Initital commit: Activiti integration.
This commit is contained in:
parent
d884ae13d8
commit
c78fa26a13
|
@ -121,6 +121,11 @@
|
||||||
<version>[3,)</version>
|
<version>[3,)</version>
|
||||||
<scope>runtime</scope>
|
<scope>runtime</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.activiti</groupId>
|
||||||
|
<version>5.8</version>
|
||||||
|
<artifactId>activiti-engine</artifactId>
|
||||||
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</project>
|
</project>
|
||||||
<!-- dependency> <groupId>org.hibernate</groupId> <artifactId>hibernate</artifactId>
|
<!-- dependency> <groupId>org.hibernate</groupId> <artifactId>hibernate</artifactId>
|
||||||
|
|
|
@ -0,0 +1,570 @@
|
||||||
|
/* Copyright 2012-2015 SAP SE
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package eu.aniketos.securebpmn.xacml.pdp.request.util;
|
||||||
|
|
||||||
|
import java.io.BufferedReader;
|
||||||
|
import java.io.BufferedWriter;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileNotFoundException;
|
||||||
|
import java.io.FileReader;
|
||||||
|
import java.io.FileWriter;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.URI;
|
||||||
|
import java.net.URL;
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.Iterator;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Vector;
|
||||||
|
|
||||||
|
import org.activiti.engine.FormService;
|
||||||
|
import org.activiti.engine.HistoryService;
|
||||||
|
import org.activiti.engine.IdentityService;
|
||||||
|
import org.activiti.engine.ProcessEngines;
|
||||||
|
import org.activiti.engine.RepositoryService;
|
||||||
|
import org.activiti.engine.TaskService;
|
||||||
|
import org.activiti.engine.history.HistoricTaskInstance;
|
||||||
|
import org.activiti.engine.identity.Group;
|
||||||
|
import org.activiti.engine.repository.Deployment;
|
||||||
|
import org.activiti.engine.task.Event;
|
||||||
|
import org.activiti.engine.task.Task;
|
||||||
|
import org.activiti.explorer.ui.task.data.QueuedListQuery.SecurityCallback;
|
||||||
|
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.autho.AuthoResult;
|
||||||
|
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||||
|
|
||||||
|
import com.sun.xacml.Constants;
|
||||||
|
import com.sun.xacml.ParsingException;
|
||||||
|
import com.sun.xacml.UnknownIdentifierException;
|
||||||
|
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Util-class for evaluating XACML-requests with inline PEP.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public class RequestUtil implements SecurityCallback {
|
||||||
|
|
||||||
|
protected PDPServer pdpServer;
|
||||||
|
protected TaskService taskService;
|
||||||
|
protected IdentityService identityService;
|
||||||
|
protected HistoryService historyService;
|
||||||
|
protected FormService formService;
|
||||||
|
protected RepositoryService repositoryService;
|
||||||
|
protected List<String> currentlyClaimedTasks;
|
||||||
|
protected List<org.activiti.engine.task.Event> taskEvents;
|
||||||
|
protected URL configURL;
|
||||||
|
|
||||||
|
public RequestUtil() {
|
||||||
|
// System.out.println("\nCalling RequestUtil\n");
|
||||||
|
try {
|
||||||
|
configURL = this.getClass().getClassLoader()
|
||||||
|
.getResource("policy-config.xml");
|
||||||
|
pdpServer = new PDPServer(new File(configURL.getFile()));
|
||||||
|
|
||||||
|
taskService = ProcessEngines.getDefaultProcessEngine()
|
||||||
|
.getTaskService();
|
||||||
|
identityService = ProcessEngines.getDefaultProcessEngine()
|
||||||
|
.getIdentityService();
|
||||||
|
historyService = ProcessEngines.getDefaultProcessEngine()
|
||||||
|
.getHistoryService();
|
||||||
|
formService = ProcessEngines.getDefaultProcessEngine()
|
||||||
|
.getFormService();
|
||||||
|
repositoryService = ProcessEngines.getDefaultProcessEngine()
|
||||||
|
.getRepositoryService();
|
||||||
|
currentlyClaimedTasks = new ArrayList<String>();
|
||||||
|
taskEvents = new ArrayList<org.activiti.engine.task.Event>();
|
||||||
|
|
||||||
|
} catch (FileNotFoundException e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
} catch (ParsingException e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
} catch (UnknownIdentifierException e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Inline PEP. <br>
|
||||||
|
* Handles the RBAC- and SoD-enforcement<br>
|
||||||
|
* Creates a request with additional {@link AuthoAttribute}s which is then
|
||||||
|
* evaluated by the {@link PDPServer}.
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* @param taskId
|
||||||
|
* the task to be claimed
|
||||||
|
* @param userId
|
||||||
|
* the current user
|
||||||
|
*/
|
||||||
|
public boolean securityCheck(String taskId, String userId) {
|
||||||
|
updatePolicyConfig();
|
||||||
|
// catch empty checks
|
||||||
|
if (taskId == null || userId == null) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||||
|
|
||||||
|
// System.out.println("UserID: " + userId);
|
||||||
|
|
||||||
|
// get the resource
|
||||||
|
Task task = taskService.createTaskQuery().taskId(taskId).singleResult();
|
||||||
|
String resource = task.getTaskDefinitionKey();
|
||||||
|
|
||||||
|
// System.out.println("Resourcename: " + resource);
|
||||||
|
|
||||||
|
// add the role-attributes
|
||||||
|
List<Group> groups = identityService.createGroupQuery()
|
||||||
|
.groupMember(userId).list();
|
||||||
|
|
||||||
|
for (Iterator<Group> iterator = groups.iterator(); iterator.hasNext();) {
|
||||||
|
Group group = (Group) iterator.next();
|
||||||
|
|
||||||
|
// System.out.println("Rolename: " + group.getName().toLowerCase());
|
||||||
|
|
||||||
|
attributes.add(new AuthoAttribute(Constants.SUBJECT_CAT, URI
|
||||||
|
.create("urn:custom:subject:role"),
|
||||||
|
TypeIdentifierConstants.STRING_URI, group.getName()
|
||||||
|
.toLowerCase()));
|
||||||
|
}
|
||||||
|
|
||||||
|
// List of all tasks currently assigned to the logged in user in the
|
||||||
|
// current process instance and get their Ids for a match
|
||||||
|
List<Task> t = taskService.createTaskQuery()
|
||||||
|
.processDefinitionId(task.getProcessDefinitionId())
|
||||||
|
.taskAssignee(userId).list();
|
||||||
|
List<HistoricTaskInstance> hti = historyService
|
||||||
|
.createHistoricTaskInstanceQuery()
|
||||||
|
.processDefinitionId(task.getProcessDefinitionId())
|
||||||
|
.taskAssignee(userId).list();
|
||||||
|
for (Iterator<HistoricTaskInstance> iterator = hti.iterator(); iterator
|
||||||
|
.hasNext();) {
|
||||||
|
HistoricTaskInstance historicTaskInstance = (HistoricTaskInstance) iterator
|
||||||
|
.next();
|
||||||
|
if (!currentlyClaimedTasks.contains(historicTaskInstance
|
||||||
|
.getTaskDefinitionKey())) {
|
||||||
|
currentlyClaimedTasks.add(historicTaskInstance
|
||||||
|
.getTaskDefinitionKey());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for (Iterator<Task> iterator = t.iterator(); iterator.hasNext();) {
|
||||||
|
Task task2 = (Task) iterator.next();
|
||||||
|
if (!currentlyClaimedTasks.contains(task2.getTaskDefinitionKey())) {
|
||||||
|
currentlyClaimedTasks.add(task2.getTaskDefinitionKey());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// add the tasks for the evaluation
|
||||||
|
for (Iterator<String> iterator = currentlyClaimedTasks.iterator(); iterator
|
||||||
|
.hasNext();) {
|
||||||
|
String claimedTaskName = (String) iterator.next();
|
||||||
|
|
||||||
|
// System.out.println("ClaimedTaskName: " + claimedTaskName);
|
||||||
|
|
||||||
|
attributes.add(new AuthoAttribute(Constants.RESOURCE_CAT, URI
|
||||||
|
.create("urn:custom:resource:cc-tasks"),
|
||||||
|
TypeIdentifierConstants.STRING_URI, claimedTaskName));
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO hardcoded action!
|
||||||
|
try {
|
||||||
|
final String action = "Full Access";
|
||||||
|
|
||||||
|
// the evaluation call
|
||||||
|
AuthoResult result = pdpServer.evaluate(new IdInfo(userId),
|
||||||
|
resource, action, attributes);
|
||||||
|
|
||||||
|
System.out.println("RESPONSE: " + result.toString());
|
||||||
|
System.out.println(result.getDecision().getMessage());
|
||||||
|
|
||||||
|
if (result.getDecision().getMessage().equals("Permit")) {
|
||||||
|
/*
|
||||||
|
* for (Iterator<AuthoAttribute> iterator =
|
||||||
|
* attributes.iterator(); iterator .hasNext();) { AuthoAttribute
|
||||||
|
* authoAttribute = (AuthoAttribute) iterator .next();
|
||||||
|
*
|
||||||
|
* System.out.println("Request was: " + userId + " : " +
|
||||||
|
* resource + " : " + action + " : " +
|
||||||
|
* authoAttribute.getValue()); }
|
||||||
|
*/
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (result.getDecision().getMessage().equals("NotApplicable")) {
|
||||||
|
/*
|
||||||
|
* for (Iterator<AuthoAttribute> iterator =
|
||||||
|
* attributes.iterator(); iterator .hasNext();) { AuthoAttribute
|
||||||
|
* authoAttribute = (AuthoAttribute) iterator .next();
|
||||||
|
*
|
||||||
|
* System.out.println("Request was: " + userId + " : " +
|
||||||
|
* resource + " : " + action + " : " +
|
||||||
|
* authoAttribute.getValue()); }
|
||||||
|
*/
|
||||||
|
}
|
||||||
|
|
||||||
|
} catch (SecurityError e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Inline PEP. <br>
|
||||||
|
* Handles the Delegation-enforcement<br>
|
||||||
|
* Creates a request with additional {@link AuthoAttribute}s which is then
|
||||||
|
* evaluated by the {@link PDPServer}.
|
||||||
|
*
|
||||||
|
* @param taskId
|
||||||
|
* the task to be delegated
|
||||||
|
* @param userId
|
||||||
|
* the user to be checked
|
||||||
|
*/
|
||||||
|
public boolean delegationCheck(String taskId, String userId) {
|
||||||
|
// check the delegationdepth against maxdelegationdepth
|
||||||
|
|
||||||
|
List<AuthoAttribute> attributes = new Vector<AuthoAttribute>();
|
||||||
|
|
||||||
|
// System.out.println("UserID: " + userId);
|
||||||
|
|
||||||
|
// get the resource
|
||||||
|
Task task = taskService.createTaskQuery().taskId(taskId).singleResult();
|
||||||
|
String resource = task.getTaskDefinitionKey();
|
||||||
|
|
||||||
|
// System.out.println("Resourcename: " + resource);
|
||||||
|
|
||||||
|
// List of all tasks currently assigned to the logged in user in the
|
||||||
|
// current process instance and get their Ids for a match
|
||||||
|
List<Task> t = taskService.createTaskQuery()
|
||||||
|
.processDefinitionId(task.getProcessDefinitionId())
|
||||||
|
.taskAssignee(userId).list();
|
||||||
|
List<HistoricTaskInstance> hti = historyService
|
||||||
|
.createHistoricTaskInstanceQuery()
|
||||||
|
.processDefinitionId(task.getProcessDefinitionId())
|
||||||
|
.taskAssignee(userId).list();
|
||||||
|
for (Iterator<HistoricTaskInstance> iterator = hti.iterator(); iterator
|
||||||
|
.hasNext();) {
|
||||||
|
HistoricTaskInstance historicTaskInstance = (HistoricTaskInstance) iterator
|
||||||
|
.next();
|
||||||
|
if (!currentlyClaimedTasks.contains(historicTaskInstance
|
||||||
|
.getTaskDefinitionKey())) {
|
||||||
|
currentlyClaimedTasks.add(historicTaskInstance
|
||||||
|
.getTaskDefinitionKey());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for (Iterator<Task> iterator = t.iterator(); iterator.hasNext();) {
|
||||||
|
Task task2 = (Task) iterator.next();
|
||||||
|
if (!currentlyClaimedTasks.contains(task2.getTaskDefinitionKey())) {
|
||||||
|
currentlyClaimedTasks.add(task2.getTaskDefinitionKey());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// add the tasks for the evaluation
|
||||||
|
for (Iterator<String> iterator = currentlyClaimedTasks.iterator(); iterator
|
||||||
|
.hasNext();) {
|
||||||
|
String claimedTaskName = (String) iterator.next();
|
||||||
|
|
||||||
|
// System.out.println("ClaimedTaskName: " + claimedTaskName);
|
||||||
|
|
||||||
|
attributes.add(new AuthoAttribute(Constants.RESOURCE_CAT, URI
|
||||||
|
.create("urn:custom:resource:cc-tasks"),
|
||||||
|
TypeIdentifierConstants.STRING_URI, claimedTaskName));
|
||||||
|
}
|
||||||
|
|
||||||
|
// add the role-attributes
|
||||||
|
List<Group> groups = identityService.createGroupQuery()
|
||||||
|
.groupMember(userId).list();
|
||||||
|
|
||||||
|
for (Iterator<Group> iterator = groups.iterator(); iterator.hasNext();) {
|
||||||
|
Group group = (Group) iterator.next();
|
||||||
|
|
||||||
|
// System.out.println("Rolename: " + group.getName().toLowerCase());
|
||||||
|
|
||||||
|
attributes.add(new AuthoAttribute(Constants.SUBJECT_CAT, URI
|
||||||
|
.create("urn:custom:subject:role"),
|
||||||
|
TypeIdentifierConstants.STRING_URI, group.getName()
|
||||||
|
.toLowerCase()));
|
||||||
|
}
|
||||||
|
// add the delegatee-role
|
||||||
|
attributes.add(new AuthoAttribute(Constants.SUBJECT_CAT, URI
|
||||||
|
.create("urn:custom:subject:role"),
|
||||||
|
TypeIdentifierConstants.STRING_URI, "delegatee"));
|
||||||
|
|
||||||
|
// add attribute for each delegation of task, representing the
|
||||||
|
// delegation depth
|
||||||
|
String delegatedTo = "";
|
||||||
|
taskEvents = taskService.getTaskEvents(taskId);
|
||||||
|
for (final org.activiti.engine.task.Event event : taskEvents) {
|
||||||
|
if (!event.getUserId().equals(event.getMessageParts().get(0))
|
||||||
|
&& event.getAction().equals(Event.ACTION_ADD_USER_LINK)) {
|
||||||
|
delegatedTo = event.getMessageParts().get(0);
|
||||||
|
if (delegatedTo != null && delegatedTo != "") {
|
||||||
|
System.err.println("delegatedTo: " + delegatedTo);
|
||||||
|
attributes
|
||||||
|
.add(new AuthoAttribute(
|
||||||
|
Constants.RESOURCE_CAT,
|
||||||
|
URI.create("urn:custom:resource:delegationCounter"),
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
delegatedTo));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO hardcoded action !
|
||||||
|
final String action = "Full Access";
|
||||||
|
|
||||||
|
AuthoResult result;
|
||||||
|
try {
|
||||||
|
// the evaluation call
|
||||||
|
result = pdpServer.evaluate(new IdInfo(userId), resource, action,
|
||||||
|
attributes);
|
||||||
|
|
||||||
|
System.out.println("RESPONSE: " + result.toString());
|
||||||
|
System.out.println(result.getDecision().getMessage());
|
||||||
|
|
||||||
|
if (result.getDecision().getMessage().equals("Permit")) {
|
||||||
|
/*
|
||||||
|
* for (Iterator<AuthoAttribute> iterator =
|
||||||
|
* attributes.iterator(); iterator .hasNext();) { AuthoAttribute
|
||||||
|
* authoAttribute = (AuthoAttribute) iterator .next();
|
||||||
|
*
|
||||||
|
* System.out.println("Request was: " + userId + " : " +
|
||||||
|
* resource + " : " + action + " : " +
|
||||||
|
* authoAttribute.getValue()); }
|
||||||
|
*/
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (result.getDecision().getMessage().equals("Deny")) {
|
||||||
|
/*
|
||||||
|
* for (Iterator<AuthoAttribute> iterator =
|
||||||
|
* attributes.iterator(); iterator .hasNext();) { AuthoAttribute
|
||||||
|
* authoAttribute = (AuthoAttribute) iterator .next();
|
||||||
|
*
|
||||||
|
* System.out.println("Request was: " + userId + " : " +
|
||||||
|
* resource + " : " + action + " : " +
|
||||||
|
* authoAttribute.getValue()); }
|
||||||
|
*/
|
||||||
|
}
|
||||||
|
} catch (SecurityError e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Inline PEP. <br>
|
||||||
|
* Handles the Delegation-Type-Checks.<br>
|
||||||
|
* Creates a request with additional {@link AuthoAttribute}s which is then
|
||||||
|
* evaluated by the {@link PDPServer}.
|
||||||
|
*
|
||||||
|
* @param taskId
|
||||||
|
* the task to be checked
|
||||||
|
* @param userId
|
||||||
|
* the user to be checked
|
||||||
|
* @return a String representing the Type of allowed <code>Delegation</code>
|
||||||
|
*/
|
||||||
|
public String delegationTypeCheck(String taskId, String userId) {
|
||||||
|
|
||||||
|
List<AuthoAttribute> attributesForTransferTypeCheck = new Vector<AuthoAttribute>();
|
||||||
|
|
||||||
|
// get the resource
|
||||||
|
Task task = taskService.createTaskQuery().taskId(taskId).singleResult();
|
||||||
|
String resource = task.getTaskDefinitionKey();
|
||||||
|
|
||||||
|
// add the delegatee-role
|
||||||
|
attributesForTransferTypeCheck.add(new AuthoAttribute(
|
||||||
|
Constants.SUBJECT_CAT, URI.create("urn:custom:subject:role"),
|
||||||
|
TypeIdentifierConstants.STRING_URI, "delegatee"));
|
||||||
|
|
||||||
|
// add attribute for each delegation of task to represent the delegation
|
||||||
|
// depth
|
||||||
|
String delegatedTo = "";
|
||||||
|
taskEvents = taskService.getTaskEvents(taskId);
|
||||||
|
for (final org.activiti.engine.task.Event event : taskEvents) {
|
||||||
|
if (!event.getUserId().equals(event.getMessageParts().get(0))
|
||||||
|
&& event.getAction().equals(Event.ACTION_ADD_USER_LINK)) {
|
||||||
|
delegatedTo = event.getMessageParts().get(0);
|
||||||
|
if (delegatedTo != null && delegatedTo != "") {
|
||||||
|
System.err.println("delegatedTo: " + delegatedTo);
|
||||||
|
attributesForTransferTypeCheck
|
||||||
|
.add(new AuthoAttribute(
|
||||||
|
Constants.RESOURCE_CAT,
|
||||||
|
URI.create("urn:custom:resource:delegationCounter"),
|
||||||
|
TypeIdentifierConstants.STRING_URI,
|
||||||
|
delegatedTo));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO hardcoded action !
|
||||||
|
final String action = "Full Access";
|
||||||
|
|
||||||
|
AuthoResult resultTransferCheck;
|
||||||
|
AuthoResult resultSimpleCheck;
|
||||||
|
try {
|
||||||
|
// check for transfer-type
|
||||||
|
resultTransferCheck = pdpServer.evaluate(new IdInfo(userId),
|
||||||
|
resource, action, attributesForTransferTypeCheck);
|
||||||
|
|
||||||
|
System.out.println("RESPONSE: " + resultTransferCheck.toString());
|
||||||
|
System.out.println(resultTransferCheck.getDecision().getMessage());
|
||||||
|
|
||||||
|
if (resultTransferCheck.getDecision().getMessage().equals("Permit")) {
|
||||||
|
/*
|
||||||
|
* for (Iterator<AuthoAttribute> iterator =
|
||||||
|
* attributesForTransferTypeCheck.iterator(); iterator
|
||||||
|
* .hasNext();) { AuthoAttribute authoAttribute =
|
||||||
|
* (AuthoAttribute) iterator .next();
|
||||||
|
*
|
||||||
|
* System.out.println("Request was: " + userId + " : " +
|
||||||
|
* resource + " : " + action + " : " +
|
||||||
|
* authoAttribute.getValue()); }
|
||||||
|
*/
|
||||||
|
return "Transfer Delegation";
|
||||||
|
}
|
||||||
|
// check for simple-type
|
||||||
|
final String checkAction = "isSimpleDelegatable";
|
||||||
|
resultSimpleCheck = pdpServer.evaluate(new IdInfo(userId),
|
||||||
|
resource, checkAction, null);
|
||||||
|
|
||||||
|
if (resultSimpleCheck.getDecision().getMessage().equals("Permit")) {
|
||||||
|
return "Simple Delegation";
|
||||||
|
}
|
||||||
|
// check for negotiability
|
||||||
|
if (negotiableCheck(taskId, userId)) {
|
||||||
|
return "Return Delegation?";
|
||||||
|
}
|
||||||
|
|
||||||
|
} catch (SecurityError e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
// if all checks fail
|
||||||
|
return "No Delegation";
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Inline PEP. <br>
|
||||||
|
* Handles the Negotiable-Checks.<br>
|
||||||
|
* Creates a request which is then evaluated by the {@link PDPServer}.
|
||||||
|
*
|
||||||
|
* @param taskId
|
||||||
|
* the task to be checked
|
||||||
|
* @param userId
|
||||||
|
* the user to be checked
|
||||||
|
*/
|
||||||
|
public boolean negotiableCheck(String taskId, String userId) {
|
||||||
|
|
||||||
|
// on a returned delegation user is null but needs to be evaluated
|
||||||
|
if (userId == null) {
|
||||||
|
userId = "";
|
||||||
|
}
|
||||||
|
|
||||||
|
// get the resource
|
||||||
|
Task task = taskService.createTaskQuery().taskId(taskId).singleResult();
|
||||||
|
String resource = task.getTaskDefinitionKey();
|
||||||
|
|
||||||
|
final String action = "isNegotiable";
|
||||||
|
AuthoResult resultNegotiableCheck;
|
||||||
|
try {
|
||||||
|
// the evaluation call
|
||||||
|
resultNegotiableCheck = pdpServer.evaluate(new IdInfo(userId),
|
||||||
|
resource, action, null);
|
||||||
|
if (resultNegotiableCheck.getDecision().getMessage()
|
||||||
|
.equals("Permit")) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (resultNegotiableCheck.getDecision().getMessage().equals("Deny")) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
} catch (SecurityError e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void updatePolicyConfig() {
|
||||||
|
|
||||||
|
ArrayList<Deployment> deployments = new ArrayList<Deployment>();
|
||||||
|
ArrayList<String> deployedProcessNames = new ArrayList<String>();
|
||||||
|
ArrayList<String> stringsToWrite = new ArrayList<String>();
|
||||||
|
ArrayList<String> listToWrite = new ArrayList<String>();
|
||||||
|
|
||||||
|
deployments.addAll(repositoryService.createDeploymentQuery()
|
||||||
|
.orderByDeploymenTime().desc().list());
|
||||||
|
|
||||||
|
if (!deployments.isEmpty()) {
|
||||||
|
for (Iterator<Deployment> iterator = deployments.iterator(); iterator
|
||||||
|
.hasNext();) {
|
||||||
|
|
||||||
|
Deployment deployment = (Deployment) iterator.next();
|
||||||
|
String temp = deployment.getName();
|
||||||
|
String[] split = temp.split("\\.");
|
||||||
|
String policyName = "<string>file:" + split[0]
|
||||||
|
+ ".xacml</string>";
|
||||||
|
|
||||||
|
if (!deployedProcessNames.contains(policyName)) {
|
||||||
|
deployedProcessNames.add(policyName);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
BufferedReader reader = null;
|
||||||
|
BufferedWriter writer = null;
|
||||||
|
|
||||||
|
try {
|
||||||
|
reader = new BufferedReader(new FileReader(configURL.getFile()));
|
||||||
|
String tmp;
|
||||||
|
|
||||||
|
while ((tmp = reader.readLine()) != null) {
|
||||||
|
listToWrite.add(tmp);
|
||||||
|
}
|
||||||
|
for (Iterator<String> iterator = deployedProcessNames
|
||||||
|
.iterator(); iterator.hasNext();) {
|
||||||
|
String string = (String) iterator.next();
|
||||||
|
if (!listToWrite.contains(string)) {
|
||||||
|
stringsToWrite.add(string);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
reader.close();
|
||||||
|
|
||||||
|
reader = new BufferedReader(new FileReader(configURL.getFile()));
|
||||||
|
|
||||||
|
listToWrite.clear();
|
||||||
|
|
||||||
|
while ((tmp = reader.readLine()) != null) {
|
||||||
|
listToWrite.add(tmp);
|
||||||
|
if (tmp.contains("<list>")) {
|
||||||
|
listToWrite.addAll(stringsToWrite);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
reader.close();
|
||||||
|
|
||||||
|
writer = new BufferedWriter(new FileWriter(configURL.getFile()));
|
||||||
|
for (int i = 0; i < listToWrite.size(); i++)
|
||||||
|
writer.write(listToWrite.get(i) + "\r\n");
|
||||||
|
} catch (Exception e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
} finally {
|
||||||
|
try {
|
||||||
|
reader.close();
|
||||||
|
writer.close();
|
||||||
|
} catch (IOException e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1 @@
|
||||||
|
eu.aniketos.securebpmn.xacml.pdp.request.util.RequestUtil
|
|
@ -0,0 +1,64 @@
|
||||||
|
/* Copyright 2012-2015 SAP SE
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package eu.aniketos.securebpmn.xacml.pdp.activiti;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileInputStream;
|
||||||
|
import java.io.FileNotFoundException;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
import eu.aniketos.securebpmn.xacml.pdp.PDPServer;
|
||||||
|
|
||||||
|
import com.sun.xacml.ConfigurationStore;
|
||||||
|
import com.sun.xacml.PDPConfig;
|
||||||
|
|
||||||
|
public class Integration__PDPRequest {
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void test() throws Exception {
|
||||||
|
ConfigurationStore config = new ConfigurationStore(new File("src/test/java/eu.aniketos.securebpmn.xacml/pdp/activiti/policy-config.xml"));
|
||||||
|
PDPConfig conf = config.getPDPConfig("pdp");
|
||||||
|
PDPServer pdp = new PDPServer(conf);
|
||||||
|
File requestFile = new File("src/test/java/eu.aniketos.securebpmn.xacml/pdp/activiti/request.xml");
|
||||||
|
String request = readRequestFromFile(requestFile);
|
||||||
|
String result = pdp.evaluateXACML(request);
|
||||||
|
System.out.println(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
private String readRequestFromFile(File requestFile)
|
||||||
|
throws FileNotFoundException, IOException {
|
||||||
|
final InputStream in = new FileInputStream(requestFile);
|
||||||
|
String request = null;
|
||||||
|
try {
|
||||||
|
StringBuilder builder = new StringBuilder();
|
||||||
|
final byte[] buffer = new byte[4096];
|
||||||
|
int len = -1;
|
||||||
|
while ((len = in.read(buffer)) != -1) {
|
||||||
|
byte[] buffer_ = new byte[len];
|
||||||
|
System.arraycopy(buffer, 0, buffer_, 0, len);
|
||||||
|
builder.append(new String(buffer_));
|
||||||
|
}
|
||||||
|
request = builder.toString();
|
||||||
|
} finally {
|
||||||
|
in.close();
|
||||||
|
}
|
||||||
|
return request;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,86 @@
|
||||||
|
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:schema:os" PolicySetId="testPolicySet" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
|
||||||
|
<Target>
|
||||||
|
<AnyOf>
|
||||||
|
<AllOf>
|
||||||
|
</AllOf>
|
||||||
|
</AnyOf>
|
||||||
|
</Target>
|
||||||
|
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:schema:os" PolicyId="policy_for_usertask1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
|
||||||
|
>
|
||||||
|
<Target>
|
||||||
|
<AnyOf>
|
||||||
|
<AllOf>
|
||||||
|
</AllOf>
|
||||||
|
</AnyOf>
|
||||||
|
</Target>
|
||||||
|
<Rule RuleId="rule_for_usertask1" Effect="Permit">
|
||||||
|
<Description>Action One</Description>
|
||||||
|
<Target>
|
||||||
|
<AnyOf>
|
||||||
|
<AllOf>
|
||||||
|
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Full Access</AttributeValue>
|
||||||
|
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||||
|
</Match>
|
||||||
|
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">usertask1</AttributeValue>
|
||||||
|
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
|
||||||
|
</Match>
|
||||||
|
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">accountancy</AttributeValue>
|
||||||
|
<AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:custom:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||||
|
</Match>
|
||||||
|
</AllOf>
|
||||||
|
</AnyOf>
|
||||||
|
</Target>
|
||||||
|
</Rule>
|
||||||
|
</Policy>
|
||||||
|
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:schema:os" PolicyId="policy_for_usertask2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
|
||||||
|
>
|
||||||
|
<Target>
|
||||||
|
<AnyOf>
|
||||||
|
<AllOf>
|
||||||
|
</AllOf>
|
||||||
|
</AnyOf>
|
||||||
|
</Target>
|
||||||
|
<Rule RuleId="rule_for_usertask2" Effect="Permit">
|
||||||
|
<Description>Action Two</Description>
|
||||||
|
<Target>
|
||||||
|
<AnyOf>
|
||||||
|
<AllOf>
|
||||||
|
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Full Access</AttributeValue>
|
||||||
|
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||||
|
</Match>
|
||||||
|
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">usertask2</AttributeValue>
|
||||||
|
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
|
||||||
|
</Match>
|
||||||
|
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">accountancy</AttributeValue>
|
||||||
|
<AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:custom:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
|
||||||
|
</Match>
|
||||||
|
</AllOf>
|
||||||
|
</AnyOf>
|
||||||
|
</Target>
|
||||||
|
</Rule>
|
||||||
|
</Policy>
|
||||||
|
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:schema:os" PolicyId="denyPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
|
||||||
|
>
|
||||||
|
<Target>
|
||||||
|
<AnyOf>
|
||||||
|
<AllOf>
|
||||||
|
</AllOf>
|
||||||
|
</AnyOf>
|
||||||
|
</Target>
|
||||||
|
<Rule RuleId="denyRule" Effect="Deny">
|
||||||
|
<Description>deny if no other Rule applies</Description>
|
||||||
|
<Target>
|
||||||
|
<AnyOf>
|
||||||
|
<AllOf>
|
||||||
|
</AllOf>
|
||||||
|
</AnyOf>
|
||||||
|
</Target>
|
||||||
|
</Rule>
|
||||||
|
</Policy>
|
||||||
|
</PolicySet>
|
|
@ -0,0 +1,21 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<config xmlns="http://sunxacml.sourceforge.net/schema/config-0.3"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
defaultPDP="pdp" defaultAttributeFactory="attr"
|
||||||
|
defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
|
||||||
|
<pdp name="pdp">
|
||||||
|
<attributeFinderModule class="com.sun.xacml.finder.impl.SelectorModule"/>
|
||||||
|
<attributeFinderModule class="com.sun.xacml.finder.impl.CurrentEnvModule"/>
|
||||||
|
<policyFinderModule class="com.sun.xacml.support.finder.FilePolicyModule">
|
||||||
|
<list>
|
||||||
|
<string>file:TravelApproval.xacml</string>
|
||||||
|
<string>conf:useLines:true</string>
|
||||||
|
</list>
|
||||||
|
</policyFinderModule>
|
||||||
|
</pdp>
|
||||||
|
<attributeFactory name="attr" useStandardDatatypes="true">
|
||||||
|
<datatype identifier="urn:type:evaluationId" class="eu.aniketos.securebpmn.xacml.xacml.attr.proxy.EvaluationIdAttributeProxy"/>
|
||||||
|
</attributeFactory>
|
||||||
|
<combiningAlgFactory name="comb" useStandardAlgorithms="true"/>
|
||||||
|
<functionFactory name="func" useStandardFunctions="true"/>
|
||||||
|
</config>
|
|
@ -0,0 +1,20 @@
|
||||||
|
<Request xmlns="urn:oasis:names:tc:xacml:3.0:schema:os">
|
||||||
|
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
|
||||||
|
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">kermit</AttributeValue>
|
||||||
|
</Attribute>
|
||||||
|
<Attribute AttributeId="urn:custom:subject:role">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">accountancy</AttributeValue>
|
||||||
|
</Attribute>
|
||||||
|
</Attributes>
|
||||||
|
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
|
||||||
|
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Full Access</AttributeValue>
|
||||||
|
</Attribute>
|
||||||
|
</Attributes>
|
||||||
|
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
|
||||||
|
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
|
||||||
|
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">usertask1</AttributeValue>
|
||||||
|
</Attribute>
|
||||||
|
</Attributes>
|
||||||
|
</Request>
|
Reference in New Issue