/*
* Copyright (c) 2006, University of Kent
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without 
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this 
* list of conditions and the following disclaimer.
* 
* Redistributions in binary form must reproduce the above copyright notice, 
* this list of conditions and the following disclaimer in the documentation 
* and/or other materials provided with the distribution. 
*
* 1. Neither the name of the University of Kent nor the names of its 
* contributors may be used to endorse or promote products derived from this 
* software without specific prior written permission. 
*
* 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS  
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
* PURPOSE ARE DISCLAIMED. 
*
* 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
* POSSIBILITY OF SUCH DAMAGE.
*
* 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
* IN THE CIRCUMSTANCES.  IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
* SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
* SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
* GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
* TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
* IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
* SERIOUS FAULTS, IN THIS SOFTWARE.
*
* 5. This license is governed, except to the extent that local laws
* necessarily apply, by the laws of England and Wales.
*/

package issrg.pba.rbac.policies;


import issrg.pba.PbaException;
import issrg.pba.rbac.xmlpolicy.XMLPolicyParser;
import issrg.pba.rbac.Argument;
import java.util.Map;
import java.util.Hashtable;
import java.util.Vector;
import issrg.pba.rbac.*;

/**
 * This is the class representing the MSoD rule. It determines 
 * whether the request is allowed by this MSoD rule.
 * <p>
 *
 * @author W. Xu
 * @version 0.1
 */

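public class MSoDRule {

  /**
   * MMER (mutually exclusive roles) units of this rule, as handed over by the
   * policy parser. Every element is cast to {@link MMERUnit} when evaluated.
   */
  protected java.util.Vector mmerVec;  // an mmer  vector
  /**
   * MMEP (mutually exclusive privileges) units of this rule. Every element is
   * cast to {@link MMEPUnit} when evaluated.
   */
  protected java.util.Vector mmepVec;  // an  mmep vector

  /** Textual name of the policy context this rule governs. */
  protected String contextName;
  /**
   * Parsed form of {@link #contextName}. Stays {@code null} when the name could
   * not be parsed in the constructor; such a rule refuses to evaluate (see
   * {@link #contains(ContextNamePrincipal)}) instead of silently never applying.
   */
  protected ContextNamePrincipal policyDN = null;

  /** First and last step of the context. The last* pair may be null (no last step defined). */
  String firstAction, firstTarget, lastAction, lastTarget;

  protected MSoDRule(){}

  /**
   * Creates an MSoD rule for one policy context.
   * <p>
   * If {@code context} cannot be parsed into a {@link ContextNamePrincipal} the
   * failure is reported on {@code System.err} and the object is still created,
   * with a {@code null} policy context. This keeps the historical behaviour of
   * not aborting policy loading; the evaluation methods then fail closed by
   * throwing {@link IllegalStateException} rather than by NullPointerException.
   *
   * @param context     the policy context for this MSoD rule
   * @param firstAction the first action in this policy context
   * @param firstTarget the target of the first action
   * @param lastAction  the last action in this policy context (may be null)
   * @param lastTarget  the target of the last action (may be null)
   * @param mmerv       vector of MMER units for this policy context (may be null)
   * @param mmepv       vector of MMEP units for this policy context (may be null)
   */
  public MSoDRule(String context, String firstAction, String firstTarget,
                  String lastAction, String lastTarget,
                  java.util.Vector mmerv, java.util.Vector mmepv) {
    contextName = context;
    this.firstAction = firstAction;
    this.firstTarget = firstTarget;
    this.lastAction = lastAction;
    this.lastTarget = lastTarget;
    mmerVec = mmerv;
    mmepVec = mmepv;
    try {
      policyDN = new ContextNamePrincipal(contextName);
    } catch (Exception e) {
      // Deliberate log-and-continue (preserved); the rule is left with a null
      // policyDN and will refuse to evaluate, so the misconfiguration cannot
      // turn into a rule that silently never forbids anything.
      System.err.println("MSoDRule: cannot parse policy context '" + contextName + "'");
      e.printStackTrace(System.err);
    }
  }

  /**
   * Returns the parsed policy context, refusing to evaluate a rule whose context
   * could not be parsed. Fail closed: an unusable separation-of-duties rule must
   * not degrade into "does not apply".
   *
   * @throws IllegalStateException if the policy context is null
   */
  private ContextNamePrincipal policyContextOrFail() {
    if (policyDN == null) {
      throw new IllegalStateException("MSoD rule for context '" + contextName
          + "' has no parsable policy context; refusing to evaluate it");
    }
    return policyDN;
  }

  /**
   * Tells whether a context instance is governed by this rule, i.e. whether it is
   * contained in the rule's policy context (hierarchical naming structure).
   *
   * @param instanceDN the context instance to test
   * @return true if instanceDN is contained in the policy context of this rule
   * @throws IllegalStateException if this rule has no parsable policy context
   */
  public boolean contains(ContextNamePrincipal instanceDN) {
    return policyContextOrFail().contains(instanceDN);
  }

  /**
   * Returns the policy context of this rule.
   *
   * @return the ContextNamePrincipal of this rule; null if the context name
   *         given to the constructor could not be parsed
   */
  public ContextNamePrincipal getPolicyContext() {
    return policyDN;
  }

  /**
   * Tells whether the given action/target pair is the last step of this context.
   * Returns false when the rule defines no last step, and (unlike a plain
   * {@code compareTo}) also when either argument is null instead of throwing.
   *
   * @param actionName the action
   * @param targetName the target of the action
   * @return true if the pair equals the rule's last action and last target
   */
  public boolean isLastStep(String actionName, String targetName) {
    if (lastAction == null || lastTarget == null) {
      return false;
    }
    return lastAction.equals(actionName) && lastTarget.equals(targetName);
  }

  /**
   * Decides whether this MSoD rule forbids the given access request.
   * <p>
   * Two families of constraints are checked, in this order:
   * <ol>
   * <li>MMER units: the number of roles the user holds (current credentials,
   *     then current plus roles recorded in the history of this context instance)
   *     within a mutually-exclusive role set must stay below the unit's forbidden
   *     cardinality.</li>
   * <li>MMEP units: the requested action/target, combined with the action/target
   *     pairs already recorded in the history, must not reach the unit's forbidden
   *     cardinality. Without any history the request cannot conflict and is let
   *     through (the TAP still has to allow it).</li>
   * </ol>
   *
   * @param retainedADI the retained ADI holding the past decision records
   * @param creds       the user's credentials; must be a {@link SetOfSubsetsCredentials}
   * @param subject     the user subject; must be a {@link PermisSubject}
   * @param a           the requested action
   * @param t           the requested target; must be a {@link PermisTarget}
   * @param environment the decision environment (not consulted by this rule)
   * @param instanceDN  the context instance of the requested action
   * @return true if the request breaks this rule and must be forbidden; false otherwise
   * @throws IllegalStateException if this rule has no parsable policy context
   */
  public boolean separationOfDutiesApplies(RetainedADI retainedADI,
                issrg.pba.Credentials creds,
                issrg.pba.Subject subject, issrg.pba.Action a,
                issrg.pba.Target t, java.util.Map environment,
                ContextNamePrincipal instanceDN) {
    ContextNamePrincipal context = policyContextOrFail();

    String userID = (String) ((issrg.pba.rbac.PermisSubject) subject).getName();
    Vector userCredsVec = ((SetOfSubsetsCredentials) creds).getValue();
            // roles currently possessed by the user
    String actionName = a.getActionName();
    String targetName = ((PermisTarget) t).getName();

    Vector historyVector = retainedADI.getHistoryRecords(context, instanceDN, userID); // DecisionRecords
    Vector roleVec = rolesFromHistory(historyVector);

    if (mmerVec != null) {
      for (int i = 0; i < mmerVec.size(); ++i) {
        MMERUnit mmerUnit = (MMERUnit) mmerVec.get(i);
        mmerUnit.startMatch();
        if (mmerUnit.MMERMatches(userCredsVec)) {
          return true;  // forbidden cardinality reached by the current roles alone
        }
        if (mmerUnit.getMatchCount() == 0 || historyVector == null) {
          continue;     // unit not touched by this request, or nothing to combine it with
        }
        // No startMatch() here on purpose: the count from the current roles is
        // kept so that current and historical roles are counted together.
        if (roleVec != null && mmerUnit.MMERMatches(roleVec)) {
          return true;
        }
      }
    }

    if (historyVector == null) {
      // Without past steps in this instance the current action cannot collide
      // with anything; it is granted if the TAP allows it.
      return false;
    }
    if (mmepVec != null) {
      for (int i = 0; i < mmepVec.size(); ++i) {
        MMEPUnit mmepUnit = (MMEPUnit) mmepVec.get(i);
        mmepUnit.startMatch();
        // Seeds the unit's match count with the requested step; its boolean
        // result is not used here, only the resulting count.
        mmepUnit.MMEPMatches(actionName, targetName);
        if (mmepUnit.getMatchCount() == 0) {
          continue;     // this unit does not cover the requested step
        }
        for (int j = 0; j < historyVector.size(); ++j) {
          DecisionRecord dr = (DecisionRecord) historyVector.get(j);
          if (mmepUnit.MMEPMatches(dr.getAction(), dr.getTarget())) {
            return true;
          }
        }
      }
    }

    return false;
  }

  /**
   * Collects the roles recorded in all decision records of a context instance
   * into one role vector.
   * <p>
   * NOTE(review): the original code called {@code union()} and dropped its
   * return value, so only the first record's roles were ever consulted (or, if
   * union mutates in place, the first record's credential object stored in the
   * retained ADI was modified). The result of {@code union()} is now kept, on the
   * assumption that {@code Credentials.union} returns the combined set — confirm
   * against issrg.pba.Credentials.
   *
   * @param historyVector vector of {@link DecisionRecord}s, may be null
   * @return the role vector of the union of all recorded credentials, or null
   *         if there is no history
   */
  private static Vector rolesFromHistory(Vector historyVector) {
    if (historyVector == null) {
      return null;
    }
    issrg.pba.Credentials historySSC = null;  // SSC is short for SetOfSubsetsCredentials
    for (int j = 0; j < historyVector.size(); ++j) {
      DecisionRecord dr = (DecisionRecord) historyVector.get(j);
      if (historySSC == null) {
        historySSC = dr.getCreds();
      } else {
        historySSC = historySSC.union(dr.getCreds());
      }
    }
    if (historySSC == null) {
      return null;
    }
    return ((SetOfSubsetsCredentials) historySSC).getValue();
  }

}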

