/*
* Copyright (c) 2000-2005, University of Salford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the University of Salford nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
package issrg.pba.rbac.policies;
import issrg.pba.Obligation;
import issrg.pba.Obligations;
import issrg.pba.rbac.xmlpolicy.ifstatement.Term;
/**
* This object represents an Access Rule. It can verify whether a given set of
* credentials is sufficient to access a certain target domain in accordance
* with the IF-statement. It is not aware of the action it is applied to: it is
* the responsibility of the caller to create an appropriate action definition,
* to name the parameters to the action and to pass this environment to this
* object for decision making.
* <p>
* Note that if the rule does not allow access to the target, it does not mean
* that access should be denied: there could exist another rule that allows the
* action.
* <p>
* This is the kind of objects that are stored as the Target Access Policy.
*
* @see AccessPolicy
*
* @author A Otenko
* @version 1.0
*/
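public class AccessRule {
  /** Domain of targets this rule applies to. */
  private Subtree targetDomain;

  /** Optional condition; {@code null} means the rule has no IF-statement. */
  private Term ifStatement;

  /** Minimal set of credentials the requester must hold. */
  private issrg.pba.Credentials cred;

  /** Obligations attached to the rule; stays {@code null} unless the four-argument constructor is used. */
  private Obligations oblgs;

  /**
   * Creates a rule with every field left unset ({@code null}).
   *
   * <p>NOTE(review): {@link #decide} as implemented here dereferences the
   * target domain, so a subclass using this constructor presumably overrides
   * {@code decide} - confirm against the subclasses.
   */
  protected AccessRule() {}

  /**
   * This constructor builds the AccessRule object that can make a decision for
   * one Target Domain.
   *
   * @param targetDomain is the target domain to which this rule is applicable
   * @param cred is the minimal set of credentials that the user must possess
   *     in order to access the target
   * @param ifStatement is the IF-statement that is applied in this rule; may
   *     be {@code null}, in which case no condition is evaluated
   */
  public AccessRule(Subtree targetDomain, issrg.pba.Credentials cred,
                    Term ifStatement) {
    this.targetDomain = targetDomain;
    this.ifStatement = ifStatement;
    this.cred = cred;
  }

  /**
   * Builds an AccessRule as the three-argument constructor does and
   * additionally attaches a set of obligations to it.
   *
   * @param targetDomain is the target domain to which this rule is applicable
   * @param cred is the minimal set of credentials that the user must possess
   * @param ifStatement is the IF-statement that is applied in this rule
   * @param obligations is the set of obligations returned by
   *     {@link #getObligations()}
   */
  public AccessRule(Subtree targetDomain, issrg.pba.Credentials cred,
                    Term ifStatement, Obligations obligations) {
    this(targetDomain, cred, ifStatement);
    this.oblgs = obligations;
  }

  /**
   * This method decides if the action can be performed or not. It checks that
   * the target lies within the rule's domain, that the given set of
   * credentials contains the required set, and finally evaluates the
   * IF-statement (if there is one) against the action arguments and the
   * environment.
   *
   * <p>Every check fails closed: a target that is not an Entry, a target
   * outside the domain, absent or insufficient credentials all yield
   * {@code false}, and an IF-statement that does not evaluate to a Boolean
   * raises an exception instead of granting access.
   *
   * @param c is the credential the user possesses; {@code null} is treated
   *     as "no credentials" and never grants access
   * @param t is the TargetADI of the target the user wants to access; note
   *     that it is not an abstract target, it should be the Entry object
   *     corresponding to the target; if it is not an Entry object, the target
   *     domain matching cannot be performed, so false is returned
   * @param args is the collection of arguments to the action, indexed by the
   *     argument name; note that the argument type is defined inside the
   *     IF-statement
   * @param env is the environmental variables: the contextual ADI
   *
   * @return true, if access can be granted, false, if not (but this does not
   *     mean the policy denied access - there may be another rule that grants
   *     access; deny access only if there was no rule that grants access)
   *
   * @throws issrg.pba.PbaException if anything goes wrong within the
   *     IF-statement, including a result that is not a Boolean
   */
  public boolean decide(issrg.pba.Credentials c,
                        Object t,
                        java.util.Map args,
                        java.util.Map env) throws issrg.pba.PbaException {
    // Domain matching is only defined for Entry objects.
    if (!(t instanceof issrg.utils.repository.Entry)) {
      return false;
    }
    if (!targetDomain.contains((issrg.utils.repository.Entry) t)) {
      return false;
    }

    // A caller without any credential object cannot satisfy the rule; answer
    // "not granted" rather than failing with a NullPointerException.
    if (c == null || !c.contains(cred)) {
      return false;
    }

    // No condition attached: domain and credentials are sufficient.
    if (ifStatement == null) {
      return true;
    }

    Object result = ifStatement.evaluate(
        new issrg.pba.rbac.xmlpolicy.ifstatement.Environment(args, env));
    // Anything other than a Boolean is an evaluation error, never a grant.
    if (!(result instanceof Boolean)) {
      throw new issrg.pba.rbac.xmlpolicy.ifstatement.EvaluationException("Evaluation error: the comparison result is not boolean");
    }
    return ((Boolean) result).booleanValue();
  }

  /**
   * Returns a human-readable description of the rule: its target domain, the
   * required credentials and the IF-statement. Obligations are not included.
   */
  @Override
  public String toString() {
    return "Access Rule: TargetDomain=" + targetDomain + ",\n required creds=" + cred + ",\n if-statement=" + ifStatement;
  }

  /**
   * Returns the set of credentials this rule requires. Added for MSoD, to get
   * the activated role.
   *
   * <p>The rule's own object is returned, not a copy.
   * NOTE(review): whether Credentials is mutable is not visible here; if it
   * is, callers must not modify the returned object - confirm.
   *
   * @return the required credentials, as passed to the constructor
   */
  public issrg.pba.Credentials getCreds() {
    return cred;
  }

  /**
   * This function retrieves the obligations associated with the access rule.
   *
   * @return the obligations passed to the four-argument constructor, or
   *     {@code null} if the rule was built without obligations; callers must
   *     check for {@code null} before use
   */
  public Obligations getObligations() {
    // Gansen 2006-6-29
    return this.oblgs;
  }
}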