
📄 basicaccessrulesetencoder.java

📁 一套JAVA的CA证书签发系统.
/*************************************************************************
 *                                                                       *
 *  EJBCA: The OpenSource Certificate Authority                          *
 *                                                                       *
 *  This software is free software; you can redistribute it and/or       *
 *  modify it under the terms of the GNU Lesser General Public           *
 *  License as published by the Free Software Foundation; either         *
 *  version 2.1 of the License, or any later version.                    *
 *                                                                       *
 *  See terms of license at gnu.org.                                     *
 *                                                                       *
 *************************************************************************/

package se.anatom.ejbca.authorization;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;

/**
 * Helper used for displaying and configuring basic access rules.
 *
 * <p>The constructor tries to recognise an administrator group's full
 * ("advanced") rule list as one of the predefined basic roles. When the rule
 * list fits none of the role templates, the force-advanced flag is raised and
 * the current role is left at {@code BasicAccessRuleSet.ROLE_NONE}; callers
 * should therefore consult {@link #getForceAdvanced()} before treating
 * {@link #getCurrentRole()} as meaningful, otherwise a group holding custom
 * rules would be presented as having no role.
 *
 * <p>All collection getters hand out the encoder's own collection instances
 * rather than copies, so changes made by a caller are visible in this object.
 *
 * @author  herrvendil
 * @version $Id: BasicAccessRuleSetEncoder.java,v 1.5 2004/04/16 07:38:57 anatom Exp $
 */
public class BasicAccessRuleSetEncoder implements java.io.Serializable {

    // True when the current rules cannot be expressed as a basic role.
    private boolean forceadvanced = false;

    // Basic role recognised from the current rules; stays ROLE_NONE until a template matches.
    private int currentrole = BasicAccessRuleSet.ROLE_NONE;
    private Collection availableroles = new ArrayList();
    private HashSet currentcas = new HashSet();
    private HashSet availablecas = new HashSet();
    private HashSet currentendentityrules = new HashSet();
    private ArrayList availableendentityrules = new ArrayList();
    private HashSet currentendentityprofiles = new HashSet();
    private HashSet availableendentityprofiles = new HashSet();
    private HashSet currentotherrules = new HashSet();
    private ArrayList availableotherrules = new ArrayList();

    /**
     * Tries to encode an advanced rule set into basic ones.
     * Sets the forceadvanced flag if encoding isn't possible.
     *
     * @param currentaccessrules   the group's rules; every element is cast to AccessRule
     * @param availableaccessrules the rules that may be configured; presumably rule
     *                             names as Strings, since they are merged with the names
     *                             of the current rules (confirm against the caller)
     * @param usehardtokens        passed through to initAvailableRules
     * @param usekeyrecovery       passed through to initAvailableRules
     */
    public BasicAccessRuleSetEncoder(Collection currentaccessrules, Collection availableaccessrules, boolean usehardtokens, boolean usekeyrecovery) {
        // Rules the group already holds are treated as available too, so the
        // merged set is the union of both inputs.
        HashSet knownrules = new HashSet(availableaccessrules);
        for (Iterator it = currentaccessrules.iterator(); it.hasNext();) {
            AccessRule held = (AccessRule) it.next();
            knownrules.add(held.getAccessRule());
        }

        initAvailableRoles(knownrules);
        initAvailableRules(usehardtokens, usekeyrecovery, knownrules);

        initCurrentRole(currentaccessrules);
        initCurrentRules(currentaccessrules);
    }

    /**
     * Tells whether basic configuration of the access rules is impossible.
     *
     * @return true if the rules could not be mapped to a basic role
     */
    public boolean getForceAdvanced() {
        return forceadvanced;
    }

    /**
     * Returns the current role of the administrator group.
     *
     * @return one of the BasicAccessRuleSet.ROLE_ constants; ROLE_NONE is also
     *         the value when {@link #getForceAdvanced()} is true
     */
    public int getCurrentRole() {
        return currentrole;
    }

    /**
     * Returns the basic roles the administrator is authorized to configure.
     *
     * @return a Collection of BasicAccessRuleSet.ROLE_ constants (Integer)
     */
    public Collection getAvailableRoles() {
        return availableroles;
    }

    /**
     * @return the CA ids the administrator group is authorized to, or
     *         BasicAccessRuleSet.CA_ALL for all CAs
     */
    public HashSet getCurrentCAs() {
        return currentcas;
    }

    /**
     * @return the available CA ids, or BasicAccessRuleSet.CA_ALL for all CAs
     */
    public Collection getAvailableCAs() {
        return availablecas;
    }

    /**
     * @return the end entity rules the administrator group is authorized to,
     *         as BasicAccessRuleSet.ENDENTITY_ constants (Integer)
     */
    public HashSet getCurrentEndEntityRules() {
        return currentendentityrules;
    }

    /**
     * @return the available end entity rules, as BasicAccessRuleSet.ENDENTITY_
     *         constants (Integer)
     */
    public Collection getAvailableEndEntityRules() {
        return availableendentityrules;
    }

    /**
     * @return the authorized end entity profile ids, or
     *         BasicAccessRuleSet.ENDENTITYPROFILE_ALL for all
     */
    public HashSet getCurrentEndEntityProfiles() {
        return currentendentityprofiles;
    }

    /**
     * @return the available end entity profile ids, or
     *         BasicAccessRuleSet.ENDENTITYPROFILE_ALL for all end entity profiles
     */
    public Collection getAvailableEndEntityProfiles() {
        return availableendentityprofiles;
    }

    /**
     * @return the authorized other rules (Integer)
     */
    public HashSet getCurrentOtherRules() {
        return currentotherrules;
    }

    /**
     * @return the available other rules (Integer)
     */
    public Collection getAvailableOtherRules() {
        return availableotherrules;
    }

    /**
     * Fills the list of roles that can be offered in the basic view.
     *
     * @param availableruleset rule names available to the configuring administrator
     */
    private void initAvailableRoles(HashSet availableruleset) {
        final int[] alwaysoffered = {
            BasicAccessRuleSet.ROLE_NONE,
            BasicAccessRuleSet.ROLE_CAADMINISTRATOR,
            BasicAccessRuleSet.ROLE_RAADMINISTRATOR,
            BasicAccessRuleSet.ROLE_SUPERVISOR
        };
        for (int i = 0; i < alwaysoffered.length; i++) {
            availableroles.add(new Integer(alwaysoffered[i]));
        }

        // The super administrator role is offered only when the matching rule
        // is itself among the available rules.
        if (availableruleset.contains(AvailableAccessRules.ROLE_SUPERADMINISTRATOR)) {
            availableroles.add(new Integer(BasicAccessRuleSet.ROLE_SUPERADMINISTRATOR));
        }
    }

    /**
     * Works out which basic role, if any, the given rules correspond to.
     * The templates are tried from most to least privileged; the first match wins.
     *
     * @param currentaccessrules the group's AccessRule objects
     */
    private void initCurrentRole(Collection currentaccessrules) {
        if (currentaccessrules.size() <= 0) {
            // No rules at all is the one case that really means "no role".
            this.currentrole = BasicAccessRuleSet.ROLE_NONE;
            return;
        }

        if (isSuperAdministrator(currentaccessrules)) {
            this.currentrole = BasicAccessRuleSet.ROLE_SUPERADMINISTRATOR;
            return;
        }
        if (isCAAdministrator(currentaccessrules)) {
            this.currentrole = BasicAccessRuleSet.ROLE_CAADMINISTRATOR;
            return;
        }
        if (isRAAdministrator(currentaccessrules)) {
            this.currentrole = BasicAccessRuleSet.ROLE_RAADMINISTRATOR;
            return;
        }
        if (isSupervisor(currentaccessrules)) {
            this.currentrole = BasicAccessRuleSet.ROLE_SUPERVISOR;
            return;
        }

        // Rules exist but fit no template: currentrole is deliberately left
        // untouched and only the flag records that the advanced view is needed.
        this.forceadvanced = true;
    }

    /**
     * Matches the super administrator template: exactly one rule, which accepts
     * ROLE_SUPERADMINISTRATOR non-recursively. Any additional rule defeats the match.
     */
    private boolean isSuperAdministrator(Collection currentaccessrules) {
        if (currentaccessrules.size() != 1) {
            return false;
        }

        AccessRule only = (AccessRule) currentaccessrules.iterator().next();
        return only.getAccessRule().equals(AvailableAccessRules.ROLE_SUPERADMINISTRATOR)
            && only.getRule() == AccessRule.RULE_ACCEPT
            && !only.isRecursive();
    }

    /**
     * Matches the CA administrator template: every required rule must be present
     * exactly as specified (accept, with the stated recursiveness), and every
     * other rule must be one that isAllowedCAAdministratorRule tolerates.
     */
    private boolean isCAAdministrator(Collection currentaccessrules) {
        // Cheap pre-filter. NOTE(review): eight required rules are listed below,
        // so if those constants are all distinct a set of seven can never match;
        // the threshold looks looser than needed but does not change the result.
        if (currentaccessrules.size() < 7) {
            return false;
        }

        // Required rules that must be accepted recursively.
        HashSet missingrecursive = new HashSet();
        missingrecursive.add(AvailableAccessRules.REGULAR_CAFUNCTIONALTY);
        missingrecursive.add(AvailableAccessRules.REGULAR_LOGFUNCTIONALITY);
        missingrecursive.add(AvailableAccessRules.REGULAR_RAFUNCTIONALITY);
        missingrecursive.add(AvailableAccessRules.REGULAR_SYSTEMFUNCTIONALITY);
        missingrecursive.add(AvailableAccessRules.ENDENTITYPROFILEBASE);

        // Required rules that must be accepted non-recursively.
        HashSet missingnonrecursive = new HashSet();
        missingnonrecursive.add(AvailableAccessRules.ROLE_ADMINISTRATOR);
        missingnonrecursive.add(AvailableAccessRules.HARDTOKEN_EDITHARDTOKENISSUERS);
        missingnonrecursive.add(AvailableAccessRules.HARDTOKEN_EDITHARDTOKENPROFILES);

        for (Iterator it = currentaccessrules.iterator(); it.hasNext();) {
            AccessRule candidate = (AccessRule) it.next();
            if (isAllowedCAAdministratorRule(candidate)) {
                continue;
            }

            // Anything that is not an accept rule falls outside the template.
            if (candidate.getRule() != AccessRule.RULE_ACCEPT) {
                return false;
            }

            // The rule has to tick off a still-missing requirement of matching
            // recursiveness; an unknown or repeated rule is rejected.
            HashSet pending = candidate.isRecursive() ? missingrecursive : missingnonrecursive;
            if (!pending.remove(candidate.getAccessRule())) {
                return false;
            }
        }

        return missingrecursive.size() == 0 && missingnonrecursive.size() == 0;
    }

    /**
     * Tells whether a rule is an optional part of the CA administrator template:
     * an accept rule on CABASE (recursive), on a resource starting with CAPREFIX
     * (non-recursive), or on a resource starting with HARDTOKEN_ISSUEHARDTOKENS
     * (either recursiveness).
     */
    private boolean isAllowedCAAdministratorRule(AccessRule ar) {
        final String resource = ar.getAccessRule();
        final boolean accepted = ar.getRule() == AccessRule.RULE_ACCEPT;

        final boolean allcas = resource.equals(AvailableAccessRules.CABASE)
            && accepted && ar.isRecursive();
        final boolean singleca = resource.startsWith(AvailableAccessRules.CAPREFIX)
            && accepted && !ar.isRecursive();
        final boolean issuehardtokens = resource.startsWith(AvailableAccessRules.HARDTOKEN_ISSUEHARDTOKENS)
            && accepted;

        return allcas || singleca || issuehardtokens;
    }

    /**
     * Matches the RA administrator template: the four required rules must each be
     * accepted non-recursively, and every other rule must be one that
     * isAllowedRAAdministratorRule tolerates.
     */
    private boolean isRAAdministrator(Collection currentaccessrules) {
        if (currentaccessrules.size() < 4) {
            return false;
        }

        HashSet missingrules = new HashSet();
        missingrules.add(AvailableAccessRules.ROLE_ADMINISTRATOR);
        missingrules.add(AvailableAccessRules.REGULAR_CREATECERTIFICATE);
        missingrules.add(AvailableAccessRules.REGULAR_STORECERTIFICATE);
        missingrules.add(AvailableAccessRules.REGULAR_VIEWCERTIFICATE);

        for (Iterator it = currentaccessrules.iterator(); it.hasNext();) {
            AccessRule candidate = (AccessRule) it.next();
            if (isAllowedRAAdministratorRule(candidate)) {
                continue;
            }

            // Outside the optional set, only a non-recursive accept of a
            // still-missing required rule is tolerated.
            boolean ticksrequirement = candidate.getRule() == AccessRule.RULE_ACCEPT
                && !candidate.isRecursive()
                && missingrules.remove(candidate.getAccessRule());
            if (!ticksrequirement) {
                return false;
            }
        }

        return missingrules.size() == 0;
    }

    private boolean isAllowedRAAdministratorRule(AccessRule ar){
