📄 xmlpolicyparser.java
//System.out.println("\t\t*** BUILDING ROLE ASSIGNMENT POLICY ***"); //********
for (int i=children.size(); i-->0; ){
PolicyXMLNode c = (PolicyXMLNode)children.get(i);
String s = c.getName().intern();
if (s!=XMLTags.ROLE_ASSIGNMENT_NODE){
throw new PolicyParsingException("Only "+XMLTags.ROLE_ASSIGNMENT_NODE+" nodes are allowed under this node");
}
java.util.Vector v = c.getChildren();
//System.out.println("\t"+i+": "+c.getName()+" children:"+v.size()); //********
String subjId = (String)expect(v, SUBJECT_DOMAIN_NODE_SEQUENCE, XMLTags.SUBJECT_DOMAIN_NODE).getAttributes().get(XMLTags.ID_ATTRIBUTE);
//System.out.print("subjId: "+subjId); //********
RoleListNode roleList = (RoleListNode)expect(v, ROLE_LIST_NODE_SEQUENCE, XMLTags.ROLE_LIST_NODE);
String delegationDepth = (String)expect(v, DELEGATE_NODE_SEQUENCE, XMLTags.DELEGATE_NODE).getAttributes().get(XMLTags.DEPTH_ATTRIBUTE);
//System.out.print(" delegationDepth: "+delegationDepth); //********
int delegation;
try{
delegation=delegationDepth==null? -1 : Integer.parseInt(delegationDepth);
if (delegation<-1) throw new NumberFormatException();
}catch(java.lang.NumberFormatException ex){
throw new PolicyParsingException("Delegation Depth should be a valid non-negative integer number, or be missing", ex);
}
String soaId = (String)expect(v, SOA_NODE_SEQUENCE, XMLTags.SOA_NODE).getAttributes().get(XMLTags.ID_ATTRIBUTE);
//System.out.print(" soaId: "+soaId); //********
Vector validity = expect(v, VALIDITY_NODE_SEQUENCE, XMLTags.VALIDITY_NODE).getChildren();
validityForRoleList = new issrg.pba.rbac.AnyTimeValidityPeriod(); // the default validity period
int missingnodes=0;
PolicyXMLNode val_node = expect(validity, ABSOLUTE_VALIDITY_NODE_SEQUENCE, XMLTags.ABSOLUTE_NODE, true);
issrg.pba.rbac.RelativeDate rd;
if (val_node==null){
missingnodes++;
}else{
java.util.Date nb = null;
java.util.Date na = null;
s = (String)val_node.getAttributes().get(XMLTags.START_ATTRIBUTE);
if (s!=null && s.intern()!=""){
rd = parseDateTime(s);
rd.months--;
nb = rd.getDate();
}
s = (String)val_node.getAttributes().get(XMLTags.END_ATTRIBUTE);
if (s!=null && s.intern()!=""){
rd = parseDateTime(s);
rd.months--;
na = rd.getDate();
}
validityForRoleList=new issrg.pba.rbac.AbsoluteValidityPeriod(nb, na);
}
issrg.pba.rbac.RelativeDate age=null;
issrg.pba.rbac.RelativeDate min=null;
issrg.pba.rbac.RelativeDate max=null;
val_node = expect(validity, AGE_VALIDITY_NODE_SEQUENCE-missingnodes, XMLTags.AGE_NODE, true);
if (val_node==null){
missingnodes++;
}else{
s = (String)val_node.getAttributes().get(XMLTags.TIME_ATTRIBUTE);
if (s==null){
throw new PolicyParsingException(XMLTags.TIME_ATTRIBUTE+" attribute is missing in "+XMLTags.AGE_NODE);
}
age=parseDateTime(s);
}
val_node = expect(validity, MAXIMUM_VALIDITY_NODE_SEQUENCE-missingnodes, XMLTags.MAXIMUM_NODE, true);
if (val_node==null){
missingnodes++;
}else{
s = (String)val_node.getAttributes().get(XMLTags.TIME_ATTRIBUTE);
if (s==null){
throw new PolicyParsingException(XMLTags.TIME_ATTRIBUTE+" attribute is missing in "+XMLTags.MAXIMUM_NODE);
}
max=parseDateTime(s);
}
val_node = expect(validity, MINIMUM_VALIDITY_NODE_SEQUENCE-missingnodes, XMLTags.MINIMUM_NODE, true);
if (val_node==null){
missingnodes++;
}else{
s = (String)val_node.getAttributes().get(XMLTags.TIME_ATTRIBUTE);
if (s==null){
throw new PolicyParsingException(XMLTags.TIME_ATTRIBUTE+" attribute is missing in "+XMLTags.MINIMUM_NODE);
}
min=parseDateTime(s);
}
if (age!=null || min!=null || max!=null){
validityForRoleList = new issrg.pba.rbac.AdjustedPeriodCollection(
validityForRoleList,
new issrg.pba.rbac.AdjustedValidityPeriod(age, min, max)
);
}
roleList.construct(); // this is a bit clumsy - the roleList has already constructed the list of roles
// but the Validity could not be defined properly at that time
// so I have to call construct again. this is only due to the syntax of the policy (that the nodes appear in this sequence)
issrg.pba.Credentials soaCreds = roleList.getCredential();
//System.out.print(" soaCreds: "+soaCreds); //********
java.security.Principal soa = soas.getSOA(soaId);
//System.out.println("\nsoa: "+soa); //********
if (soa==null){
throw new PolicyParsingException("No SOA with "+soaId+" has been defined");
}
//System.out.print("getting subject domain:..."); //********
Subtree subj = subjectPol.getDomain(subjId);
//System.out.println("ok : "+subj); //********
if (subj==null){
throw new PolicyParsingException("No Subject Domain with "+subjId+" has been defined");
}
java.util.Vector v2 = (java.util.Vector)rules.get(soa.getName());
if (v2==null){ // a rule for a new SOA
v2 = new java.util.Vector();
rules.put(soa.getName(), v2);
}
//System.out.println("creating an assignment rule:..."); //********
v2.add(new issrg.pba.rbac.policies.AssignmentRule(subj, delegation, soaCreds));
//System.out.println("ok"); //********
}
}
/**
* This method returns the rules defined by the appropriate XML node.
* The rules contain Vectors of issrg.pba.rbac.policies.AssignmentRule
* objects, indexed by the SOA name. There is also a special entry
* with the key issrg.pba.rbac.policies.Subtree.class: its value is
* an issrg.pba.rbac.policies.Subtree of the coverage domain of the
* Subject Policy.
*/
public java.util.Map getRules(){
// Returns the parser's own map instance, not a copy or a read-only view, so
// any caller holding the reference can add, replace or remove assignment
// rules after parsing has finished.
// NOTE(review): if any caller sits outside the trusted policy engine, confirm
// whether an unmodifiable view should be handed out instead.
return rules;
}
/**
* This routine parses a string in the format ccyy-mm-ddThh:mm:ss and
* separates it into integers. The syntax is not strict, so any number
* of consecutive digits is allowed, and any non-digit characters can be
* used as separators (the parser does not ensure that the separators
* are "-", "T", ":", or that they are used in that order).
*
* <p>Examples:
* <p>"00000002~73|1" is parsed as year 2, month 73, day 1. Note that
* the actual meaning
* depends on where this statement is used. If it is the Absolute date
* specification, then
* it is equal to "8-1-1" (73 months is the same as 6 more years and 1
* month).
* <p>"2002-12-31T12:00:21:567" - the last term ":567" is ignored.
*
* @param s is the string of format "ccyy-mm-ddThh:mm:ss" to parse
*
* @return a RelativeDate object with appropriate integers assigned
*/
protected issrg.pba.rbac.RelativeDate parseDateTime(String s) {
    // Reuse the existing Time parser to split the string into its integer
    // fields instead of tokenising it a second time here.
    final int[] fields = new issrg.pba.rbac.Time(s).getEvaluationTime();

    // NOTE(review): the fields are forwarded exactly as parsed; nothing in
    // this method range-checks them or verifies that six values came back,
    // so a mistyped validity date in a policy is not rejected at this point.
    final issrg.pba.rbac.RelativeDate parsed = new issrg.pba.rbac.RelativeDate(
            fields[0], fields[1], fields[2], fields[3], fields[4], fields[5]);
    return parsed;
}
}
/**
* This is the class representing SupRole nodes. It knows its value and its
* direct subordinates. However, it can always tell you whether a given Role
* is subordinate to it or not.
*
* @author A Otenko
* @version 1.0
*/
public class RoleHierarchyNode extends PolicyXMLNode implements issrg.pba.rbac.RoleHierarchyNode {
/**
* This is a number, representing how high in the hierarchy this node is
* located. It helps to optimise calculations of who is superior to who.
*
* <p>Its property is that hierarchy level of the most superior roles is
* 0,
* and that any child role hierarchy level is a bigger integer (not
* always
* greater just by one, because this is not a tree). So if this role
* has bigger integer than another, then the former definitely cannot be
* superior to the latter.
*/
// Starts at -1, i.e. no level assigned yet; setLevel() only ever raises it.
protected int hierarchyLevel = -1;
// Not assigned anywhere in the code visible here.
// NOTE(review): presumably the role type; confirm where it is populated.
protected String type;
// Role value, copied from the VALUE attribute by _init_().
protected String value;
// Direct subordinate roles. Stays null until optimise() resolves the child
// nodes against the role map; optimise() treats non-null as "already done".
protected RoleHierarchyNode [] subordinates=null;
/**
* This is a flag that indicates how many loops include this node. There
* always
* should be zero loops.
*/
private int loops = 0;
/**
 * Creates a SupRole node from the attributes of its XML element.
 *
 * @param attrs the attributes of the XML element, passed on to the
 *     superclass constructor
 */
public RoleHierarchyNode(org.xml.sax.Attributes attrs) {
// Register the node under the SupRole tag name.
super(XMLTags.SUP_ROLE_NODE, attrs);
// Cache the role value; a missing VALUE attribute is not rejected here.
_init_();
}
/**
 * Copies the role value out of the node's attributes into {@code value}.
 */
private void _init_(){
// No validation: whatever getValue() returns for VALUE_ATTRIBUTE is stored.
// NOTE(review): presumably null when the attribute is absent - confirm, and
// check how a null role value behaves as a key in the role hierarchy map.
value = attrs.getValue(XMLTags.VALUE_ATTRIBUTE);
}
/**
* This method links the roles together, using the given Map as a
* reference to
* other Roles. Before calling this method, it is useless to call
* getLevel or
* isSuperiorTo, as they will not be able to determine hierarchical
* relationships between two roles.
*
* @param roleHierarchy - the Map of roles, where the key is the role
* value, and the value is the RoleHierarchyNode
*/
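public void optimise(java.util.Map roleHierarchy) throws PolicyParsingException {
    try {
        if (subordinates != null) { // optimised already
            return;
        }
        Object[] childs = children.toArray();
        // The array is published before it is filled, exactly as before:
        // setLevel() on a subordinate walks subordinates[] recursively and may
        // come back to this node, so the assignment order is left untouched.
        subordinates = new RoleHierarchyNode[childs.length];
        for (int i = 0; i < childs.length; i++) {
            String s = (String) (((PolicyXMLNode) childs[i]).getAttributes().get(XMLTags.VALUE_ATTRIBUTE));
            RoleHierarchyNode sub = (RoleHierarchyNode) roleHierarchy.get(s);
            if (sub == null) {
                throw new PolicyParsingException("Could not find Role " + s + " in this hierarchy");
            }
            subordinates[i] = sub;
            sub.setLevel(getLevel() + 1); // not the suggested level, but the one
                                          // that is set now
        }
    } catch (PolicyParsingException ppe) {
        // Already the right type: rethrow as-is so the original stack trace
        // is not replaced by a copy that only carries the message.
        throw ppe;
    } catch (Exception ex) {
        // Keep the cause attached. Without it a ClassCastException or
        // NullPointerException raised by a malformed policy surfaces as a
        // parsing error with no trace, and often with a null message.
        String msg = ex.getMessage();
        throw new PolicyParsingException(msg != null ? msg : ex.toString(), ex);
    } catch (Error err) {
        // Errors were converted to PolicyParsingException before, so callers
        // may rely on it; keep that, but never with a null message.
        String msg = err.getMessage();
        throw new PolicyParsingException(msg != null ? msg : err.toString());
    }
    // A non-zero counter after linking means setLevel() re-entered this node,
    // i.e. the role graph is cyclic; the policy is rejected rather than used.
    if (loops != 0) {
        throw new PolicyParsingException("Role Hierarchy directed graph contains loops");
    }
}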
/**
* This method returns the hierarchy level of the node.
*/
public int getLevel(){
// -1 (the field initialiser) means no level has been assigned yet; the value
// only reflects the hierarchy once setLevel() has been called for this node.
return hierarchyLevel;
}
/**
* This method sets the hierarchy level of the node. It is set only if
* the
* given level is greater (lower position) than the current. It also
* updates
* the counter of loops in the hierarchy that appeared by adding this
* node.
* Note that the latter counter depends on the sequence of updating the
* hierarchy.
*
* @param level - the least new level of the node; if the node already
* has a higher level, the level won't be updated; otherwise its
* level and the level of all of its subordinates will be updated
*/
public void setLevel(int level){
loops++; // update always; it will be restored to zero, if no loops encountered
if (loops!=1){
return;
}
if (level>=getLevel()){
// updating ok: no loops encountered
hierarchyLevel = level;
if (subordinates!=null)
for(int i=0; i<subordinates.length; i++){
subordinates[i].setLevel(level+1);
}