From 998a7eb2e131ce8ac13c412de4a0bbe15af0accc Mon Sep 17 00:00:00 2001 
From: "Achim D. Brucker" Date: Sun, 31 May 2015 11:09:17 +0200 Subject: [PATCH] Initial commit. --- src/eu.aniketos.securebpmn.xacml.api/pom.xml | 76 ++++++ .../pom_pdpwsdl_gen.xml | 61 +++++ .../eu/aniketos/securebpmn/api/ErrorType.java | 29 +++ .../aniketos/securebpmn/api/ReasonType.java | 39 ++++ .../securebpmn/api/SecurityError.java | 199 ++++++++++++++++ .../api/autho/AttributeIdentifier.java | 99 ++++++++ .../securebpmn/api/autho/AuthoAttribute.java | 83 +++++++ .../securebpmn/api/autho/AuthoInfo.java | 46 ++++ .../securebpmn/api/autho/AuthoObligation.java | 56 +++++ .../securebpmn/api/autho/AuthoResult.java | 155 +++++++++++++ .../securebpmn/api/autho/Decision.java | 52 +++++ .../api/autho/DesignatorAttribute.java | 75 ++++++ .../securebpmn/api/autho/IAuthoManager.java | 24 ++ .../api/autho/IContextProvider.java | 36 +++ .../api/autho/IObligationService.java | 28 +++ .../aniketos/securebpmn/api/autho/IPDP.java | 42 ++++ .../securebpmn/api/autho/IPDPManagement.java | 37 +++ .../api/autho/IPDPStateManagement.java | 35 +++ .../aniketos/securebpmn/api/idm/AuthInfo.java | 63 +++++ .../securebpmn/api/idm/IIDProvider.java | 38 +++ .../api/idm/IIDProviderFactory.java | 23 ++ .../securebpmn/api/idm/IIDProviderProxy.java | 26 +++ .../securebpmn/api/idm/ITicketProvider.java | 55 +++++ .../api/idm/ITicketProviderFactory.java | 22 ++ .../aniketos/securebpmn/api/idm/IdInfo.java | 94 ++++++++ .../api/log/AccessControlRequest.java | 216 ++++++++++++++++++ .../securebpmn/api/log/EventNotification.java | 59 +++++ .../securebpmn/api/log/ILogStore.java | 42 ++++ .../aniketos/securebpmn/api/log/LogEntry.java | 49 ++++ .../api/pep/IObligationContext.java | 22 ++ .../eu/aniketos/securebpmn/api/pep/IPEP.java | 29 +++ .../securebpmn/api/pep/IPEPProxy.java | 22 ++ .../securebpmn/xacml/api/AppTest.java | 53 +++++ .../pom.xml | 1 + 34 files changed, 1986 insertions(+) create mode 100644 src/eu.aniketos.securebpmn.xacml.api/pom.xml create mode 100644 
src/eu.aniketos.securebpmn.xacml.api/pom_pdpwsdl_gen.xml create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/ErrorType.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/ReasonType.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/SecurityError.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AttributeIdentifier.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoAttribute.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoInfo.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoObligation.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoResult.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/Decision.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/DesignatorAttribute.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IAuthoManager.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IContextProvider.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IObligationService.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDP.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDPManagement.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDPStateManagement.java 
create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/AuthInfo.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProvider.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProviderFactory.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProviderProxy.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/ITicketProvider.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/ITicketProviderFactory.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IdInfo.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/AccessControlRequest.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/EventNotification.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/ILogStore.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/LogEntry.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IObligationContext.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IPEP.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IPEPProxy.java create mode 100644 src/eu.aniketos.securebpmn.xacml.api/src/test/java/eu/aniketos/securebpmn/xacml/api/AppTest.java diff --git a/src/eu.aniketos.securebpmn.xacml.api/pom.xml b/src/eu.aniketos.securebpmn.xacml.api/pom.xml new file mode 100644 index 0000000..e64f04c --- /dev/null 
+++ b/src/eu.aniketos.securebpmn.xacml.api/pom.xml @@ -0,0 +1,76 @@ + + + 4.0.0 + + eu.aniketos.securebpmn.xacml + eu.aniketos.securebpmn.xacml.parent + 1.0 + ../eu.aniketos.securebpmn.xacml.parent/pom.xml + + eu.aniketos.securebpmn.xacml.api + 0.1 + jar + SecureBPMN XACML - Core API + http://maven.apache.org + + 2.5.1 + UTF-8 + + + ${artifactId} + + + + org.apache.maven.plugins + maven-compiler-plugin + + 1.5 + 1.5 + + + + + org.apache.cxf + cxf-java2ws-plugin + + ${cxf-version} + + + org.apache.cxf + cxf-rt-frontend-jaxws + + ${cxf-version} + + + org.apache.cxf + cxf-rt-frontend-simple + + ${cxf-version} + + + + + process-classes + process-classes + + eu.aniketos.securebpmn.xacml.api.autho.IPDP + true + true + + + java2ws + + + + + + + + + junit + junit + [4.8,) + test + + + diff --git a/src/eu.aniketos.securebpmn.xacml.api/pom_pdpwsdl_gen.xml b/src/eu.aniketos.securebpmn.xacml.api/pom_pdpwsdl_gen.xml new file mode 100644 index 0000000..6ec1462 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/pom_pdpwsdl_gen.xml @@ -0,0 +1,61 @@ + + + 4.0.0 + + eu.aniketos.securebpmn.xacml + eu.aniketos.securebpmn.xacml.parent + 1.0 + ../eu.aniketos.securebpmn.xacml.parent/pom.xml + + pdp-wsdlclient + jar + 0.1 + pdp + http://maven.apache.org + + ${artifactId} + target/generated/cxf/src + target/generated/cxf/bin + + + + org.apache.maven.plugins + maven-compiler-plugin + + 1.5 + 1.5 + + + + + org.apache.cxf + cxf-codegen-plugin + + + generate-sources + generate-sources + + ${project.build.directory}/generated/cxf/src + + + ${project.build.directory}/generated/wsdl/IPDP.wsdl + + + + + wsdl2java + + + + + + + + + junit + junit + 3.8.1 + test + + + diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/ErrorType.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/ErrorType.java new file mode 100644 index 0000000..c078f5f --- /dev/null 
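Review bot: The junit dependency in this pom is declared with the open-ended version range `[4.8,)` (the surrounding tags appear to have been lost in extraction, so this reads from the text `junit junit [4.8,) test`), which lets Maven resolve whatever newest junit release is in the repository at build time. That makes the build non-reproducible and means a newly published artifact is picked up without anyone reviewing the change. Pin it to an explicit release, e.g. `<version>4.8</version>` or whichever version the project has actually tested against, as the sibling pom_pdpwsdl_gen.xml already does with a fixed version.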
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/ErrorType.java @@ -0,0 +1,29 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api; + +import javax.xml.bind.annotation.XmlType; + +/** + * + * Defines the main type of the SecurityError + */ +@XmlType(namespace="http://aniketos.eu/") +public enum ErrorType { + AUTHENTICATION_FAILED, + AUTHORIZATION_FAILED, + CONFIGURATION_ERROR +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/ReasonType.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/ReasonType.java new file mode 100644 index 0000000..83df134 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/ReasonType.java 
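Review bot: The declaration order of these constants is load-bearing but undocumented: SecurityError, later in this patch, resolves the human-readable text with `error_messages[error.ordinal()]`, and ReasonType is used the same way against `reason_messages`, so inserting or reordering a constant silently pairs it with the wrong message or runs off the end of the array. Add a comment above the body such as `// Order matters: SecurityError maps these to its error_messages table by ordinal()` and the equivalent note in ReasonType, or carry the text on the constants as a constructor argument so the coupling disappears altogether.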
@@ -0,0 +1,39 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api; + +import javax.xml.bind.annotation.XmlType; + +/** + * Defines a more detailed reason for the error + * + */ +@XmlType(namespace="http://aniketos.eu/") +public enum ReasonType { + SSO_ENGINE_ERROR, + MISSING_CAS_TICKET, + MISSING_USER, + INVALID_CAS_TICKET, + INVALID_USERNAME_PASSWORD, + CAS_TICKET_WRONG_SERVICE, + + INVALID_PARAMETERS, + PDE_ENGINE_ERROR, + BREAK_GLASS, + UNDEFINED_POLICY, + INVALID_XACML, + DENY +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/SecurityError.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/SecurityError.java new file mode 100644 index 0000000..aad3f99 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/SecurityError.java 
@@ -0,0 +1,199 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api; + +import javax.xml.ws.WebFault; + + +@WebFault(targetNamespace="aniketos.eu/") //, name="SecurityError" name="eu.aniketos.SecurityError", faultBean="eu.aniketos.SecurityError +public class SecurityError extends Exception { + + private static final long serialVersionUID = 1031874369988364332L; + + protected ErrorType error; + protected ReasonType reason; + + protected String message; + + protected long evaluationId; + + private static final String[] error_messages = { + "Authentication failed", + "Authorization failed", + "Configuration error" + }; + + + private static final String[] reason_messages = { + "SSO Engine error", + "Missing Security Token", + "Missing authenticated user", + "Invalid Security Token", + "Invalid Username or Password", + "Security Token not valid for requested service", + + "Invalid parameters", + "PDE Engine error", + "Access requires break-glass", + "No policy defined for requested resource", + "Invalid XACML Defintion", + "User is not permitted to access the requested resource" + }; + + /** + * Creating a new SecurityError, message is generated from error and reason + * + * @param error + * @param reason + */ + public SecurityError(ErrorType error, ReasonType reason) { + super(generateMessage(error, reason)); + this.message = super.getMessage(); + this.error = error; + this.reason = reason; 
+ } + + /** + * Creating a new SecurityError, message is generated from error and reason, enhanced with additionalMessage + * + * @param error + * @param reason + * @param additionalMessage + */ + public SecurityError(ErrorType error, ReasonType reason, String additionalMessage) { + super(generateMessage(error, reason, additionalMessage)); + this.message = super.getMessage(); + this.error = error; + this.reason = reason; + } + + /** + * Creating a new SecurityError, message is generated from error and reason + * + * @param error + * @param reason + * @param exception + */ + public SecurityError(ErrorType error, ReasonType reason, Throwable exception) { + super(generateMessage(error, reason), exception); + this.message = super.getMessage(); + this.error = error; + this.reason = reason; + } + /** + * Creating a new SecurityError, message is generated from error and reason, enhanced with additionalMessage + * + * @param error + * @param reason + * @param additionalMessage + * @param exception + */ + public SecurityError(ErrorType error, ReasonType reason, String additionalMessage, Throwable exception) { + super(generateMessage(error, reason, additionalMessage), exception); + this.message = super.getMessage(); + this.error = error; + this.reason = reason; + } + + /** + * Creating a new Security Error with a free defined message. 
Should only be used to create a new SecurityError in Proxies, wrapping a received error + * @param message + * @param error + * @param reason + */ + public SecurityError(String message, ErrorType error, ReasonType reason) { + super(message); + this.message = super.getMessage(); + this.error = error; + this.reason = reason; + } + + /** + * returns the main error type for this SecurityError + * + * @return + */ + public ErrorType getError() { + return error; + } + /** + * should not be used to create a new message; is required for web service interfaces + * @param error + */ + public void setError(ErrorType error) { + this.error = error; + } + + /** + * returns the more detailed reason for this SecurityError + * + * @return + */ + public ReasonType getReason() { + return reason; + } + + /** + * should not be used to create a new message; is required for web service interfaces + * @param reason + */ + public void setReason(ReasonType reason) { + this.reason = reason; + } + + @Override + public String getMessage() { + return this.message; + } + + /** + * DO NOT USE! Required for SCA + * @param message + */ + public void setMessage(String message) { + //required for SCA? i.e., finding "message" as attribute with getters and setters + this.message = message; + } + + public long getEvaluationId() { + return evaluationId; + } + + public void setEvaluationId(long evaluationId) { + this.evaluationId = evaluationId; + } + + +// /** +// * DO NOT USE! Required for SCA +// * +// */ +// public SecurityError() { +// +// } + + + + private static String generateMessage(ErrorType error, ReasonType reason) { + return error_messages[error.ordinal()] + ": " + reason_messages[reason.ordinal()]; + + } + + private static String generateMessage(ErrorType error, ReasonType reason, String additionalMessage) { + return generateMessage(error, reason) + " (" + additionalMessage + ")"; + } + +} 
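Review bot: `generateMessage` at the end of the hunk dereferences `error` and `reason` and indexes `error_messages`/`reason_messages` by `ordinal()` without any check, so a null argument or an enum constant without a matching table entry turns the SecurityError the caller was about to raise into a NullPointerException or ArrayIndexOutOfBoundsException thrown from the constructor. Because the class is a `@WebFault`, that unrelated exception is what a remote caller would see instead of the intended authentication/authorization fault. Validate both arguments up front and keep the lookup bounded, as below, or move the text onto the enum constants so the parallel arrays disappear. Separately, `setMessage` is public and `getMessage` returns the mutable field, so the fault text can be rewritten after construction; if the setter really is required by the SCA binding, say so in the Javadoc of `getMessage` as well, since that is where the surprise shows up.
```java
private static String generateMessage(ErrorType error, ReasonType reason) {
    if (error == null || reason == null) {
        throw new IllegalArgumentException("error and reason must not be null");
    }
    // the tables are indexed by declaration order of the two enums
    if (error.ordinal() >= error_messages.length || reason.ordinal() >= reason_messages.length) {
        throw new IllegalStateException("no message defined for " + error + " / " + reason);
    }
    return error_messages[error.ordinal()] + ": " + reason_messages[reason.ordinal()];
}
// … unchanged: generateMessage(ErrorType, ReasonType, String) …
```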
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AttributeIdentifier.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AttributeIdentifier.java new file mode 100644 index 0000000..cf31b0a --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AttributeIdentifier.java @@ -0,0 +1,99 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.net.URI; + + +/** + * + * Allows to identify attributes by its defining URIs, e.g., as key for hash tables + *
+ * As attributes within xacml cannot be uniquely identified using their java objects, this + * class can be used as such a unique identification + * + */ +public class AttributeIdentifier { + + protected URI category, attributeType, attributeId, issuer; + + public AttributeIdentifier(URI category, URI attributeType, URI attributeId, URI issuer) { + if ( category == null || attributeId == null || attributeType == null ) { + throw new RuntimeException("category, type and ID must not be null!"); + } + this.category = category; + this.attributeType = attributeType; + this.attributeId = attributeId; + this.issuer = issuer; + } + + + public AttributeIdentifier() { + //needed for web service stuff.. should not be used otherwise + } + + + @Override + public int hashCode() { + if ( issuer == null ) { + return category.hashCode() + attributeId.hashCode() + attributeType.hashCode(); + } else { + return category.hashCode() + attributeId.hashCode() + attributeType.hashCode() + issuer.hashCode(); + } + + } + + @Override + public boolean equals(Object o) { + if ( o instanceof AttributeIdentifier) { + AttributeIdentifier a = (AttributeIdentifier) o; + if ( this.category.equals(a.category) && + this.attributeType.equals(a.attributeType) && + this.attributeId.equals(a.attributeId) && + ((this.issuer == null && a.issuer == null) || this.issuer.equals(a.issuer))) { + return true; + } else { + return false; + } + + } else { + return false; + } + } + + + @Override + public String toString() { + return "[category]" + category + "[category];[type]" + attributeType + "[type];[id]" + attributeId + "[id];[issuer]" + issuer + "[issuer]"; + } + + + public URI getCategory() { + return category; + } + + public URI getAttributeType() { + return attributeType; + } + + public URI getAttributeId() { + return attributeId; + } + + public URI getIssuer() { + return issuer; + } +} 
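Review bot: `equals` throws NullPointerException instead of returning false when `this.issuer` is null and `a.issuer` is not: the disjunction `((this.issuer == null && a.issuer == null) || this.issuer.equals(a.issuer))` falls through to `this.issuer.equals(...)` in exactly that case, which matters for a class whose stated purpose is to serve as a hash key. Replace the last clause with `(this.issuer == null ? a.issuer == null : this.issuer.equals(a.issuer))`. Instances built through the no-arg constructor have `category`, `attributeType` and `attributeId` still null, so `hashCode` and `equals` also fail on them; the comment on that constructor should state that such an instance is not a usable key until the web-service layer has populated those fields. A minor point: summing the four hash codes makes the result independent of which URI is in which field, so swapping category and id collides; combining with a multiplier (`31 * h + next.hashCode()`) costs nothing.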
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoAttribute.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoAttribute.java new file mode 100644 index 0000000..16a4206 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoAttribute.java 
@@ -0,0 +1,83 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.net.URI; + +import javax.xml.bind.annotation.XmlType; + +@XmlType(namespace="http://aniketos.eu/autho") +public class AuthoAttribute { + + public static final URI OBLIGATION_CATEGORY = URI.create("urn:category:obligation"); + + enum STATUS { + MISSING, + RESOLVED, + RESOLUTION_ERROR + } + private Long id; + + protected AttributeIdentifier attrId; + protected String value; + + protected boolean underRevision; + + //TODO save, if -) within initial request -) requested through + public static final int INITIAL_REQUST = 0x1, ATTR_RESOLVER = 0x2; + + + + public AuthoAttribute() { + // needed for web service stuff + } + + public AuthoAttribute(AttributeIdentifier attrId, String value) { + this.attrId = attrId; + this.value = value; + } + + + + public AuthoAttribute(URI categoryId, URI attributeId, URI dataType, String value) { + this.attrId = new AttributeIdentifier(categoryId, dataType, attributeId, null); + this.value = value; + } + + public AttributeIdentifier getAttributeIdentifier() { + return this.attrId; + } + + public void setAttributeIdentifier(AttributeIdentifier attrId) { + this.attrId = attrId; + } + + public String getValue() { + return value; + } + + public void setValue(String value) { + this.value = value; + } + + public void setId(Long id) { + this.id = id; + } + + public Long getId() { + 
return id; + } +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoInfo.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoInfo.java new file mode 100644 index 0000000..8a80c0a --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoInfo.java @@ -0,0 +1,46 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.util.List; + +import eu.aniketos.securebpmn.api.idm.IdInfo; + +public class AuthoInfo extends IdInfo { + + public AuthoInfo() { + + } + + public AuthoInfo(IdInfo idInfo) { + super(idInfo); //TODO copy arguments + } + + //List of attributes assigned to the user, e.g., roles, etc. + //for usual, this information is obtained by the IDM + protected List userAttributes; + + protected String IDManager; + + + +// String getProxyGrantingTicket(); +// String getAuthenticatedUser(); +// SecurityError getException(); +// boolean hasError(); +// ErrorType getError(); +// ReasonType getReason(); +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoObligation.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoObligation.java new file mode 100644 index 0000000..2bcf702 --- /dev/null 
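Review bot: The URI constructor `AuthoAttribute(URI categoryId, URI attributeId, URI dataType, String value)` takes three same-typed URIs in an order that differs both from the `AttributeIdentifier(category, attributeType, attributeId, issuer)` it delegates to and from `DesignatorAttribute(URI attributeId, URI dataType, URI categoryId)` later in this patch, so a caller that swaps the type and id compiles cleanly and produces an identifier that silently matches nothing. At minimum document the parameter order in Javadoc on the constructor; a factory that takes an `AttributeIdentifier` only would remove the ambiguity. `INITIAL_REQUST` is a public constant with a typo and, once published as API, cannot be renamed without breaking callers, and the `STATUS` enum and `underRevision` field are not referenced anywhere in this hunk.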
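Review bot: `userAttributes` and `IDManager` are declared as protected fields without accessors or Javadoc, and the comment above `userAttributes` says the IDM provides them, yet nothing in this class sets them, so it is unclear who is expected to populate them and whether they may be null. The copy constructor carries `//TODO copy arguments`; `IdInfo`'s constructor is outside this hunk, so I cannot tell what `super(idInfo)` already copies, but the TODO suggests an AuthoInfo built from an IdInfo may be missing identity data and that should be resolved or documented before the class is used for decisions. The commented-out method list at the bottom should be removed or turned into an actual interface.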
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoObligation.java @@ -0,0 +1,56 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.net.URI; +import java.util.Collection; + +import javax.xml.bind.annotation.XmlType; + +@XmlType(namespace="http://aniketos.eu/autho") +public class AuthoObligation { + + private Long id; + private String type; + private Collection parameters; + + public AuthoObligation() { + + } + + public AuthoObligation(URI type) { + this.type = type.toString(); + } + + public Long getId() { + return id; + } + public void setId(Long id) { + this.id = id; + } + public String getType() { + return type; + } + public void setType(String type) { + this.type = type; + } + public Collection getParameters() { + return parameters; + } + public void setParameters(Collection parameters) { + this.parameters = parameters; + } +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoResult.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoResult.java new file mode 100644 index 0000000..4e5afb2 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/AuthoResult.java 
@@ -0,0 +1,155 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.util.List; + +import javax.xml.bind.annotation.XmlType; + +import eu.aniketos.securebpmn.api.idm.IdInfo; + +@XmlType(namespace="http://eu.aniketos/autho") +public class AuthoResult { + +// public enum DECISION { +// DECISION_PERMIT, +// DECISION_DENY, +// DECISION_INDETERMINATE, +// DECISION_NOT_APPLICABLE, +// INVALID_DECISION; +// +// private String[] messages = { "Permit", "Deny", +// "Indeterminate", +// "NotApplicable", "Invalid" }; +// +// public String getMessage() { +// return messages[this.ordinal()]; +// } +// +// public static DECISION getFromInt(int decision) { +// switch (decision) { +// case 0: +// return DECISION_PERMIT; +// case 1: +// return DECISION_DENY; +// case 2: +// return DECISION_INDETERMINATE; +// case 3: +// return DECISION_NOT_APPLICABLE; +// case 5: +// return INVALID_DECISION; +// } +// return null; +// } +// } + + private Long evaluationId; + + private Long id; + + /** + * The user for which the evaluation was done. 
Especially needed, if the + * pep provides the raw AuthInfo to the PDP + */ + private IdInfo idInfo; + + private Decision decision; + + + + private List statusCode; + + private String statusMessage; + + private List missingAttributes; + + private List obligations; + + public String toString() { + StringBuffer buff =new StringBuffer(decision.toString()); + buff.append(", statusCodes: "); + for (String code : statusCode) { + buff.append(code); buff.append(", "); + } + buff.append(", statusMessage: "); buff.append(statusMessage); + buff.append(" obligations: "); buff.append(obligations == null ? "null" : obligations.size()); + return buff.toString(); + } + + public IdInfo getIdInfo() { + return idInfo; + } + + public void setIdInfo(IdInfo idInfo) { + this.idInfo = idInfo; + } + + public Decision getDecision() { + return decision; + } + + public void setDecision(Decision decision) { + this.decision = decision; + } + + public List getMissingAttributes() { + return missingAttributes; + } + + public void setMissingAttributes(List missingAttributes) { + this.missingAttributes = missingAttributes; + } + + public List getObligations() { + return obligations; + } + + public void setObligations(List obligations) { + this.obligations = obligations; + } + + public void setEvaluationId(Long evaluationId) { + this.evaluationId = evaluationId; + } + + public Long getEvaluationId() { + return evaluationId; + } + + public void setId(Long id) { + this.id = id; + } + + public Long getId() { + return id; + } + + public List getStatusCode() { + return statusCode; + } + + public void setStatusCode(List statusCode) { + this.statusCode = statusCode; + } + + public String getStatusMessage() { + return statusMessage; + } + + public void setStatusMessage(String statusMessage) { + this.statusMessage = statusMessage; + } +} 
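Review bot: `toString()` throws NullPointerException when `decision` or `statusCode` is null: it calls `decision.toString()` directly and iterates `statusCode` unguarded, while every field here has a public setter and no initializer, and the `obligations` line already anticipates null. Since the method is the natural thing to reach for when logging a decision, a null-safe version is worth having; `StringBuilder` is also the idiomatic choice over the synchronized `StringBuffer`.
```java
@Override
public String toString() {
    StringBuilder buff = new StringBuilder(String.valueOf(decision));
    buff.append(", statusCodes: ");
    if (statusCode != null) {
        for (String code : statusCode) {
            buff.append(code).append(", ");
        }
    }
    buff.append(", statusMessage: ").append(statusMessage);
    buff.append(" obligations: ").append(obligations == null ? "null" : obligations.size());
    return buff.toString();
}
```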
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/Decision.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/Decision.java new file mode 100644 index 0000000..967b943 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/Decision.java @@ -0,0 +1,52 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import javax.xml.bind.annotation.XmlType; + +@XmlType(namespace="http://aniketos.eu/autho") +public enum Decision { + DECISION_PERMIT, + DECISION_DENY, + DECISION_INDETERMINATE, + DECISION_NOT_APPLICABLE, + INVALID_DECISION; + + private String[] messages = { "Permit", "Deny", + "Indeterminate", + "NotApplicable", "Invalid" }; + + public String getMessage() { + return messages[this.ordinal()]; + } + + public static Decision getFromInt(int decision) { + switch (decision) { + case 0: + return DECISION_PERMIT; + case 1: + return DECISION_DENY; + case 2: + return DECISION_INDETERMINATE; + case 3: + return DECISION_NOT_APPLICABLE; + case 5: + return INVALID_DECISION; + } + return null; + } + +} 
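Review bot: `getFromInt` returns null for code 4 and for any value outside 0–5, so an unrecognised decision code becomes a null `Decision` that only fails later (for example in `AuthoResult.toString()`) rather than being rejected at the point where it is decoded. Add `default: return INVALID_DECISION;` to the switch so unknown codes map to the explicit invalid marker, and if the gap at 4 is intentional say why in a comment next to `case 5`. `getMessage` resolves its text through a parallel array indexed by `ordinal()`, and because `messages` is an instance field every constant carries its own mutable copy; a per-constant constructor argument (`DECISION_PERMIT("Permit")`) avoids both the duplication and the ordering coupling.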
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/DesignatorAttribute.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/DesignatorAttribute.java new file mode 100644 index 0000000..ed27a40 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/DesignatorAttribute.java 
@@ -0,0 +1,75 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.net.URI; +import java.util.List; +import java.util.Vector; + +/** + * + * Attribtues resolved at runtime by the com.sun.xacml.attr.AttributeDesignator + * + */ +public class DesignatorAttribute { + + protected AttributeIdentifier attrId; + + + protected List values; + + public DesignatorAttribute(AttributeIdentifier attrId) { + this.attrId = attrId; + } + + public DesignatorAttribute(URI attributeId, URI dataType, URI categoryId) { + this.attrId = new AttributeIdentifier(categoryId, dataType, attributeId, null); + } + + public AttributeIdentifier getAttrId() { + return attrId; + } + + public void setAttrId(AttributeIdentifier attrId) { + this.attrId = attrId; + } + + public List getValues() { + return values; + } + public void setValues(List values) { + this.values = values; + } + + public void addBagValue(String bagValue) { + if ( values == null ) { + values = new Vector(); + } + values.add(bagValue); + } + + public List getBagValues() { + return this.values; + } + + public boolean isSingleValue() { + return values!= null && values.size() == 1 ? true : false; + } + + public boolean isEmptyValue() { + return values == null ? true : false; + } +} 
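Review bot: `isSingleValue` and `isEmptyValue` wrap a boolean in `? true : false`; `return values != null && values.size() == 1;` and `return values == null;` express the same thing. `values`, `getValues`, `setValues`, `getBagValues` and `addBagValue` use the raw `List`/`Vector` types although every stored element is a `String`, so `List<String>` with `new ArrayList<String>()` would let the compiler check callers; `getValues` and `getBagValues` are also duplicates of each other. The class Javadoc has a typo: `Attributes resolved at runtime by the com.sun.xacml.attr.AttributeDesignator`.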
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IAuthoManager.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IAuthoManager.java
new file mode 100644
index 0000000..294a4e9
--- /dev/null
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IAuthoManager.java
@@ -0,0 +1,24 @@
+/* Copyright 2012-2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.aniketos.securebpmn.api.autho;
+
+import eu.aniketos.securebpmn.api.idm.IdInfo;
+
+public interface IAuthoManager {
+
+ AuthoInfo getIdentityInformation(IdInfo idInfo);
+
+}
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IContextProvider.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IContextProvider.java
new file mode 100644
index 0000000..c20986c
--- /dev/null
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IContextProvider.java
@@ -0,0 +1,36 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.util.List; + +public interface IContextProvider { + /** + * resolves one attribute + * + * writes the result to attr and returns it as string + * + * @param attr + * @return + */ + String resolveAttribute(AuthoAttribute attr); + /** + * resolves a set of attributes, returns number of errors + * @param attr + * @return + */ + int resolveAttributes(List attr); +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IObligationService.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IObligationService.java new file mode 100644 index 0000000..e253c53 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IObligationService.java 
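Review bot: The Javadoc on `resolveAttributes` says it "returns number of errors" but not what state the failed attributes are left in, and both `@param`/`@return` tags are empty; a caller needs to know whether a non-zero count means the list is partially resolved and whether unresolved entries are left untouched. Suggested tags: `@param attr the attributes to resolve in place` and `@return number of attributes that could not be resolved; 0 if all were resolved`. `List attr` is raw; `List<AuthoAttribute>` is implied by the sibling `resolveAttribute(AuthoAttribute)`.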
@@ -0,0 +1,28 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.util.List; + +public interface IObligationService { + + public boolean supportsObligation(AuthoObligation obligation); + + public boolean fulfillObligation(AuthoObligation obligation); + + public boolean fulfillObligation(List obligation); + +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDP.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDP.java new file mode 100644 index 0000000..a10881e --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDP.java 
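Review bot: `fulfillObligation(List obligation)` returns one boolean for a whole list with no documentation of partial fulfilment — whether the implementation stops at the first failure, whether earlier obligations are undone, and whether `true` means all or any succeeded. Since an unfulfilled obligation must turn a Permit into a Deny on the PEP side, the contract should state it, e.g. `@return true only if every obligation in the list was fulfilled; on false the caller must treat the decision as Deny`. The parameter is a raw `List`; `List<AuthoObligation>` is implied by the sibling method and `obligations` would be a clearer name. The `public` modifiers on interface methods are redundant.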
@@ -0,0 +1,42 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.util.List; + +import javax.jws.WebParam; +import javax.jws.WebService; + +import eu.aniketos.securebpmn.api.SecurityError; +import eu.aniketos.securebpmn.api.idm.IdInfo; + +@WebService(targetNamespace="aniketos.eu/autho") +public interface IPDP { + + String evaluateXACML(@WebParam(name="xacmlRequ")String xacmlRequest) throws SecurityError; + + AuthoResult evaluate(@WebParam(name="idInfo") IdInfo idInfo, + @WebParam(name="resource") String resource, + @WebParam(name="action")String action, + @WebParam(name="attributes") List attributes) throws SecurityError; + + String getXACMLPEPConfig(); + + boolean logBreakGlassAccess(@WebParam(name="evaluationId") long evaluationId, @WebParam(name="justification") String justification); + + void notifyStateChange(@WebParam(name="evaluationId") long evaluationId) throws SecurityError; + +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDPManagement.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDPManagement.java new file mode 100644 index 0000000..1da4a19 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDPManagement.java 
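Review bot: `evaluateXACML` accepts an arbitrary XML document from a web-service client, so this interface is where the parsing contract belongs; a Javadoc line such as `Implementations must parse the request with DTD processing and external entity resolution disabled` carries that requirement to every implementation. `@WebService(targetNamespace="aniketos.eu/autho")` differs from the `http://aniketos.eu/autho` namespace on `Decision`'s `@XmlType` in the same package; if both are meant to be one namespace, one of them is a typo. `logBreakGlassAccess` returns a plain boolean while every other state-changing method here throws `SecurityError`, which makes a failed audit write easy to ignore at the caller.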
@@ -0,0 +1,37 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import java.util.List; + +public interface IPDPManagement { + + long loadPolicyVersion(long version); + + boolean setEmergencyLeve(long level, boolean active); + + // role management + List getRoles(String userId); + + void addRole(String userId, String role); + + void removeRole(String userId, String role); + + + //patient - physician relationship + +} + \ No newline at end of file diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDPStateManagement.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDPStateManagement.java new file mode 100644 index 0000000..6881f8a --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/autho/IPDPStateManagement.java 
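Review bot: `setEmergencyLeve` is missing its last letter; as this is the public management API the name will be baked into every implementor and client, so rename now: `boolean setEmergencyLevel(long level, boolean active);`. `addRole`, `removeRole` and `setEmergencyLevel` change the PDP's authorization state, and the interface says nothing about who may invoke them — a class-level Javadoc stating that implementations must be exposed only to an authenticated administrative principal would pass that requirement on to implementors. `List getRoles(String userId)` is raw; `List<String>` is implied by `addRole(String, String)`. The `//patient - physician relationship` comment marks an empty section and should either become a TODO sentence or go.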
@@ -0,0 +1,35 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.autho; + +import eu.aniketos.securebpmn.api.SecurityError; +import eu.aniketos.securebpmn.api.log.AccessControlRequest; + +/** + * + * This interface allows the PDP to pass an access control request + * to the PDP State module and update the pdp state according to the + * executed action + * + */ +public interface IPDPStateManagement { + /** + * update the PDPState according to the access control request + * @param execRequest + */ + void updatePDPState(AccessControlRequest execRequest) throws SecurityError; + +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/AuthInfo.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/AuthInfo.java new file mode 100644 index 0000000..efc6d7d --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/AuthInfo.java 
@@ -0,0 +1,63 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.idm; + + +/** + * contains (technology neutral) authentication information information, e.g., + *
    + *
  • SAML Token
  • + *
  • CAS Token
  • + *
  • OpenID Token
  • + *
+ * + */ +public class AuthInfo { + protected String authProviderId; + protected String token; + protected IdInfo idInfo; + + public AuthInfo() { + + } + + public AuthInfo(String authProviderId, String token) { + this.authProviderId = authProviderId; + this.token = token; + } + + protected AuthInfo(IdInfo idInfo) { + this.idInfo = idInfo; + } + + public String getAuthProviderId() { + return authProviderId; + } + + public void setAuthProviderId(String authProviderId) { + this.authProviderId = authProviderId; + } + + public String getToken() { + return token; + } + + public void setToken(String token) { + this.token = token; + } + + +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProvider.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProvider.java new file mode 100644 index 0000000..bae2700 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProvider.java 
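Review bot: `idInfo` is assigned by the protected `AuthInfo(IdInfo)` constructor but has no accessor, so a subclass built that way carries a field nothing in this class reads; either add `getIdInfo()` or drop the field and the constructor. `token` holds a bearer credential (SAML/CAS/OpenID per the class Javadoc) in a plain mutable bean; a field comment such as `// credential: never log it or include it in toString()` records the handling rule for whoever adds `toString` or serialisation later. The class Javadoc doubles the word "information" and its list markup is garbled in this view.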
@@ -0,0 +1,38 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.idm; + +/** + * + * Resovles the AuthInfo with aim of a ID Provider + * + * + */ +public interface IIDProvider { + /** + * Resolved the AuthInfo t + * + * @param authInfo + * @return + */ + IdInfo authenticate(AuthInfo authInfo); + + boolean isValidInfo(String info); + + AuthInfo createAuthInfo(String info); + + String getProviderID(); +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProviderFactory.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProviderFactory.java new file mode 100644 index 0000000..eb0ef1e --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProviderFactory.java 
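Review bot: `authenticate` does not say how failure is reported — a `null` return or a `SecurityError` — while the sibling `ITicketProvider.login` documents `null` as "not logged in"; an unspecified failure mode on an authentication entry point is where callers end up treating a missing result as success. A `@return the resolved identity, or null if the token could not be validated` (or a `throws SecurityError` clause, whichever implementations do) pins it down. The Javadoc also has typos and a truncated sentence: `Resolves the AuthInfo with the aid of an ID Provider` and `Resolves the AuthInfo to an IdInfo`.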
@@ -0,0 +1,23 @@
+/* Copyright 2012-2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.aniketos.securebpmn.api.idm;
+
+import java.net.URL;
+
+public interface IIDProviderFactory {
+ IIDProvider getClient(URL casServer, URL service);
+ IIDProviderProxy getProxyClient(URL casServer, URL service);
+}
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProviderProxy.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProviderProxy.java
new file mode 100644
index 0000000..c52cbb1
--- /dev/null
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IIDProviderProxy.java
@@ -0,0 +1,26 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.idm; + +import java.net.URL; + +public interface IIDProviderProxy extends IIDProvider { + + IdInfo authenticate(AuthInfo authInfo, boolean proxy); + + String getProxyTicket(IdInfo idInfo, URL targetService); + +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/ITicketProvider.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/ITicketProvider.java new file mode 100644 index 0000000..1a9bf09 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/ITicketProvider.java 
@@ -0,0 +1,55 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.idm; + +import java.net.URL; + +import eu.aniketos.securebpmn.api.SecurityError; + +public interface ITicketProvider { + /** + * This method logs in at the SSO Engine (i.e., the CAS Server) + *
+ * In case of any error (e.g., ConnectException, IOException) which result out of an + * incorrect infrastructure, this functions returns null, which signals "not logged in" + * + * @param username used to login at the SSO Engine (i.e., CAS Server) + * @param password used to login at the SSO Engine (i.e., CAS Server) + * @return the value of the Ticket Granting Cookie. CAUTION If the return value is null, + * the login has not been successful, it has to be called login again! + */ + public String login(String username, String password) throws SecurityError; + + /** + * This function is used for every (Web Service) Call that is done in the SoKNOS system, as for each of these + * call a Service Ticket (CAS Ticket) is required. + * + * @param service The URL of the service for which the service ticket is required + * @return + * @throws InvalidCASTicketException This exception is thrown, if there is no valid CAS Ticket available (i.e., + * the user is not logged in or the CAS session expired, etc.) + */ + public AuthInfo getServiceTicket(URL service) throws SecurityError; + + /** + * Invalidates any existing active session. If no active session is available, no error is thrown. If + * this function is called, for further getServiceTicket() calls a (re)login is required + * + * @return true, if logout has been successful or no active session was found and false, + * if any error occured (e.g., network error) + */ + public boolean logout(); +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/ITicketProviderFactory.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/ITicketProviderFactory.java new file mode 100644 index 0000000..9a01ad5 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/ITicketProviderFactory.java 
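Review bot: The `login` Javadoc contradicts the signature: it says infrastructure errors return `null`, yet the method declares `throws SecurityError`, so callers cannot tell which failures surface as `null` and which as an exception; pick one and state it in a `@throws SecurityError` tag. `getServiceTicket` documents `@throws InvalidCASTicketException`, a type the signature does not declare; change it to `@throws SecurityError if no valid CAS ticket is available` and fill the empty `@return`. `password` is passed as a `String`; a `char[]` can be cleared after use, which matters for a credential the SSO session also holds. The "SoKNOS system" reference is presumably a leftover from another project.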
@@ -0,0 +1,22 @@
+/* Copyright 2012-2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.aniketos.securebpmn.api.idm;
+
+import java.net.URL;
+
+public interface ITicketProviderFactory {
+ ITicketProvider getTicketProvider(URL idProvder);
+}
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IdInfo.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IdInfo.java
new file mode 100644
index 0000000..0756c73
--- /dev/null
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/idm/IdInfo.java
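Review bot: The parameter name is misspelled: `ITicketProvider getTicketProvider(URL idProvider);`. On an interface the name only shows up in generated docs and implementors, so the fix is harmless now and harder once clients copy it.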
@@ -0,0 +1,94 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.idm; + +import java.util.List; + +import javax.xml.bind.annotation.XmlType; + +/** + * + * Contains authentication information (ID Provider) and authorization + * relevant information (identity management) about the user + * + */ +@XmlType(namespace="http://idm.aniketos.eu/") +public class IdInfo { + + + + //the resolved userID + protected String userId; // Required + + //ID Provider which was used to resolve the userID + protected String IdProvider; // Required + + //List of services which are in the call chain to the current instance + protected List callChain; // Optional, technology dependant, e.g., CAS + + public IdInfo(String userId) { + this.userId = userId; + } + + + public IdInfo(String userId, String IdProvider, List callChaind) { + this.userId = userId; + this.IdProvider = IdProvider; + this.callChain = callChaind; + } + + protected IdInfo(IdInfo copy) { + this.userId = copy.userId; + this.IdProvider = copy.IdProvider; + this.callChain = copy.callChain; + } + + protected IdInfo() { + + } + + + public String getUserId() { + return userId; + } + + + public void setUserId(String userId) { + this.userId = userId; + } + + + public String getIdProvider() { + return IdProvider; + } + + + public void setIdProvider(String idProvider) { + IdProvider = idProvider; + } + + + public List getCallChain() { + return 
callChain; + } + + + public void setCallChain(List callChain) { + this.callChain = callChain; + } + + +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/AccessControlRequest.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/AccessControlRequest.java new file mode 100644 index 0000000..4aba7a7 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/AccessControlRequest.java 
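Review bot: The copy constructor `IdInfo(IdInfo copy)` shares the `callChain` list between copy and original, and `getCallChain` hands that same list to callers, so a mutation through either object changes the identity seen by the other; copy it in the constructor (`this.callChain = copy.callChain == null ? null : new ArrayList(copy.callChain);`, which needs a `java.util.ArrayList` import) and return an unmodifiable view from the getter. The field `IdProvider` breaks the lowerCamelCase used everywhere else in the file (`setIdProvider` even has to write `IdProvider = idProvider` without `this.`), and the constructor parameter `callChaind` is a typo. `List callChain` is raw; the comment calls it technology dependent, so `List<String>` plus that comment would be the least surprising choice.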
@@ -0,0 +1,216 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.log; + +import java.net.URI; +import java.util.Collection; +import java.util.Date; +import java.util.List; + +import eu.aniketos.securebpmn.api.autho.AuthoAttribute; +import eu.aniketos.securebpmn.api.autho.AuthoObligation; +import eu.aniketos.securebpmn.api.autho.AuthoResult; +import eu.aniketos.securebpmn.api.autho.DesignatorAttribute; +import eu.aniketos.securebpmn.api.idm.IdInfo; + +public class AccessControlRequest extends LogEntry { + + private Long evaluationId; + private long policyVersion; + private Date execTime; + + //request part + private IdInfo idInfo; + private URI resource; + private String action; + + private Collection attributes; + + //RequestCtx + private Object request; + private String xacmlRequest; + + + private AuthoResult result; + private List obligations; + + private List designAttrs; + + //ResponseCtx + private Object response; + private String xacmlResponse; + + + private long duration; + private String errorMessage; + + public AccessControlRequest() { + super(null, Log_Type.ACCESS_REQUEST); + } + + public AccessControlRequest(Long evaluationId, String xacmlRequest) { + super(new Date(), Log_Type.ACCESS_REQUEST); + this.evaluationId = evaluationId; + this.xacmlRequest = xacmlRequest; + } + + public AccessControlRequest(Long evaluationId, IdInfo idInfo, + URI resource, String action, List 
attributes) { + super(new Date(), Log_Type.ACCESS_REQUEST); + this.evaluationId = evaluationId; + this.idInfo = idInfo; + this.resource = resource; + this.action = action; + this.attributes = attributes; + } + + public void finished(Object request, Object response, String xacmlResponse, + Date execTime, long policyVersion, + List designAttrs) { + duration = new Date().getTime() - getArrival().getTime(); + this.setRequest(request); + this.setResponse(response); + this.execTime = execTime; + this.policyVersion = policyVersion; + this.xacmlResponse = xacmlResponse; + this.designAttrs = designAttrs; + } + + public void finished(Object request, Object response, AuthoResult result, + Date execTime, long policyVersion, + List designAttrs) { + duration = new Date().getTime() - getArrival().getTime(); + this.setRequest(request); + this.setResponse(response); + this.execTime = execTime; + this.policyVersion = policyVersion; + this.result = result; + this.designAttrs = designAttrs; + } + + + + + public Long getEvaluationId() { + return evaluationId; + } + public void setEvaluationId(Long evaluationId) { + this.evaluationId = evaluationId; + } + public String getXacmlRequest() { + return xacmlRequest; + } + public void setXacmlRequest(String xacmlRequest) { + this.xacmlRequest = xacmlRequest; + } + public URI getResource() { + return resource; + } + public void setResource(URI resource) { + this.resource = resource; + } + public String getAction() { + return action; + } + public void setAction(String action) { + this.action = action; + } + public Collection getAttributes() { + return attributes; + } + public void setAttributes(Collection attributes) { + this.attributes = attributes; + } + public AuthoResult getResult() { + return result; + } + public void setResult(AuthoResult result) { + this.result = result; + } + public long getDuration() { + return duration; + } + public void setDuration(long duration) { + this.duration = duration; + } + public void setErrorMessage(String 
errorMessage) { + this.errorMessage = errorMessage; + } + public String getErrorMessage() { + return errorMessage; + } + public void setXacmlResponse(String xacmlResponse) { + this.xacmlResponse = xacmlResponse; + } + public String getXacmlResponse() { + return xacmlResponse; + } + public void setObligations(List obligations) { + this.obligations = obligations; + } + public List getObligations() { + return obligations; + } + + public void setPolicyVersion(long policyVersion) { + this.policyVersion = policyVersion; + } + + public long getPolicyVersion() { + return policyVersion; + } + + public void setRequest(Object request) { + this.request = request; + } + + public Object getRequest() { + return request; + } + + public void setResponse(Object response) { + this.response = response; + } + + public Object getResponse() { + return response; + } + + public List getDesignatorAttributes() { + return this.designAttrs; + } + + public void setDesignatorAttributes(List designAttrs) { + this.designAttrs = designAttrs; + } + + public IdInfo getIdInfo() { + return idInfo; + } + + public void setIdInfo(IdInfo idInfo) { + this.idInfo = idInfo; + } + + public Date getExecTime() { + return execTime; + } + + public void setExecTime(Date execTime) { + this.execTime = execTime; + } + +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/EventNotification.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/EventNotification.java new file mode 100644 index 0000000..783fe0c --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/EventNotification.java 
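Review bot: Both `finished` overloads compute `duration` from `getArrival().getTime()`, but the no-arg constructor passes `super(null, Log_Type.ACCESS_REQUEST)`, so an instance built that way throws `NullPointerException` the moment it is finished; either give the no-arg constructor `new Date()` like the others or guard: `duration = getArrival() == null ? -1 : new Date().getTime() - getArrival().getTime();`. The two overloads differ only in `xacmlResponse` versus `result`, so one private method taking the shared arguments would remove the duplicated body. `attributes`, `obligations` and `designAttrs` are raw `Collection`/`List`; the imported `AuthoAttribute`, `AuthoObligation` and `DesignatorAttribute` are evidently the intended element types.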
@@ -0,0 +1,59 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.log; + +import java.util.Date; + +public class EventNotification extends LogEntry { + + protected EventNotification(Date arrival, Log_Type type) { + super(arrival, type); + } + + private Long id; + + private Long evaluationId; + private Log_Type type; + private String message; + + + public Long getEvaluationId() { + return evaluationId; + } + public void setEvaluationId(Long evaluationId) { + this.evaluationId = evaluationId; + } + public Log_Type getType() { + return type; + } + public void setType(Log_Type type) { + this.type = type; + } + public String getMessage() { + return message; + } + public void setMessage(String message) { + this.message = message; + } + public void setId(Long id) { + this.id = id; + } + public Long getId() { + return id; + } + + +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/ILogStore.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/ILogStore.java new file mode 100644 index 0000000..81967fa --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/ILogStore.java 
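Review bot: `EventNotification` declares its own `private Log_Type type` although `LogEntry` already stores the type passed to `super(arrival, type)`, so `getType()` and the inherited `getLogtype()` can return different values for the same entry; drop the field and `setType`, and have `getType()` return `getLogtype()`. The only constructor is `protected`, so nothing outside a subclass can create an `EventNotification` — if that is intended it deserves a comment, otherwise a public constructor is missing.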
@@ -0,0 +1,42 @@ +/* Copyright 2012-2015 SAP SE + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package eu.aniketos.securebpmn.api.log; + + + +public interface ILogStore { + /** + * store the provided AccessControlRequest to the log store; + * this function should not block and return immediately, i.e., + * the request should be put on a queue and handled by another + * thread + * @param requ + */ + void storeAccessControlRequest(AccessControlRequest requ); + + boolean logBreakGlassAccess(); + + boolean shutdown(); + + /** + * returns a new unique ID; this ID should be used to create a new + * AccessControlRequest + * @return + */ + Long getNewEvaluationId(); + + AccessControlRequest getAccessControlRequest(Long evaluationId); +} diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/LogEntry.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/LogEntry.java new file mode 100644 index 0000000..dec60a8 --- /dev/null +++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/log/LogEntry.java 
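Review bot: `logBreakGlassAccess()` takes no arguments, unlike `IPDP.logBreakGlassAccess(long evaluationId, String justification)` in the same commit, so the store has nothing to record and the justification never reaches persistent storage; `boolean logBreakGlassAccess(Long evaluationId, String justification);` would align the two. `storeAccessControlRequest` is documented as queue-and-return, which for an audit log means entries are lost if the process dies before the queue drains; the `shutdown()` Javadoc should state whether it blocks until the queue is flushed. The `@return` tag on `getNewEvaluationId` is empty.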
@@ -0,0 +1,49 @@
+/* Copyright 2012-2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.aniketos.securebpmn.api.log;
+
+import java.util.Date;
+
+public abstract class LogEntry {
+
+ public enum Log_Type {
+ ACCESS_REQUEST,
+ BREAK_GLASS
+ }
+
+ protected LogEntry(Date arrival, Log_Type type) {
+ this.arrival = arrival;
+ this.type = type;
+ }
+
+ private Date arrival;
+// private byte[] chkSum;
+//
+// private Long previous;
+
+ private Log_Type type;
+
+ public Date getArrival() {
+ return arrival;
+ }
+ public void setArrival(Date arrival) {
+ this.arrival = arrival;
+ }
+
+ public Log_Type getLogtype() {
+ return type;
+ }
+}
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IObligationContext.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IObligationContext.java
new file mode 100644
index 0000000..ba01bd2
--- /dev/null
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IObligationContext.java
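Review bot: `getArrival()` returns the internal `java.util.Date` and `setArrival` replaces it, so a log entry's arrival timestamp can be changed after the record exists — for an audit record the timestamp should be fixed at construction; return a copy, `return arrival == null ? null : new Date(arrival.getTime());`, and either remove `setArrival` or document why an entry's arrival is allowed to change. The constructor accepts null for both `arrival` and `type` without a check, so a half-built entry only fails when it is read; `Objects.requireNonNull` on both would fail early. The commented-out `chkSum` and `previous` fields suggest a tamper-evident chain that is not implemented; either delete the dead comment or replace it with a TODO saying chaining is planned, so a reader does not assume the log is integrity-protected.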
@@ -0,0 +1,22 @@
+/* Copyright 2012-2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.aniketos.securebpmn.api.pep;
+
+import eu.aniketos.securebpmn.api.autho.AuthoObligation;
+
+public interface IObligationContext {
+ public void fulfill(AuthoObligation obligation);
+}
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IPEP.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IPEP.java
new file mode 100644
index 0000000..9ea94b3
--- /dev/null
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IPEP.java
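Review bot: `fulfill` returns void and declares no exception, so an implementation has no defined way to report that an obligation could not be carried out; in XACML a PEP that cannot discharge an obligation attached to a Permit must not grant access, and this interface gives the caller nothing to act on. Either return `boolean` or document that implementations must throw, e.g. `/** Discharges the obligation; throws if it cannot be met, in which case the PEP must treat the decision as a denial. */`. The redundant `public` modifier on an interface method can also go.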
@@ -0,0 +1,29 @@
+/* Copyright 2012-2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.aniketos.securebpmn.api.pep;
+
+import java.util.List;
+
+import eu.aniketos.securebpmn.api.autho.AuthoAttribute;
+import eu.aniketos.securebpmn.api.idm.IdInfo;
+
+public interface IPEP {
+
+ boolean authorized(String subjectId, String resource, String action, List ctxAttrs);
+
+ boolean authorized(IdInfo idInfo, String resource, String action, List ctxAttrs);
+
+}
\ No newline at end of file
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IPEPProxy.java b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IPEPProxy.java
new file mode 100644
index 0000000..da44a5e
--- /dev/null
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/main/java/eu/aniketos/securebpmn/api/pep/IPEPProxy.java
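Review bot: Both `authorized` overloads take a raw `List ctxAttrs` while `AuthoAttribute` is imported and never used, which looks like a lost type parameter; `List<AuthoAttribute> ctxAttrs` on both signatures restores compile-time checking of what callers pass as context attributes. Neither method documents error handling — a `boolean` collapses Deny, NotApplicable and Indeterminate (including an unreachable PDP) into `false`, which is the right fail-closed default but should be stated in Javadoc so no implementation returns true on an evaluation error. The file is also missing its trailing newline.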
@@ -0,0 +1,22 @@
+/* Copyright 2012-2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.aniketos.securebpmn.api.pep;
+
+import eu.aniketos.securebpmn.api.idm.IIDProviderProxy;
+
+public interface IPEPProxy extends IIDProviderProxy {
+
+}
diff --git a/src/eu.aniketos.securebpmn.xacml.api/src/test/java/eu/aniketos/securebpmn/xacml/api/AppTest.java b/src/eu.aniketos.securebpmn.xacml.api/src/test/java/eu/aniketos/securebpmn/xacml/api/AppTest.java
new file mode 100644
index 0000000..3c3b1f2
--- /dev/null
+++ b/src/eu.aniketos.securebpmn.xacml.api/src/test/java/eu/aniketos/securebpmn/xacml/api/AppTest.java
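Review bot: `IPEPProxy` adds no members over `IIDProviderProxy`, so nothing tells an implementer what a PEP-side proxy is expected to provide beyond identity-provider proxying, and the empty body reads like a leftover. If it is intentionally a marker, a one-line Javadoc should say so: `/** Marker for PEP-side proxies; currently identical to {@link IIDProviderProxy}. */`; if members are planned, a TODO naming them would serve the same purpose.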
@@ -0,0 +1,53 @@
+/* Copyright 2012-2015 SAP SE
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.aniketos.securebpmn.xacml.api;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+/**
+ * Unit test for simple App.
+ */
+public class AppTest
+ extends TestCase
+{
+ /**
+ * Create the test case
+ *
+ * @param testName name of the test case
+ */
+ public AppTest( String testName )
+ {
+ super( testName );
+ }
+
+ /**
+ * @return the suite of tests being tested
+ */
+ public static Test suite()
+ {
+ return new TestSuite( AppTest.class );
+ }
+
+ /**
+ * Rigourous Test :-)
+ */
+ public void testApp()
+ {
+ assertTrue( true );
+ }
+}
diff --git a/src/eu.aniketos.securebpmn.xacml.parent/pom.xml b/src/eu.aniketos.securebpmn.xacml.parent/pom.xml
index 1a40d7a..ccf1b5e 100644
--- a/src/eu.aniketos.securebpmn.xacml.parent/pom.xml
+++ b/src/eu.aniketos.securebpmn.xacml.parent/pom.xml
@@ -12,6 +12,7 @@ ../com.sun.xacml ../com.sun.xacml.support + ../eu.aniketos.securebpmn.xacml.api
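Review bot: In the AppTest hunk, `testApp` asserts `assertTrue( true )` and never references a class from this module, so the new test suite passes without exercising any of the API; either drop the archetype placeholder or replace it with a check of something the commit adds, for instance that `LogEntry.Log_Type.values()` contains `ACCESS_REQUEST` and `BREAK_GLASS`. The comment also misspells `Rigourous`. The parent pom.xml hunk that follows on this line is cut off by the end of the view and is not reviewed here.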