endentityprofileauthorizationproxy.java

一套JAVA的CA证书签发系统.

/*************************************************************************
 *                                                                       *
 *  EJBCA: The OpenSource Certificate Authority                          *
 *                                                                       *
 *  This software is free software; you can redistribute it and/or       *
 *  modify it under the terms of the GNU Lesser General Public           *
 *  License as published by the Free Software Foundation; either         *
 *  version 2.1 of the License, or any later version.                    *
 *                                                                       *
 *  See terms of license at gnu.org.                                     *
 *                                                                       *
 *************************************************************************/
 
package se.anatom.ejbca.authorization;

import java.util.HashMap;
import java.io.Serializable;
import java.rmi.RemoteException;

import se.anatom.ejbca.log.Admin;
import javax.ejb.*;
import javax.naming.*;

import se.anatom.ejbca.log.ILogSessionRemote;
import se.anatom.ejbca.log.ILogSessionHome;
import se.anatom.ejbca.log.LogEntry;

/**
 * A class used to improve performance by proxying a users end entity profile authorization minimizing the need of traversing
 * trough the authorization tree and rmi lookups. It's use should only be within short time to avoid desyncronisation.
 *
 * @author  TomSelleck
 */
public class EndEntityProfileAuthorizationProxy implements Serializable {

    // Public Constants.
    /* Constants specifying the kind user access rights to look for, */
    public static final String VIEW_RIGHTS           = AvailableAccessRules.VIEW_RIGHTS;
    public static final String EDIT_RIGHTS           = AvailableAccessRules.EDIT_RIGHTS;
    public static final String CREATE_RIGHTS         = AvailableAccessRules.CREATE_RIGHTS;
    public static final String DELETE_RIGHTS         = AvailableAccessRules.DELETE_RIGHTS;
    public static final String REVOKE_RIGHTS         = AvailableAccessRules.REVOKE_RIGHTS;
    public static final String HISTORY_RIGHTS        = AvailableAccessRules.HISTORY_RIGHTS;
    public static final String HARDTOKEN_VIEW_RIGHTS = AvailableAccessRules.HARDTOKEN_RIGHTS;
    public static final String KEYRECOVERY_RIGHTS    = AvailableAccessRules.KEYRECOVERY_RIGHTS;    
    
    /** Creates a new instance of ProfileAuthorizationProxy. */
    public EndEntityProfileAuthorizationProxy(IAuthorizationSessionRemote authorizationsession) {
              // Get the RaAdminSession instance.
       profileauthstore = new HashMap();
       this.local=false;
       this.authorizationsessionremote = authorizationsession;
    }

    public EndEntityProfileAuthorizationProxy(IAuthorizationSessionLocal authorizationsession) {
              // Get the RaAdminSession instance.
       profileauthstore = new HashMap();
       this.local=true;
       this.authorizationsessionlocal = authorizationsession;
    }


    /**
     * Method that first tries to authorize a users profile right in local hashmap and if it doesn't exists looks it up over RMI.
     *
     * @param profileid the profile to look up.
     * @param rights which profile rights to look for.
     * @return the profilename or null if no profilename is relatied to the given id
     */
    public boolean getEndEntityProfileAuthorization(Admin admin, int profileid, String rights, int module) throws RemoteException {
      return isAuthorized(admin,profileid,rights,true,module);
    }

    /**
     * Method that first tries to authorize a users profile right in local hashmap and if it doesn't exists looks it up over RMI, without
     * performing any logging.
     *
     *
     * @param profileid the profile to look up.
     * @param rights which profile rights to look for.
     * @return the profilename or null if no profilename is relatied to the given id
     */
    public boolean getEndEntityProfileAuthorizationNoLog(Admin admin, int profileid, String rights) throws RemoteException {
      return isAuthorized(admin,profileid,rights,false, 0);
    }

    // Private Methods
    public boolean isAuthorized(Admin admin, int profileid, String rights, boolean log, int module) throws RemoteException {
      Boolean returnval = null;
      String resource= null;
      String adm = null;
      
      
      if(admin.getAdminInformation().isSpecialUser()){
        adm = Integer.toString(admin.getAdminInformation().getSpecialUser());
        // TODO Fix
        return true;
      }
      else
        adm = new String(admin.getAdminInformation().getX509Certificate().getSignature());
      resource = adm + AvailableAccessRules.ENDENTITYPROFILEPREFIX+Integer.toString(profileid)+rights;
        // Check if name is in hashmap
      returnval = (Boolean) profileauthstore.get(resource);

      if(returnval != null && log){
        if(returnval.booleanValue()){
            getLogSessionBean().log(admin, admin.getCAId(), module, new java.util.Date(),null, null, LogEntry.EVENT_INFO_AUTHORIZEDTORESOURCE,
                                    "Resource : " + AvailableAccessRules.ENDENTITYPROFILEPREFIX+Integer.toString(profileid)+rights);
        }else{
            getLogSessionBean().log(admin, admin.getCAId(), module, new java.util.Date(),null, null, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,
                                    "Resource : " + AvailableAccessRules.ENDENTITYPROFILEPREFIX+Integer.toString(profileid)+rights);
        }
      }

      if(returnval==null){
        // Retreive profilename over RMI
        try{
          if(local){
            if(log)
              authorizationsessionlocal.isAuthorized(admin, AvailableAccessRules.ENDENTITYPROFILEPREFIX+Integer.toString(profileid)+rights);
            else
              authorizationsessionlocal.isAuthorizedNoLog(admin, AvailableAccessRules.ENDENTITYPROFILEPREFIX+Integer.toString(profileid)+rights);
          }else{
            if(log)
              authorizationsessionremote.isAuthorized(admin, AvailableAccessRules.ENDENTITYPROFILEPREFIX+Integer.toString(profileid)+rights);
            else
              authorizationsessionremote.isAuthorizedNoLog(admin, AvailableAccessRules.ENDENTITYPROFILEPREFIX+Integer.toString(profileid)+rights);
          }
          returnval = Boolean.TRUE;
        }catch(AuthorizationDeniedException e){
          returnval = Boolean.FALSE;
        }
        profileauthstore.put(resource,returnval);
      }

      return returnval.booleanValue();
    }

    private ILogSessionRemote getLogSessionBean() throws RemoteException {
      if(logsession == null){
        try{
          jndicontext = new InitialContext();
          ILogSessionHome logsessionhome = (ILogSessionHome) javax.rmi.PortableRemoteObject.narrow(jndicontext.lookup("LogSession"),ILogSessionHome.class);
          logsession = logsessionhome.create();
        }catch(Exception e){
           throw new EJBException(e.getMessage());
        }
      }
      return logsession;
    }

    // Private fields.
    private boolean                     local = false;
    private InitialContext              jndicontext;
    private HashMap                     profileauthstore;
    private IAuthorizationSessionRemote authorizationsessionremote;
    private IAuthorizationSessionLocal  authorizationsessionlocal;
    private ILogSessionRemote           logsession;

}