/*
* Copyright (c) 2006, University of Kent
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* 1. Neither the name of the University of Kent nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED.
*
* 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
* IN THE CIRCUMSTANCES. IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
* SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
* SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
* GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
* TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
* IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
* SERIOUS FAULTS, IN THIS SOFTWARE.
*
* 5. This license is governed, except to the extent that local laws
* necessarily apply, by the laws of England and Wales.
*/
package issrg.pba.rbac.policies;
import issrg.pba.PbaException;
import issrg.pba.rbac.xmlpolicy.XMLPolicyParser;
import issrg.pba.rbac.*;
import issrg.pba.*;
import iaik.asn1.*;
import iaik.asn1.structures.AlgorithmID;
import iaik.utils.Util;
import java.io.*;
import java.util.*;
import java.lang.*;
import java.math.*;
import java.text.*;
//added for MSoD
import issrg.pba.rbac.RetainedADI;
import issrg.SAWS.*;
/**
* This is the class representing the MSoD Policy. It contains a vector of MSoD rules. It determines
* whether an access request is allowed by the MSoD rules.
*
* @author W. Xu
* @version 0.1
*/
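public class MSoDPolicySet {
    /** The MSoD rules of this policy set; each element is an {@link MSoDRule}. */
    protected java.util.Vector msodRules;
    /** The retained ADI holding past access-request decisions, grouped by policy context. */
    protected RetainedADI retainedADI;
    /** The SAWS server that persists decision records as log records and replays them on start-up. */
    private SAWSServer sawsServer;
    /** The PERMIS policy parser; it is cast to {@link XMLPolicyParser} when log records are decoded. */
    private PolicyParser pp;

    protected MSoDPolicySet() {}

    /**
     * Creates the MSoDPolicySet, replays every existing SAWS log file into the retained ADI and
     * then starts the SAWS server so that new decisions can be logged.
     *
     * @param m is a vector of MSoD rules.
     * @param r is the retained ADI object for storing access request decisions in history.
     * @param sawsServer is the SAWS server for recording log records for PERMIS.
     * @param pp is the PolicyParser for PERMIS.
     */
    public MSoDPolicySet(Vector m, RetainedADI r, SAWSServer sawsServer, PolicyParser pp) {
        msodRules = m;
        retainedADI = r;
        this.sawsServer = sawsServer;
        this.pp = pp;
        // Rebuild the decision history from the persisted log before accepting new requests, so
        // that steps completed in earlier runs are still visible to the MSoD rules.
        Vector logFile;
        while ((logFile = sawsServer.sawsReadOneLogFile()) != null) {
            addRecords(logFile);
        }
        this.sawsServer.sawsStart();
    }

    /**
     * Adds a vector of decision records to the retained ADI. A record that is the last step of a
     * rule closes its context instance instead: the history of that instance is removed for the
     * rule's policy context.
     *
     * <p>Records that cannot be decoded, or whose context instance is not a valid DN, are reported
     * on stderr and skipped: such a record cannot be matched against any rule's policy context, and
     * letting it through previously led to a NullPointerException while replaying the log.
     *
     * @param v is the vector of {@link RecordBlock}s read from one SAWS log file.
     */
    private void addRecords(Vector v) {
        for (int i = 0; i < v.size(); ++i) {
            DecisionRecord dr = toDecisionRecord(((RecordBlock) v.get(i)).getRecord());
            if (dr == null) {
                // toDecisionRecord has already printed the decoding failure
                System.err.println("MSoDPolicySet: skipping undecodable log record at index " + i);
                continue;
            }
            ContextNamePrincipal instanceDN;
            try {
                instanceDN = new ContextNamePrincipal(dr.getContextInstance());
            } catch (Exception e) {
                System.err.println("MSoDPolicySet: skipping log record at index " + i
                        + " with unparsable context instance");
                e.printStackTrace();
                continue;
            }
            int size = msodRules.size();
            for (int j = 0; j < size; ++j) {
                MSoDRule rule = (MSoDRule) msodRules.get(j);
                if (!rule.contains(instanceDN)) {
                    continue;
                }
                if (rule.isLastStep(dr.getAction(), dr.getTarget())) {
                    // The final step closes the context instance: drop its whole history for this
                    // policy context and stop looking at further rules for this record.
                    retainedADI.removeContext(rule.getPolicyContext(), instanceDN);
                    break;
                }
                // Recorded once per rule whose policy context covers this instance.
                retainedADI.add(dr);
            }
        }
    }

    /**
     * Extracts a PERMIS log record into a PERMIS access control decision record.
     *
     * <p>The record is a DER SEQUENCE laid out as written by {@link #toBytes}: components 0-4 are
     * userID, action, target, contextInstance and the formatted decision date; component 5 is the
     * number of credentials; each credential then occupies four IA5Strings (role value, role type,
     * notBefore, notAfter).
     *
     * <p>NOTE: {@code DateFormat.getDateInstance()} is a date-only pattern in the default locale, so
     * the time-of-day of a decision is not round-tripped through the log and records written under
     * a different default locale may fail to parse. It is kept for compatibility with existing log
     * files; {@link #toBytes} must keep using the same format.
     *
     * @param recordBlock is a PERMIS log record in binary form.
     *
     * @return a decision record for the retained ADI, or {@code null} if the record could not be
     *     decoded (the failure is printed on stderr).
     */
    private issrg.pba.rbac.DecisionRecord toDecisionRecord(byte[] recordBlock) {
        DateFormat df = DateFormat.getDateInstance();
        issrg.pba.rbac.DecisionRecord dr = null;
        try {
            ASN1 asn1 = new ASN1(recordBlock);
            IA5String s0 = (IA5String) asn1.getComponentAt(0);
            String userID = (String) s0.getValue();
            s0 = (IA5String) asn1.getComponentAt(1);
            String action = (String) s0.getValue();
            s0 = (IA5String) asn1.getComponentAt(2);
            String target = (String) s0.getValue();
            s0 = (IA5String) asn1.getComponentAt(3);
            String contextInstance = (String) s0.getValue();
            s0 = (IA5String) asn1.getComponentAt(4);
            Date dateTime = df.parse((String) s0.getValue());

            INTEGER i0 = (INTEGER) asn1.getComponentAt(5);
            int roleCount = ((BigInteger) i0.getValue()).intValue();
            Vector credsVec = new Vector();
            for (int j = 0; j < roleCount; ++j) {
                int base = 6 + j * 4; // first component of the j-th credential
                s0 = (IA5String) asn1.getComponentAt(base);
                String roleValue = (String) s0.getValue();
                s0 = (IA5String) asn1.getComponentAt(base + 1);
                String roleType = (String) s0.getValue();
                s0 = (IA5String) asn1.getComponentAt(base + 2);
                Date notBefore = df.parse((String) s0.getValue());
                s0 = (IA5String) asn1.getComponentAt(base + 3);
                Date notAfter = df.parse((String) s0.getValue());
                AbsoluteValidityPeriod avp = new AbsoluteValidityPeriod(notBefore, notAfter);
                // The role is resolved through the policy so that the credential carries the
                // role definition of the currently loaded policy, not just the logged strings.
                Credentials pc = new PermisCredentials(((XMLPolicyParser) pp).getRole(roleType, roleValue));
                ExpirableCredentials ec = new ExpirableCredentials(pc, (ValidityPeriod) avp);
                credsVec.add(ec);
            }
            Credentials creds = new SetOfSubsetsCredentials(credsVec);
            dr = new DecisionRecord(userID, creds, action, target, contextInstance, dateTime);
        } catch (Exception e) {
            e.printStackTrace(System.err);
        }
        return dr;
    }

    /**
     * Creates the binary (DER) form of a PERMIS request decision record, in the layout read back by
     * {@link #toDecisionRecord}.
     *
     * <p>NOTE(review): the validity period of each credential is cast to
     * {@code IntersectionValidityPeriod}, whereas {@link #toDecisionRecord} rebuilds it as an
     * {@code AbsoluteValidityPeriod}; if the latter is not an {@code IntersectionValidityPeriod},
     * a record decoded from the log cannot be re-encoded by this method. Confirm against the
     * validity-period class hierarchy.
     *
     * @param dr is the decision record.
     *
     * @return the DER encoding of this PERMIS block.
     */
    private byte[] toBytes(issrg.pba.rbac.DecisionRecord dr) {
        // Must match the format used by toDecisionRecord (see the NOTE there).
        DateFormat df = DateFormat.getDateInstance();
        SEQUENCE seq = new SEQUENCE();
        seq.addComponent(new IA5String(dr.getUserID()));                  // 0
        seq.addComponent(new IA5String(dr.getAction()));                  // 1
        seq.addComponent(new IA5String(dr.getTarget()));                  // 2
        seq.addComponent(new IA5String(dr.getContextInstance()));         // 3
        seq.addComponent(new IA5String(df.format(dr.getDateTime())));     // 4

        Vector credsV = ((SetOfSubsetsCredentials) dr.getCreds()).getValue();
        int credsNumber = credsV.size();
        seq.addComponent(new INTEGER(credsNumber));                       // 5
        for (int i = 0; i < credsNumber; ++i) {
            ExpirableCredentials ec = (ExpirableCredentials) credsV.get(i);
            PermisCredentials pc = (PermisCredentials) ec.getExpirable();
            ValidityPeriod vp = (ValidityPeriod) ec.getValidityPeriod();
            String roleValue = (String) pc.getRoleValue();
            String roleType = (String) pc.getRoleType();
            Date notBefore = ((IntersectionValidityPeriod) vp).getNotBefore();
            Date notAfter = ((IntersectionValidityPeriod) vp).getNotAfter();
            seq.addComponent(new IA5String(roleValue));                   // 6 + 4*i
            seq.addComponent(new IA5String(roleType));                    // 6 + 4*i + 1
            seq.addComponent(new IA5String(df.format(notBefore)));        // 6 + 4*i + 2
            seq.addComponent(new IA5String(df.format(notAfter)));         // 6 + 4*i + 3
        }
        return DerCoder.encode(seq);
    }

    /**
     * Determines whether this MSoD policy applies to the user access request. If it applies, the
     * request has broken one of the MSoD rules of this policy and should be forbidden, and this
     * method returns true; otherwise the decision is recorded (or, for a last step, the context
     * instance is closed), logged through the SAWS server, and this method returns false.
     *
     * @param creds is the user credentials
     * @param a is the user action
     * @param t is the user requested target
     * @param environment is the environment of the decision by PERMIS; the entries
     *     {@code "ContextInstance"} (a DN string) and {@code "Subject"} (a
     *     {@link issrg.pba.rbac.PermisSubject}, pushed to the environment before this call) are read.
     *
     * @return true if this MSoD policy applies to this user requested access; otherwise false.
     */
    public boolean separationOfDutiesApplies(issrg.pba.Credentials creds,
            /*issrg.pba.Subject subject,*/ issrg.pba.Action a,
            issrg.pba.Target t, java.util.Map environment) {
        String contextInstance = (String) environment.get("ContextInstance");
        if (contextInstance == null) {
            // No context instance: the request is outside every MSoD context.
            return false;
        }
        ContextNamePrincipal instanceDN = null;
        try {
            instanceDN = new ContextNamePrincipal(contextInstance);
        } catch (issrg.utils.RFC2253ParsingException e) {
            // NOTE(review): the request continues with a null instanceDN, so whether any rule
            // matches depends on MSoDRule.contains(null); the parse failure is at least reported
            // here rather than dropped silently. Consider rejecting unparsable context instances.
            System.err.println("MSoDPolicySet: unparsable ContextInstance in environment");
            e.printStackTrace();
        }
        issrg.pba.Subject subject = (issrg.pba.rbac.PermisSubject) environment.get("Subject");
        String actionName = a.getActionName();
        String userID = (String) ((issrg.pba.rbac.PermisSubject) subject).getName();
        String targetName = ((PermisTarget) t).getName();

        int size = msodRules.size();
        boolean lastStepFlag = false;
        ContextNamePrincipal lastMaskDN = null;
        for (int i = 0; i < size; ++i) {
            MSoDRule rule = (MSoDRule) msodRules.get(i);
            if (!rule.contains(instanceDN)) {
                continue;
            }
            boolean applies = rule.separationOfDutiesApplies(retainedADI, creds, subject, a, t,
                    environment, instanceDN);
            if (applies) {
                // The request breaks this rule; it must be forbidden.
                return true;
            }
            if (rule.isLastStep(actionName, targetName)) {
                // Remember the widest policy context among the rules for which this request is the
                // last step; that is the context whose history is closed below.
                lastStepFlag = true;
                ContextNamePrincipal maskDN = rule.getPolicyContext();
                if (lastMaskDN == null || maskDN.contains(lastMaskDN)) {
                    lastMaskDN = maskDN;
                }
            }
        }

        issrg.pba.rbac.DecisionRecord dr = new issrg.pba.rbac.DecisionRecord(userID, creds,
                actionName, targetName, contextInstance,
                CustomisePERMIS.getSystemClock().getTime());
        if (lastStepFlag) {
            retainedADI.removeContext(lastMaskDN, instanceDN);
        } else {
            retainedADI.add(dr);
        }
        // Persist the decision so that it survives a restart (replayed by the constructor).
        sawsServer.sendLogRecord(toBytes(dr));
        return false;
    }
}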