allocationpolicy.java

一个完整的XACML工程,学习XACML技术的好例子!

/*
 * Copyright (c) 2000-2005, University of Salford
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * Redistributions of source code must retain the above copyright notice, this
 * list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the University of Salford nor the names of its
 * contributors may be used to endorse or promote products derived from this
 * software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
* Copyright (c) 2006, University of Kent
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without 
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this 
* list of conditions and the following disclaimer.
* 
* Redistributions in binary form must reproduce the above copyright notice, 
* this list of conditions and the following disclaimer in the documentation 
* and/or other materials provided with the distribution. 
*
* 1. Neither the name of the University of Kent nor the names of its 
* contributors may be used to endorse or promote products derived from this 
* software without specific prior written permission. 
*
* 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS  
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
* PURPOSE ARE DISCLAIMED. 
*
* 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
* POSSIBILITY OF SUCH DAMAGE.
*
* 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
* IN THE CIRCUMSTANCES.  IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
* SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
* SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
* GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
* TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
* IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
* SERIOUS FAULTS, IN THIS SOFTWARE.
*
* 5. This license is governed, except to the extent that local laws
* necessarily apply, by the laws of England and Wales.
*/

package issrg.pba.rbac.policies;

import issrg.pba.repository.AuthTokenRepository;
import issrg.pba.Credentials;
import issrg.pba.DelegatableToken;
import issrg.pba.ParsedToken;
import issrg.utils.repository.TokenLocator;
import issrg.pba.PbaException;
import issrg.pba.rbac.Clock;
import issrg.pba.rbac.RuleComparator;
import issrg.pba.rbac.CustomisePERMIS;
import issrg.pba.rbac.LDAPDNPrincipal;
import issrg.pba.rbac.SetOfSubsetsCredentials;
import java.util.Vector;
import issrg.utils.repository.Entry;



/**
 * This class represents an Allocation and Delegation Policy. Its responsibility
 * is to return a set of Credentials (Roles in Permis) that have been assigned
 * to the subject in accordance with the (Role) Assignment policy and delegation
 * rules.
 *
 * <p>This class is quite abstract and can be used for many other projects,
 * even non-role based, and non-AC based, because it operates on abstract
 * authorisation tokens and credentials.
 *
 * <p>The delegation model assumed is: the policy states a number of trusted
 * Sources of Authority, along with the specification of what they can delegate
 * and to whom; these entities can delegate their powers or subset of it 
 * (i.e.&nbsp;the Credentials specified in the policy or the subset of it) to
 * the other entities that must be from their Subject Domain. This way a 
 * delegation chain is established from one of the Sources of Authority (SOAs)
 * to the end users. 
 *
 * <p>AllocationPolicy can recursively trace the delegation 
 * chains by looking up the Authorisation Tokens of the Issuer of each 
 * Authorisation Token available to it, until one of the SOAs is reached.
 * To validate the chain, the same rule is applied on each iteration: the
 * subordinate authority can have the same or less power as the superior 
 * authority; so a subordinate authority has the intersection of the Credentials
 * that it has in the Authorisation Tokens with the Credentials of the superior 
 * authority, the Subject 
 * Domain is an intersection of the superior's Subject Domain and the 
 * subordinate's Subject Domain excluding the subordinate himself, the 
 * delegation depth is at most one less than the delegation depth of the 
 * superior authority.
 *
 * @author A Otenko
 * @version 0.1
 */

public class AllocationPolicy {
    
    // * <p>TODO: implement something like CacheMaintainer object for efficiency.
    
    protected Clock theClock = CustomisePERMIS.getSystemClock(); // this is needed to maintain the Cache properly - we don't rely on System time directly

    java.util.Map assignmentRules = null;
    Subtree coverageDomain = null;
    RuleComparator comparator = null;
    
    protected AllocationPolicy(){}
    
    /**
     * The constructor builds a policy out of assignment Rules and the 
     * reference to
     * the AuthTokenParser. The constructor updates the rules in such a way, 
     * that
     * the SOA name becomes case insensitive.
     *
     * <p>The rule set contains a special rule, which is the coverage domain of
     * the whole AllocationPolicy. This rule is found by using Subtree.class as
     * the key, and the value is assumed to be a Subtree.
     *
     * @param assignmentRules is a Map of Vectors of AssignmentRule objects; the
     *      key for each AssignmentRule collection is the SOA's DN
     * @param comparator defines the preference in validation of Authorisation 
     *      Tokens, so that the most relevant ones are validated first, and the
     *      less relevant or irrelevant ones are not validated at all; if it is
     *      null, the default RuleComparator will be used as defined in 
     *      CustomisePERMIS.getComparator()
     *
     * @see issrg.pba.rbac.CustomisePERMIS#getComparator
     */
    public AllocationPolicy(java.util.Map assignmentRules, RuleComparator comparator) {
        coverageDomain = (Subtree)(assignmentRules.remove(Subtree.class));
        
        this.assignmentRules = assignmentRules;
        Object [] keys = assignmentRules.keySet().toArray();
        
        for (int i=keys.length; i-->0;){
            assignmentRules.put(keys[i].toString().toUpperCase(), assignmentRules.remove(keys[i]));
        }

        if (comparator==null) comparator = CustomisePERMIS.getComparator();
        this.comparator = comparator;
    }

    /**
     * This constructor builds an AllocationPolicy with the default 
     * RuleComparator; this is a shortcut to AllocationPolicy(assignmentRules, null)
     * See that constructor for details of the meaning.
     *
     * @see AllocationPolicy(java.util.Map,RuleComparator)
     */
    public AllocationPolicy(java.util.Map assignmentRules){
      this(assignmentRules, null);
    }

    /**
     * This method does the allocation. It picks the Authorisation Tokens from 
     * the
     * given Authorisation Token Repository (assuming it returns only valid
     * tokens), and uses AuthTokenParser to retrieve the credentials. After that
     * it applies each Assignment Rule to ensure that the credentials have been 
     * assigned
     * according to the policy; all credentials that do not comply to the policy 
     * are discarded
     * and a credentials object containing only complying credentials is 
     * returned.
     *
     * <p>Note that if the User does not match any Subject Domain, an exception 
     * will
     * be thrown.
     *
     * <p>X.509 semantics: It picks all recognisable Roles
     * from the given set of Attribute Certificates, then it exercises the 
     * actual Role assignment: looks
     * what roles from the given set of ACs could have been delegated by the 
     * AC
     * issuer. The latter step involves RoleAssignmentPolicy interpretation, 
     * with
     * SubjectDomain matching, Role matching, SOA matching and the delegation
     * depth matching. The resulting Role will contain validity, as calculated
     * by combining the AC Validity time and Validity restrictions in the
     * RoleAssignmentPolicy.
     *
     * <p>The issuer name is case insensitive.
     *
     * <p>End of recursion:<br>
     * 0. All the roles have been granted by the SOA (which should have been
     * defined in the SOAPolicy)<br>
     * 1. The delegator is already being calculated in this recursion (somewhere
     * down the stack). (Thus eliminating delegation loops; such delegations are
     * invalidated; depending on the role caching mechanism, a flag can be set
     * the role assignment to be calculated later)<br>
     * 2. No ACs obtained for the delegator.<br>
     *
     * @param who is the user identifier; it contains either user DN, or the 
     *      PKC
     *      Issuer DN+Serial Number; it is used when performing SubjectDomain 
     *      match and to retrieve the Authorisation Tokens of the Subject
     * @param acR is the repository with the Authorisation Tokens the user has 
     *      got;
     *      it is assumed the signature has already been verified, when the 
     *      Authorisation Tokens
     *      are retrieved; if null, no AuthorisationTokens can be obtained for
     *      the Subject, so only public access can be granted at decision time
     *      (an empty set of Credentials will be returned)
     */
     public issrg.pba.Credentials getCredentials(TokenLocator who, AuthTokenRepository acR) throws PbaException{
        Vector holders = new Vector();
        holders.add(who.getEntry());              
        
        if (coverageDomain==null || !coverageDomain.contains(who.getEntry())){
            throw new PbaException("User is out of the Subject Domain");
        }
        
        try{
            java.util.Vector tmp;
            Entry issuer;
            issrg.pba.Credentials sumCreds = new SetOfSubsetsCredentials(); //this is the total credentials of "who"
            ParsedToken[] a;
            if (acR != null){ // acR may be null in some cases - i.e. if PERMIS was initialised in a weird way; empty set of Credentials will grant public access
              a = acR.getParsedAuthTokens(who);
              if (a != null)      // anything has been retrieved
                for (int i=a.length; i-->0; ){ 
                    ParsedToken token = a[i];
                    if (token==null) continue;
                    if (!who.getEntry().getEntryName().equals(token.getHolder().getEntryName())) continue; // ignore this AC
                    
                    TokenLocator issuerTokenLocator = token.getIssuerTokenLocator();
                    issrg.pba.Credentials credentials = token.getCredentials();                        
                    Credentials o = validate(who.getEntry(), issuerTokenLocator, credentials, acR, holders);  
                    if ((o != null)){
                      sumCreds = sumCreds.union(o); //sumCreds is added-up by the valid credentials of the current AC                        
                    }
                }
            }
            return sumCreds;
        }catch (PbaException e){
            throw e;
        }catch (Throwable th){
            throw new PbaException("Internal error", th);
        }
    }    
    
     /**
     * This method checks if there is a loop in the delegation chain. This kind 
     * of loop assignment can happen when issuer uses ACM tool to issue ACs.
     * The issuer of an AC in a delegation chain should not be a holder in that 
     * delegation chain.
     *
     * @param holders - a Vector of holder Entry objects discovered along the 
     *    chain
     * @param issuer - the Entry that should not be among the holders
     *
     * @return true, if the issuer is among the holders; false otherwise
     */