieved from the request by getting the attribute urn:custom:resource:role
|
||||
# from the request, the value for the subject (i.e., to which the role is
|
||||
# assigned) can be retrieved by getting urn:custom:resource:subject-id from the
|
||||
# request
|
||||
#
|
||||
#
|
||||
# Note: an attribute has to be defined before it can be used within a
|
||||
# dependency definition
|
||||
|
||||
|
||||
|
||||
#standard subject-id
|
||||
attribute:urn:oasis:names:tc:xacml:1.0:subject:subject-id
|
||||
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:oasis:names:tc:xacml:1.0:subject:subject-id
|
||||
null
|
||||
|
||||
#standard resource-id
|
||||
attribute:urn:oasis:names:tc:xacml:1.0:resource:resource-id
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:oasis:names:tc:xacml:1.0:resource:resource-id
|
||||
null
|
||||
|
||||
#currentlyClaimedTasks
|
||||
attribute:urn:custom:resource:cc-tasks
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:custom:resource:cc-tasks
|
||||
null
|
||||
|
||||
#delegationCounter
|
||||
attribute:urn:custom:resource:delegationCounter
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:custom:resource:delegationCounter
|
||||
null
|
||||
|
||||
#role (assigned to subject)
|
||||
attribute:urn:custom:subject:role
|
||||
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:custom:subject:role
|
||||
null
|
||||
|
||||
#if subject-id is treated as resource, e.g., if a role is assigned to a subject
|
||||
attribute:urn:custom:resource:subject-id
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:custom:resource:subject-id
|
||||
null
|
||||
|
||||
#if role is treated as resource, e.g., if a role is assigned to a subject
|
||||
attribute:urn:custom:resource:role
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:custom:resource:role
|
||||
null
|
||||
|
||||
#
|
||||
attribute:urn:runEx:subject:qualifications
|
||||
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:runEx:subject:qualifications
|
||||
null
|
||||
|
||||
attribute:urn:runEx:subject:departments
|
||||
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:runEx:subject:departments
|
||||
null
|
||||
|
||||
attribute:urn:custom:resource:creator
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:custom:resource:creator
|
||||
null
|
||||
|
||||
attribute:urn:runEx:patient:treating-departments
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:runEx:patient:treating-departments
|
||||
null
|
||||
|
||||
attribute:urn:runEx:patient:treating-subjects
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:runEx:patient:treating-subjects
|
||||
null
|
||||
|
||||
attribute:urn:custom:svnPolicyVersion
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:environment
|
||||
http://www.w3.org/2001/XMLSchema#integer
|
||||
urn:custom:svnPolicyVersion
|
||||
null
|
||||
|
||||
attribute:urn:activePolicies
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:environment
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:activePolicies
|
||||
null
|
||||
|
||||
attribute:urn:resource:activePolicies
|
||||
urn:oasis:names:tc:xacml:3.0:attribute-category:resource
|
||||
http://www.w3.org/2001/XMLSchema#string
|
||||
urn:resource:activePolicies
|
||||
null
|
||||
|
||||
#
|
||||
# DEPENDENCIES
|
||||
#
|
||||
|
||||
# role assignment: to retrieve roles at runtime, resolve subject-id
|
||||
dependency:urn:runEx:role:assignment
|
||||
urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
|
||||
urn:custom:subject:role -> urn:custom:resource:role
|
||||
urn:oasis:names:tc:xacml:1.0:subject:subject-id -> urn:custom:resource:subject-id
|
||||
|
||||
# activation of policies: no dependent attributes
|
||||
dependency:urn:runEx:activePolicies
|
||||
urn:activePolicies -> null
|
||||
urn:activePolicies -> urn:resource:activePolicies
|
||||
|
||||
#breakGlassState:urn:breakGlass:patient-subjDep
|
||||
#urn:breakGlass:patient-subjDep -> urn:runEx:subject:departments, todo:patientid
|
||||
|
||||
#dependency:urn:custom:subject:role -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
|
||||
#dependency:urn:runEx:subject:qualifications -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
|
||||
#dependency:urn:runEx:subject:departments -> urn:oasis:names:tc:xacml:1.0:subject:subject-id
|
||||
#dependency:urn:custom:resource:creator -> urn:oasis:names:tc:xacml:1.0:resource:resource-id
|
||||
#dependency:urn:runEx:patient:treating-departments ->
|
||||
#dependency:
|
|
@ -0,0 +1,79 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
|
||||
import junit.framework.Test;
|
||||
import junit.framework.TestSuite;
|
||||
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
public class PDPStateManagementFoo {
|
||||
|
||||
|
||||
private static PDPStateManagementFoo pdpStateMgt;
|
||||
|
||||
/**
|
||||
* @param args
|
||||
* @throws IOException
|
||||
* @throws FileNotFoundException
|
||||
* @throws InterruptedException
|
||||
*/
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException, InterruptedException {
|
||||
|
||||
// Properties log4jProps = new Properties();
|
||||
// log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
// PropertyConfigurator.configure(log4jProps);
|
||||
//
|
||||
// pdpStateMgt = PDPStateManagement.getInstance();
|
||||
//
|
||||
// pdpStateMgt.addRole("Alice", "Nurse");
|
||||
// pdpStateMgt.addRole("Bob", "Doctor");
|
||||
// pdpStateMgt.addRole("Bob", "Nurse");
|
||||
// pdpStateMgt.addRole("Bob", "Admin");
|
||||
// printRoles("Bob");
|
||||
//
|
||||
// pdpStateMgt.removeRole("Bob", "Admin");
|
||||
//
|
||||
// printRoles("Bob");
|
||||
// printRoles("Alice");
|
||||
// pdpStateMgt.addRole("Bob", "Admin");
|
||||
//
|
||||
// printRoles("Bob");
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
private static void printRoles(String subjectId) {
|
||||
// List<String> roles = pdpStateMgt.getRoles(subjectId);
|
||||
// System.out.print("Roles of " + subjectId + ": ");
|
||||
// for (String role : roles) {
|
||||
// System.out.print(role + ", ");
|
||||
// }
|
||||
// System.out.println("");
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
|
@ -0,0 +1,209 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdpstate;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.BufferedOutputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeAssignment;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.AttributeType;
|
||||
import eu.aniketos.securebpmn.xacml.pdpstate.db.HibernateUtil;
|
||||
|
||||
|
||||
public class PDPStateStartup {
|
||||
|
||||
private static final Logger logger = Logger.getLogger(PDPStateStartup.class);
|
||||
|
||||
public static PDPState pdpState;
|
||||
|
||||
/**
|
||||
* @param args
|
||||
* @throws IOException
|
||||
* @throws FileNotFoundException
|
||||
*/
|
||||
public static void main(String[] args) throws FileNotFoundException, IOException {
|
||||
|
||||
|
||||
Properties log4jProps = new Properties();
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(new File("src/test/log4j.properties"))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
|
||||
|
||||
copyConfForTest();
|
||||
|
||||
pdpState = PDPState.getInstance();
|
||||
|
||||
//HibernateUtil hUtil = pdpState.getHibernateUtil();
|
||||
List<String> values;
|
||||
|
||||
//checkRoleAttrType(hUtil);
|
||||
//checkRoleAttrType(hUtil);
|
||||
|
||||
addRoleAssignment("alice", "Nurse");
|
||||
addRoleAssignment("dave", "Doctor");
|
||||
addRoleAssignment("dave", "Nurse");
|
||||
addSubjectDepartment("alice", "Interne");
|
||||
addSubjectDepartment("dave", "Chirurgie");
|
||||
|
||||
//pdpState.test();
|
||||
|
||||
values = getRoles("alice");
|
||||
System.out.print("roles for alice: ");
|
||||
for ( String value : values) {
|
||||
System.out.print(value + ", ");
|
||||
}
|
||||
System.out.println("");
|
||||
|
||||
|
||||
values = getRoles("dave");
|
||||
System.out.print("roles for dave: ");
|
||||
for ( String value : values) {
|
||||
System.out.print(value + ", ");
|
||||
}
|
||||
System.out.println("");
|
||||
|
||||
|
||||
addDummyAssignment("val1", "key1_1", "key2_1");
|
||||
addDummyAssignment("val2", "key1_1", "key2_1");
|
||||
|
||||
addDummyAssignment("val3", "key1_2", "key2_1");
|
||||
addDummyAssignment("val4", "key1_1", "key2_2");
|
||||
|
||||
|
||||
values = getDummyAssignment("key1_2", "key2_1");
|
||||
System.out.print("dummy assignment for key1_1/key2_1: ");
|
||||
for ( String value : values) {
|
||||
System.out.print(value + ", ");
|
||||
}
|
||||
|
||||
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
contextAttrs.add(new AuthoAttribute(subjetIdentifier, "alice"));
|
||||
//return pdpState.getAttribute(roleIdentifier, contextAttrs)
|
||||
|
||||
List<Long> assigns = pdpState.getAssignmentIds(roleIdentifier, "Nurse", contextAttrs, new Date(), new Date());
|
||||
for ( Long id : assigns ) {
|
||||
System.out.println("assigned id " + id);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* checks if the role assignment is already defined => subject-roles requiring subject-id
|
||||
* @param hUtil
|
||||
*/
|
||||
public static void checkRoleAttrType(HibernateUtil hUtil) {
|
||||
logger.debug("Create role AttrId");
|
||||
|
||||
AttributeIdentifier roleId = new AttributeIdentifier(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI, null);
|
||||
|
||||
AttributeType attrType = hUtil.getAttributeType(roleId);
|
||||
if ( attrType != null ) {
|
||||
logger.debug("attrType role already exisits and has " + attrType.getCtxTypes().size() + " contextTypes");
|
||||
} else {
|
||||
List<AttributeIdentifier> contextAttrs = new Vector<AttributeIdentifier>();
|
||||
contextAttrs.add(new AttributeIdentifier(Constants.SUBJECT_CAT, Constants.SUBJECT_ID, TypeIdentifierConstants.STRING_URI, null));
|
||||
attrType = hUtil.addAttributeType(roleId, contextAttrs);
|
||||
logger.debug("added role");
|
||||
}
|
||||
|
||||
logger.debug("attrType role has id " + attrType.getId());
|
||||
}
|
||||
|
||||
public static AttributeIdentifier roleIdentifier = new AttributeIdentifier(Constants.SUBJECT_CAT, URI.create("subject-roles"), TypeIdentifierConstants.STRING_URI, null);
|
||||
public static AttributeIdentifier subjetIdentifier = new AttributeIdentifier(Constants.SUBJECT_CAT, Constants.SUBJECT_ID, TypeIdentifierConstants.STRING_URI, null);
|
||||
public static AttributeIdentifier subjDep = new AttributeIdentifier(Constants.SUBJECT_CAT, URI.create("department"), TypeIdentifierConstants.STRING_URI, null);
|
||||
public static AttributeIdentifier fooIdentifier = new AttributeIdentifier(Constants.SUBJECT_CAT, URI.create("foo"), TypeIdentifierConstants.STRING_URI, null);
|
||||
|
||||
|
||||
public static AttributeAssignment addRoleAssignment(String userId, String role) {
|
||||
|
||||
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
contextAttrs.add(new AuthoAttribute(subjetIdentifier, userId));
|
||||
return pdpState.addAssignment(new AuthoAttribute(roleIdentifier, role), null, null, contextAttrs);
|
||||
}
|
||||
|
||||
public static List<String> getRoles(String userId) {
|
||||
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
contextAttrs.add(new AuthoAttribute(subjetIdentifier, userId));
|
||||
return pdpState.getAttribute(roleIdentifier, contextAttrs);
|
||||
}
|
||||
|
||||
public static AttributeAssignment addSubjectDepartment(String userId, String role) {
|
||||
|
||||
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
contextAttrs.add(new AuthoAttribute(subjetIdentifier, userId));
|
||||
return pdpState.addAssignment(new AuthoAttribute(subjDep, role), null, null, contextAttrs);
|
||||
}
|
||||
|
||||
public static AttributeAssignment addDummyAssignment(String foo, String bar, String baz) {
|
||||
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
contextAttrs.add(new AuthoAttribute(roleIdentifier, bar));
|
||||
contextAttrs.add(new AuthoAttribute(subjDep, baz));
|
||||
return pdpState.addAssignment(new AuthoAttribute(subjetIdentifier, foo), null, null, contextAttrs);
|
||||
}
|
||||
|
||||
public static List<String> getDummyAssignment(String bar, String baz) {
|
||||
List<AuthoAttribute> contextAttrs = new Vector<AuthoAttribute>();
|
||||
contextAttrs.add(new AuthoAttribute(roleIdentifier, bar));
|
||||
contextAttrs.add(new AuthoAttribute(subjDep, baz));
|
||||
return pdpState.getAttribute(subjetIdentifier, contextAttrs);
|
||||
}
|
||||
|
||||
|
||||
public static void copyConfForTest() throws IOException {
|
||||
|
||||
BufferedInputStream bIS = new BufferedInputStream(new FileInputStream(new File("src/main/resources/hibernate.cfg.xml")));
|
||||
BufferedOutputStream bOS = new BufferedOutputStream(new FileOutputStream(new File("target/classes/hibernate.cfg.xml")));
|
||||
|
||||
byte[] buffer = new byte[4096];
|
||||
int read = -1;
|
||||
|
||||
while ( (read = bIS.read(buffer)) != -1 ) {
|
||||
bOS.write(buffer, 0, read);
|
||||
}
|
||||
bOS.flush();
|
||||
bOS.close();
|
||||
|
||||
|
||||
bIS = new BufferedInputStream(new FileInputStream(new File("src/main/resources/eu.aniketos.pdpState.xml")));
|
||||
bOS = new BufferedOutputStream(new FileOutputStream(new File("target/classes/eu.aniketos.pdpState.xml")));
|
||||
|
||||
while ( (read = bIS.read(buffer)) != -1 ) {
|
||||
bOS.write(buffer, 0, read);
|
||||
}
|
||||
bOS.flush();
|
||||
bOS.close();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
log4j.rootLogger=INFO, console
|
||||
|
||||
log4j.appender.logfile=org.apache.log4j.FileAppender
|
||||
log4j.appender.logfile.layout=org.apache.log4j.PatternLayout
|
||||
log4j.appender.logfile.layout.ConversionPattern=%d [%t] %-5p %c - %m%n
|
||||
log4j.appender.logfile.File=${catalina.base}/logs/pdp.log
|
||||
|
||||
log4j.appender.console=org.apache.log4j.ConsoleAppender
|
||||
log4j.appender.console.layout=org.apache.log4j.PatternLayout
|
||||
log4j.appender.console.layout.ConversionPattern=%-5p %c - %m%n
|
||||
|
||||
# %d [%t]
|
||||
|
||||
log4j.logger.eu.aniketos=DEBUG
|
||||
log4j.logger.com.sun.xacml=DEBUG
|
||||
|
||||
log4j.logger.org.apache.commons.httpclient.HttpMethodDirector=WARN
|
||||
|
||||
|
Reference in New Issue