📄 allocationpolicy.java
字号:
private boolean checkLoopAssignment(Vector holders, Entry issuer) {
int size = holders.size();
for (int i = 0; i < size; i++) {
Entry e = (Entry) holders.get(i);
if (e.getEntryName().getName().equals(issuer.getEntryName().getName())) return true;
}
return false;
}
/**
* This method validates a requested set of Credentials.
*
* @param holder is the holder Entry. It is matched against the Subject
* Domain of the issuer's RAR
* @param issuerTokenLocator specifies the location of the issuer's
* Authorisation Tokens
* @param credentials is the credentials asserted by the holder and issued
* by the issuer identified by issuerTokenLocator
* @param acR is the default repository for the Authorisation Tokens; if
* null, the Authorisation Token Repository mentioned in the
* issuerTokenLocator will be used; if neither is specified, the issuer's
* Authorisation Tokens cannot be found and the assignment will only be
* validated using the RARs available in the policy
* @param holders is the vector that stores list of holders on the
* delegation path; it is used for detecting loops in assignment
*
* @return validated credentials
*/
public Credentials validate(Entry holder, TokenLocator issuerTokenLocator, Credentials credentials, AuthTokenRepository acR, Vector holders) throws PbaException {
//@Gansen : The following 3 lines were the original code. We keep a copy here in case of bugs
Object o = validate(holder, issuerTokenLocator, (Object) credentials, acR, holders);
if (o instanceof Credentials) return (Credentials)o; else {
throw new PbaException("Validating Credentials failed: Credentials was expected, but "+o.getClass()+" found");
}
//
// boolean bValidationSuccess=false;
// Object o = validate(holder, issuerTokenLocator, (Object) credentials, acR, holders);
//
// //there are 2 ways that this function failed.
// //the first is that, it return a set of rars,
// //the second one is that, it returns an empty set of credentials
// if(o instanceof Credentials ){//returns a set of credentials
// //try to test if the set is empty or not
// Credentials result=(Credentials) o;
// }
//
// if (o instanceof Credentials) return (Credentials)o; else {
// throw new PbaException("Validating Credentials failed: Credentials was expected, but "+o.getClass()+" found");
// }
}
/**
* This function validates a requested RAR.
*
* @param holder is the Entry of the holder of the asserted RAR
* @param issuerTokenLocator specifies the location of the issuer's
* Authorisation Tokens
* @param rule is the RAR asserted by the holder and issued by the issuer
* identified by issuerTokenLocator
* @param acR is the default repository for the Authorisation Tokens; if
* null, the Authorisation Token Repository mentioned in the
* issuerTokenLocator will be used; if neither is specified, the issuer's
* Authorisation Tokens cannot be found and the assignment will only be
* validated using the RARs available in the policy
* @param holders is the vector that stores list of holders on the
* delegation path; it is used for detecting loops in assignment
*
* @return a vector of validated RARs, each element of which is an
* AssignmentRule
*/
public Vector validate(Entry holder, TokenLocator issuerTokenLocator, AssignmentRule rule, AuthTokenRepository acR, Vector holders) throws PbaException {
Object o = validate(holder, issuerTokenLocator, (Object) rule, acR, holders);
if (o instanceof Vector) return (Vector)o; else {
throw new PbaException("Validating RARs failed: Vector of RARs was expected, but "+o.getClass()+" found");
}
}
/**
* This function validates a RAR or Credentials. It will retrieve the
* issuer's Authorisation Tokens from a repository and validate
* the requested object. Note that issuer's Authorisation Tokens will be
* sorted according to suitability for the requested object using the
* RuleComparator specified at construction time and is
* validated one
* by one until the constrained result is "good enough" (the criterion is
* specified by the RuleComparator, too).
*
* <p>The logic of it is: "discover the chain from user to one of the SOAs,
* then validate the chain back from SOA to user". Discovering
* the chain
* starts with the end entity and stops with the SOA. It gets the asserted
* rules of intermediate
* issuers from their attributes and tries to recursively validate these
* rules. To
* validate a rule, it has to get the valid rules of the issuer of this
* rule.
*
* <p>At the last step, it gets rules of SOA out of the policy (which are
* valid, since they
* come from the policy, do not
* check) and validates the rules issued by the SOA to subordinates. Then
* the recursion comes back down the chain from SOA to end entity and
* validates the
* rules on its way and finally validates rules/Credentials of the end
* entity.
*
* <p>First of all, the function get the issuer's valid RARs
* (validIssuerRARs) from the assginmentRules object. This object comes
* from the policy and it stores the valid RARs of each SOA.
* <ol>
* <li>If the validIssuerRARs is not null then the issuer of the holder's
* attribute is a SOA</li>
* <ol>
* <li>With each issuer's RAR, constrain (allocate) the assertion and
* union the results</li>
* <li>After the above step, the results is returned because a SOA is
* the issuer</li>
* </ol>
* <li>If the validIssuerRARs is null then the issuer of the holder's
* attribute is not a SOA</li>
* <ol>
* <li>Get the issuer's parsed tokens from issuerTokenLocator and put them
* on the issuerTokens vector (after some checks)</li>
* <li>If the issuerTokens is empty then the issuer does not have any
* attribute so the assertion can not be valid. Return with empty
* object result.<br>
* Otherwise, go to the next step.</li>
* <li>Call the Comparator object and sort the issuerTokens according to
* the assertion and the sorting rules in the comparator object.</li>
* <li>For each issuer's parsed token, do the following:
* <ol>
* <li>If the token is not a delegateable token, throw it away and continue
* with the next token</li>
* <li>Get the assignment rule (RAR) from the current DelegatableToken.</li>
* <li>If the issuer (issuerToken.getHolder()) is one of the holder in the
* holders vector then there is a loop assignment. Throw the token
* away and continue with the next token</li>
* <li>Add the issuer to the holders vector. The issuer now is one of the
* entry in the delegation chain.</li>
* <li>Validate the issuer's RAR. This step will make a recursive call.
* Get the vector of valid RARs. The result here is a vector of RARs
* because one issuer may have some valid attributes and each valid
* attribute may result one valid RAR</li>
* <li>One delegation chain from the issuer to one of the SOA has been
* validated. Remove the issuer from the holders vector.<br>
* Note: just one (yes, one) delegation chain from the issuer to one
* of the SOA has been validated.</li>
* <li>With the valid vector of RARs of the issuer, constrain the request
* to get the valid credentials or RARs</li>
* <li>Use the comparator to check that the valid result is good enough
* for the request. If it is ok, return the results, otherwise,
* continue with the next issuer's parsed token. The
* isSufficient method of the default RuleComparator is very simple -
* if the result is not empty then it is fine. What is "enough"
* depends on purpose and it can be modified and plugged in the Permis
* by the comparator object via the CustomisePERMIS class.</li>
* </ol>
* </ol>
* </ol>
*
* @param holder is the Entry of the holder of the asserted RAR
* @param issuerTokenLocator specifies the location of the issuer's
* Authorisation Tokens
* @param assertion is either the RAR or Credentials asserted by the holder
* and issued by the issuer
* identified by issuerTokenLocator
* @param acR is the default repository for the Authorisation Tokens; if
* null, the Authorisation Token Repository mentioned in the
* issuerTokenLocator will be used; if neither is specified, the issuer's
* Authorisation Tokens cannot be found and the assignment will only be
* validated using the RARs available in the policy
* @param holders is the vector that stores list of holders on the
* delegation path; it is used for detecting loops in assignment
*
* @return an Object, the type of which depends on the type of assertion;
* if the assertion is Credentials, the result is a Credentials;
* otherwise it is Vector of valid RARs, each element being an
* AssignmentRule
*
* @see issrg.pba.rbac.CustomisePERMIS
* @see issrg.pba.rbac.xmlpolicy.DefaultRuleComparator
*/
private Object validate(Entry holder, TokenLocator issuerTokenLocator, Object assertion, AuthTokenRepository acR, Vector holders) throws PbaException {
issrg.pba.Credentials emptyCred = new SetOfSubsetsCredentials();
//sumup is used to store the valid credentials. If the assertion is credentials then this function will return the sumup credentials
Credentials sumup = assertion instanceof Credentials ? new SetOfSubsetsCredentials() : null;
//validRARs stores the valid RARs. If the assertion is a RAR then this function will return the validRARs vector
Vector validRARs = assertion instanceof Credentials ? null : new Vector();
Object result = assertion instanceof Credentials ? (Object)sumup : (Object)validRARs;
Vector validIssuerRARs = new Vector();
Vector tmp = (java.util.Vector)assignmentRules.get(issuerTokenLocator.getEntry().getEntryName().getName().toUpperCase());
if (tmp!=null) validIssuerRARs.addAll(tmp); // add any rules given to the specific SOA, if any
tmp = (java.util.Vector)assignmentRules.get("");
if (tmp!=null) validIssuerRARs.addAll(tmp); // add any rules given to "ANY" SOA, if any rules are present
ParsedToken[] issuerToks=null;
Vector issuerTokens = new Vector();
AssignmentRule assertRule = null;
AssignmentRule validRule = null;
try {
if (validIssuerRARs != null) {
for (int i = 0; i < validIssuerRARs.size(); i++) {
AssignmentRule validSOARAR = (AssignmentRule) validIssuerRARs.get(i);
if (assertion instanceof Credentials) {
Credentials credentials = validSOARAR.allocate(holder,(Credentials) assertion);
if ((credentials != null) && !(credentials.equals(emptyCred))) {
sumup = sumup.union(credentials);
}
result = sumup;
} else {
Vector rules = validSOARAR.allocate(holder, (AssignmentRule)assertion);
//rules is always not null
validRARs.addAll(rules);
result = validRARs;
}
}
// if the result of applying the RARs from the policy does not yield
// a sufficient result, assume there were no RARs in the policy
// i.e. validIssuerRARs=null
if (!comparator.isSufficient(null, null, assertion, result)) validIssuerRARs=null;
}
if (validIssuerRARs == null) { // there were no RARs in the policy,
// or applying them wasn't sufficient - look for Authorisation Tokens of the Issuer
if (acR!=null) issuerToks = acR.getParsedAuthTokens(issuerTokenLocator);
if (issuerToks != null) {
for (int i = 0; i < issuerToks.length; i++) {
ParsedToken tok = issuerToks[i];
if (tok==null) continue;
if (!issuerTokenLocator.getEntry().getEntryName().equals(tok.getHolder().getEntryName())) continue;
issuerTokens.add(tok);
}
}
}
if ((!issuerTokens.isEmpty())) {
ParsedToken[] issuerOrderedTokens = comparator.predict(assertion, issuerTokens, holder);
//after predict function, issuerToken should be a DelegatableToken
no_more_tokens:
for (int i = 0; i < issuerOrderedTokens.length; i++) {
ParsedToken issuerToken = issuerOrderedTokens[i];
if (!(issuerToken instanceof DelegatableToken)) continue;
DelegatableToken issuerDT = (DelegatableToken) issuerToken;
AssignmentRule aRule = new AssignmentRule(issuerDT.getSubjectDomain(), issuerDT.getDepth(), issuerDT.getDelegateableCredentials());
if ((issuerDT.getDepth()>-1 && issuerDT.getDepth()+1<holders.size()) // ignore the Tokens whose Delegation Depth is smaller than the length of the rest of the chain
|| checkLoopAssignment(holders, issuerToken.getHolder())) continue;
holders.add(issuerTokenLocator.getEntry());
Vector v = validate(issuerToken.getHolder(), issuerToken.getIssuerTokenLocator(), aRule, acR, holders);
holders.remove(issuerTokenLocator.getEntry());
for (int j = 0; j < v.size(); j++) {
AssignmentRule vRule = (AssignmentRule)v.get(j);
if (assertion instanceof Credentials) {
Credentials credentials = vRule.allocate(holder, (Credentials) assertion);
if ((credentials != null) && !(credentials.equals(emptyCred))) {
sumup = sumup.union(credentials);
}
result = sumup;
} else {
Vector rules = vRule.allocate(holder, (AssignmentRule) assertion);
if (!(rules.isEmpty())) {
validRARs.addAll(rules);
}
result = validRARs;
}
if (comparator.isSufficient(aRule, vRule, assertion, result)) {
break no_more_tokens;
}
}
}
}
return result;
}catch (issrg.pba.PbaException e) {
throw e;
}
}
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -