📄 defaultrulecomparator.java
字号:
/*
* Copyright (c) 2006, University of Kent
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* 1. Neither the name of the University of Kent nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED.
*
* 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
* IN THE CIRCUMSTANCES. IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
* SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
* SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
* GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
* TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
* IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
* SERIOUS FAULTS, IN THIS SOFTWARE.
*
* 5. This license is governed, except to the extent that local laws
* necessarily apply, by the laws of England and Wales.
*/
/*
* DefaultComparator.java
*
* Created on February 21, 2006, 9:49 AM
*/
package issrg.pba.rbac.xmlpolicy;
import issrg.pba.Credentials;
import issrg.pba.DelegatableToken;
import issrg.pba.ParsedToken;
import issrg.pba.rbac.ExpirableCredentials;
import issrg.pba.rbac.SetOfSubsetsCredentials;
import issrg.pba.rbac.policies.AssignmentRule;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.Vector;
public class DefaultRuleComparator implements issrg.pba.rbac.RuleComparator, java.util.Comparator {
Object assertion;
/** Creates a new instance of DefaultComparator */
public DefaultRuleComparator() {
}
/**
* This function compare two object o1 and o2 according to the assertion. They are two DelegateableToken objects.
* Order of priority: credentials - validity period - delegation depth.
*
* Get the delegateable credentials of the two objects and try to compare them with the credentials in the assertion by the
* morePriority function. If one object has more priority than the other then return the value -1 or 1.
* Compare two validity periods of the two objects. If one has more priority then return -1 or 1.
* Compare two delegation depths then return -1 or 1.
*
* @param o1 is the first object. It is a DelegateableToken object
* @param o2 is the second object. It is a DelegateableToken object.
* @return -1 if o1 is greater or equal o2, otherwise return 1
*/
public int compare(Object o1, Object o2) {
if (!(o1 instanceof ParsedToken && o2 instanceof ParsedToken && o1!=null && o2!=null)) throw new ClassCastException("Two parameters should not be null and must be the instance of ParsedToken class");
DelegatableToken obj1 = (DelegatableToken) o1;
DelegatableToken obj2 = (DelegatableToken) o2;
Credentials credsTok1 = obj1.getDelegateableCredentials();
Credentials credsTok2 = obj2.getDelegateableCredentials();
Credentials assertCred;
if (assertion instanceof AssignmentRule) assertCred = ((AssignmentRule) assertion).getCredentials(); else assertCred = (Credentials) assertion;
Credentials con1, con2;
con1 = credsTok1.intersection(assertCred);
con2 = credsTok2.intersection(assertCred);
int states = morePriority(con1, con2);
if (states == -1) return -1;
if (states == 1) return 1;
//from here two roleValues are not compareable or they are the same. Continue checking validity time and delegation depth
if (con1 instanceof SetOfSubsetsCredentials && con2 instanceof SetOfSubsetsCredentials) {
Credentials f1, f2;
f1 = (Credentials) ((SetOfSubsetsCredentials)con1).getValue().get(0);
f2 = (Credentials) ((SetOfSubsetsCredentials)con2).getValue().get(0);
if (f1 instanceof ExpirableCredentials && f2 instanceof ExpirableCredentials) {
issrg.pba.rbac.ValidityPeriod vp1 = ((ExpirableCredentials) f1).getValidityPeriod();
issrg.pba.rbac.ValidityPeriod vp2 = ((ExpirableCredentials) f2).getValidityPeriod();
Date na1 = vp1.getNotAfter();
Date nb1 = vp1.getNotBefore();
Date na2 = vp2.getNotAfter();
Date nb2 = vp2.getNotBefore();
if ((nb1.compareTo(nb2) < 0) && (na1.compareTo(na2) >= 0)) return -1;
if ((nb1.compareTo(nb2) == 0) && (na1.compareTo(na2) > 0)) return -1;
if ((nb2.compareTo(nb1) < 0) && (na2.compareTo(na1) >= 0)) return 1;
if ((nb2.compareTo(nb1) == 0) && (na2.compareTo(na1) > 0)) return 1;
}
}
//from here two rolesValues are not compareable (or they are the same) and validity time are not compareable
if (assertion instanceof Credentials) return 1;
int tok1Depth = obj1.getDepth();
int tok2Depth = obj2.getDepth();
int requestedDepth = ((AssignmentRule) assertion).getDelegationDepth();
if ((tok1Depth == -1) || ((tok1Depth > requestedDepth) && (requestedDepth > -1))) return -1;
if ((tok2Depth == -1) || ((tok2Depth > requestedDepth) && (requestedDepth > -1))) return 1;
if (tok1Depth >= tok2Depth) return -1; else return 1;
}
/**
*This function will take the vector of asserted RARs of issuer, ignore unrelevant RARs for the assertion,
* and sort relevant RARs according to the assertion
*@param assertion is either a credentials or a RoleAssignmentRule of the holder that needs to be validated
*@param tokens stores all the RARs of issuer
*@param holder is the holder of the assertion
*@return an array of ParsedToken that is sorted according to the assertion.
*/
public synchronized ParsedToken[] predict(Object assertion, Vector tokens, issrg.utils.repository.Entry holder){
this.assertion = assertion;
Credentials assertCred;
if (assertion instanceof AssignmentRule) assertCred = ((AssignmentRule) assertion).getCredentials(); else assertCred = (Credentials) assertion;
Vector tokensClone = (Vector) tokens.clone();
SetOfSubsetsCredentials empty = new SetOfSubsetsCredentials();
for (Iterator i = tokensClone.iterator(); i.hasNext();) {
ParsedToken t = (ParsedToken) i.next();
if (!(t instanceof DelegatableToken)) {
i.remove();
continue;
}
DelegatableToken dt = (DelegatableToken)t;
if (dt.getDelegateableCredentials().intersection(assertCred).equals(empty)
|| !dt.getSubjectDomain().contains(holder))
i.remove();
}
ParsedToken[] ret;
ret = (ParsedToken[]) tokensClone.toArray(new ParsedToken[0]);
Arrays.sort(ret, this);
return ret;
}
/** This function test whether the constrained assertion is good enough
*@param asRAR is the RoleAssignmentRule of the issuer
*@param vaRAR is the validated RoleAssignmentRule of the issuer. Both of these RoleAssignmentRules may be null.
*If they are null, it means RoleAssignmentRule of the issuer is totally trusted and we do not care about it.
*@param assertion is either a credentials or a RoleAssignmentRule of the holder that needs to be validated
*@param validated is a validated credentials or a Vecor of validated RoleAssignmentRules of the holder
*@return a boolean value. If it is true then the issuer's RAR is good enough for validating the request and
*we do not need to use another issuer'RAR for validating the request. Otherwise, we need to use another RAR
*to validate the request.
*
*/
public boolean isSufficient(AssignmentRule asRAR, AssignmentRule vaRAR, Object assertion, Object validated) {
if (asRAR==null && vaRAR==null) return false;
if (validated instanceof Credentials) {
if (((Credentials) validated).equals(new SetOfSubsetsCredentials())) return false; else return true;
} else {
if (validated instanceof Vector) {
if (!((Vector)validated).isEmpty()) return true; else return false;
} else return false;
}
}
/**
* This function compares two Credentials to find the one that more appropriate to the request.
*
*
*@param current is the first Credentials
*@param cred is the second Credentials
*
*@return -1 if current is greater than cred, 0 if they are equal or not comparable, 1 if current is less than cred
*/
private int morePriority(Credentials current, Credentials cred) {
if (current instanceof SetOfSubsetsCredentials && cred instanceof SetOfSubsetsCredentials) {
Vector t = ((SetOfSubsetsCredentials)current).getValue();
Vector fromCurrent = new Vector();
for (int i = 0; i < t.size(); i++) {
if (!(t.get(i) instanceof ExpirableCredentials)) return 0;
fromCurrent.add(((ExpirableCredentials) t.get(i)).getExpirable());
}
t = ((SetOfSubsetsCredentials) cred).getValue();
Vector fromCred = new Vector();
for (int i = 0; i < t.size(); i++) {
if (!(t.get(i) instanceof ExpirableCredentials)) return 0;
fromCred.add(((ExpirableCredentials) t.get(i)).getExpirable());
}
SetOfSubsetsCredentials currentSet = new SetOfSubsetsCredentials(fromCurrent);
SetOfSubsetsCredentials credSet = new SetOfSubsetsCredentials(fromCred);
if (currentSet.contains(credSet) && !currentSet.equals(credSet)) return -1;
if (credSet.contains(currentSet) && !currentSet.equals(credSet)) return 1;
return 0; //return 0 here if the two set are the same or neither of them contains the other
}
return 0;
}
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -