);
}
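/**
 * Root of the getCreds family: resolves the credentials of a subject in
 * push mode (tokens supplied by the caller) or pull mode (tokens fetched
 * from a repository) and wraps them in a PermisSubject.
 *
 * <p>Push mode: when {@code creds} is not null, every entry is decoded with
 * the engine's AuthTokenParser. An entry that does not decode (for
 * instance because its signature does not verify) is dropped and never
 * reaches the allocation policy, so a bad pushed token can only reduce the
 * privileges of the resulting subject, never extend them. Decoded tokens
 * are filed under the caller-supplied {@code subjectDN}; the holder named
 * inside the token is not compared with {@code subjectDN} here -- presumably
 * the allocation policy performs that check when it selects credentials
 * (TODO confirm).
 *
 * <p>Pull mode: when {@code creds} is null the tokens are retrieved from
 * {@code repository}, or from the AuthTokenRepository given at construction
 * time when that is null as well.
 *
 * @param subjectDN is the identifier of the subject; when X.509 flavour is
 *        configured it must contain either the PKC subject DN, or the PKC
 *        SerialNumber and Issuer DN, or both; must not be null
 * @param creds is an array of Authorisation Tokens (e.g. AttributeCertificates)
 *        to use (push model); can be <code>null</code> (pull model)
 * @param repository - the AuthTokenRepository from which the missing
 *        Authorisation Tokens will be obtained; if null, the
 *        AuthTokenRepository provided at construction time will be used;
 *        if creds is not null, this parameter is ignored
 * @param service is attached to the Subject object, and will be called each
 *        time a decision is made; this way, for example, it is possible to
 *        expire the Subject object by throwing an exception
 * @return a PermisSubject carrying whatever credentials the allocation
 *         policy granted (possibly none)
 * @throws PbaException if the credentials could not be assembled, including
 *         when {@code subjectDN} is null; the original failure is kept as
 *         the cause
 */
protected Subject getCreds(UserEntry subjectDN,
                           Object[] creds,
                           issrg.pba.repository.AuthTokenRepository repository,
                           CredentialsService service) throws PbaException {
    if (subjectDN == null) {
        throw new PbaException("Failed to get credentials: no subject was specified");
    }
    if (logger.isDebugEnabled()) {
        logger.debug("getCreds received: ");
        logger.debug("SubjectDN: " + subjectDN.getEntryName().getName());
        // Arrays.toString lists the elements; "" + creds only printed the array identity
        logger.debug(creds == null ? "Creds is empty" : "Creds: " + java.util.Arrays.toString(creds));
    }
    try {
        if (repository == null) {
            repository = this.Repository;
        }
        if (creds != null) {
            // Push mode: the pushed tokens replace the repository entirely, so
            // nothing is pulled from the configured repositories in this path.
            issrg.utils.repository.VirtualRepository vRepository = new issrg.utils.repository.VirtualRepository();
            repository = new issrg.simplePERMIS.SimplePERMISAuthTokenRepository(vRepository, authParser);
            String subjectName = subjectDN.getEntryName().getName();
            for (int i = 0; i < creds.length; i++) {
                issrg.pba.ParsedToken token = null;
                try {
                    token = authParser.decode(creds[i]);
                } catch (PbaException e) {
                    // A token that fails to decode/verify is dropped rather than
                    // fatal: the subject simply gets fewer credentials. It is
                    // recorded so that a rejected token does not vanish without trace.
                    if (logger.isDebugEnabled()) {
                        logger.debug("Ignoring pushed token #" + i + " that failed to decode", e);
                    }
                }
                if (token == null) {
                    // decode() may also yield null; previously this NPE'd in the
                    // debug logging below when debug output was enabled
                    if (logger.isDebugEnabled()) {
                        logger.debug("Pushed token #" + i + " decoded to null; ignored");
                    }
                    continue;
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("[" + token.getHolder().getEntryName().getName() + token.toString() + "] " + token.getCredentials().toString());
                }
                vRepository.populate(subjectName, CustomisePERMIS.getAttributeCertificateAttribute(), token);
            }
        }
        // here repository is the repository to use for retrieval
        /*
         * TODO: at the moment I am stating -1 delegation depth - unlimited
         */
        if (logger.isDebugEnabled()) {
            logger.debug("creating new PermisSubject ");
        }
        return new issrg.pba.rbac.PermisSubject(this,
                subjectDN.getEntryName(),
                service,
                policyFinder.getPolicyOID(),
                policyFinder.getAllocationPolicy().getCredentials(subjectDN, repository));
    } catch (Throwable th) {
        // Throwable (not Exception) is kept for compatibility: callers of this
        // family expect a PbaException only. The cause is preserved for diagnosis.
        throw new PbaException("Failed to get credentials: " + th.getMessage(), th);
    }
}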
/**
 * Returns every environmental attribute declared in the current policy.
 *
 * <p>The parsed policy is expected to be an {@link XMLPolicyParser}; the
 * cast fails with a ClassCastException for any other parser type.
 *
 * @return the policy's environment nodes, exactly as reported by
 *         XMLPolicyParser#getEnvAttributes
 */
public issrg.pba.rbac.xmlpolicy.ifstatement.EnvironmentNode[] getEnvAttributes() {
    if (logger.isDebugEnabled()) {
        logger.debug("get the array of environment nodes");
    }
    return ((XMLPolicyParser) getPolicyFinder().getParsedPolicy()).getEnvAttributes();
}
/**
 * Fills in the default variables that this version of PermisRBAC requires.
 *
 * <p>Only {@code TIME_VARIABLE} is populated at present (with this engine's
 * clock); a value already supplied by the caller is left untouched.
 *
 * @param env the environment to complete; when null a fresh Hashtable is
 *        created (Hashtable rejects null keys and values)
 * @return the same map, or the newly created one, with the defaults present
 */
protected java.util.Map initEnv(java.util.Map env) {
    java.util.Map environment = (env == null) ? new java.util.Hashtable() : env;
    // add your variables here
    boolean timeUnset = environment.get(TIME_VARIABLE) == null;
    if (timeUnset) {
        environment.put(TIME_VARIABLE, this.clock);
    }
    return environment;
}
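/**
 * Called by the JVM's garbage collector when this PermisRBAC object is no
 * longer referenced.
 *
 * <p>Intentionally a no-op: the former state reset has been removed and
 * nothing is released here. Keeping a finalize override puts every instance
 * on the finalizer queue, which delays reclamation; finalization is also
 * deprecated since Java 9. The override is retained only for compatibility
 * with code that calls it explicitly.
 */
@Override
public void finalize() {
    // Deliberately empty; see the Javadoc above.
}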
/**
 * Constructs a PermisRBAC object from a PolicyFinder alone. The PolicyFinder
 * hides the physical details of locating and retrieving policies from
 * Permis.
 *
 * <p>Users should implement a corresponding PolicyFinder subclass to let
 * PermisRBAC read policies of different formats from different sources; a
 * number of PolicyFinder implementations are provided by Permis.
 *
 * <p>No AttributeRepository is attached explicitly, so either the policy
 * must contain a RepositoryPolicy, or PERMIS will work in push mode only.
 *
 * @param pf is the PolicyFinder that provides access to the policies used
 *        by the PermisRBAC engine
 * @throws PbaException if initialisation fails (e.g. {@code pf} is null)
 *
 * @see issrg.pba.PolicyFinder
 */
public PermisRBAC(PolicyFinder pf) throws PbaException {
    // no repository URLs and no explicit parser: both resolved from the policy
    this(pf, (String[]) null, (issrg.pba.AuthTokenParser) null);
}
/**
 * Constructs a PermisRBAC object from a PolicyFinder, the URL of a single
 * Attribute Repository holding Authorisation Tokens, and the AuthTokenParser
 * to use. Attribute Repositories are built from URLs through
 * URLHandler.getRepositoryByURL, so the appropriate URLHandlers must be
 * registered beforehand.
 *
 * <p>Shortcut for {@code PermisRBAC(pf, new String[]{url}, authParser)}.
 *
 * @param pf - the PolicyFinder that provides the policy
 * @param url - the URL of the single AttributeRepository with
 *        AuthorisationTokens; if null, the Repositories mentioned in the
 *        policy will be used, or PERMIS will work in push mode only if none
 *        are specified in the policy
 * @param authParser - the AuthTokenParser used to parse the Authorisation
 *        Tokens obtained from the Attribute Repositories; if null the
 *        default AuthTokenParser is used, as returned by
 *        CustomisePERMIS.getAuthTokenParser
 * @throws PbaException if initialisation fails
 *
 * @see CustomisePERMIS#getAuthTokenParser
 * @see CustomisePERMIS#addURLHandler
 * @see URLHandler#getRepositoryByURL
 * @see URLHandler#addProtocol(URLHandler)
 */
public PermisRBAC(PolicyFinder pf, String url, issrg.pba.AuthTokenParser authParser) throws PbaException {
    // a null URL stays null (policy repositories only); otherwise it becomes a one-element array
    this(pf, url == null ? null : new String[] {url}, authParser);
}
/**
 * Constructs a PermisRBAC object from a PolicyFinder, an array of URLs of
 * Attribute Repositories holding Authorisation Tokens, and the
 * AuthTokenParser to use. Attribute Repositories are built from URLs through
 * URLHandler.getRepositoryByURL, so the appropriate URLHandlers must be
 * registered beforehand.
 *
 * @param pf - the PolicyFinder that provides the policy
 * @param urls - the URLs of the AttributeRepositories with
 *        AuthorisationTokens; if null, the Repositories mentioned in the
 *        policy will be used, or PERMIS will work in push mode only if none
 *        are specified in the policy
 * @param authParser - the AuthTokenParser used to parse the Authorisation
 *        Tokens obtained from the Attribute Repositories; if null the
 *        default AuthTokenParser is used, as returned by
 *        CustomisePERMIS.getAuthTokenParser
 * @throws PbaException if initialisation fails
 *
 * @see CustomisePERMIS#getAuthTokenParser
 * @see CustomisePERMIS#addURLHandler
 * @see URLHandler#getRepositoryByURL
 * @see URLHandler#addProtocol(URLHandler)
 */
public PermisRBAC(PolicyFinder pf, String[] urls, issrg.pba.AuthTokenParser authParser) throws PbaException {
    // getRepositories(null) yields null, so a null urls array means "policy repositories only"
    this(pf, PermisRBAC.getRepositories(urls), authParser);
}
/**
 * The constructor every other constructor delegates to, directly or
 * indirectly.
 *
 * <p>Setup order: the PolicyFinder is checked and stored, the system clock
 * is taken from CustomisePERMIS, the AuthTokenParser is defaulted if needed,
 * and finally the repositories named in the policy are merged with
 * {@code ar} into the AuthTokenRepository used for pull mode.
 *
 * <p>Only a <em>defaulted</em> parser is configured here with the policy's
 * token parsing rules and the PolicyFinder's signature verifier. A
 * caller-supplied {@code authParser} is used exactly as given, so the caller
 * is responsible for having set a signature verifier on it; otherwise pulled
 * and pushed tokens may be accepted without verification -- confirm against
 * the parser implementation in use.
 *
 * @param pf - the PolicyFinder that locates the policy; if null,
 *        initialisation fails
 * @param ar - the AttributeRepository used to retrieve Authorisation
 *        Tokens; if null, PERMIS will use the repositories specified in the
 *        policy, but if no repositories are specified there, PERMIS will
 *        work only in push mode (i.e. calls to getCreds without pushed
 *        authorisation tokens will yield subjects with no credentials)
 * @param authParser - the AuthTokenParser used to decode the Authorisation
 *        Tokens pushed or pulled from repository; if null, the default
 *        AuthTokenParser set in CustomisePERMIS will be used
 * @throws PbaException if {@code pf} is null
 *
 * @see CustomisePERMIS#getAuthTokenParser
 * @see CustomisePERMIS#addURLHandler
 * @see URLHandler#getRepositoryByURL
 * @see URLHandler#addProtocol(URLHandler)
 */
public PermisRBAC(PolicyFinder pf, AttributeRepository ar, issrg.pba.AuthTokenParser authParser) throws PbaException {
    if (logger.isDebugEnabled()) {
        logger.debug("logging enabled");
    }
    if (pf == null) {
        throw new PbaException("Initialisation failed: no PolicyFinder was specified");
    }
    policyFinder = pf;
    if (logger.isDebugEnabled()) {
        logger.debug("PolicyFinder loaded");
    }

    clock = CustomisePERMIS.getSystemClock();
    if (logger.isDebugEnabled()) {
        logger.debug("clock set");
    }

    issrg.pba.AuthTokenParser parser = authParser;
    if (parser == null) {
        if (logger.isDebugEnabled()) {
            logger.debug("Setting up Token Parser");
        }
        // parsing rules come from the policy, the signature verifier from the PolicyFinder
        parser = CustomisePERMIS.getAuthTokenParser();
        parser.setAuthTokenParsingRules(pf.getParsedPolicy().getAuthTokenParsingRules());
        parser.setSignatureVerifier(pf.getSV());
        if (logger.isDebugEnabled()) {
            logger.debug("Token Parser Configured");
        }
    }

    // repositories listed in the policy itself; null when the policy lists none
    AttributeRepository fromPolicy = getRepositories(pf.getParsedPolicy().getRepositoryURLs());
    AttributeRepository combined = ar;
    if (ar != null || fromPolicy != null) {
        // one of the two slots may be null here; presumably MultiRepository
        // tolerates null entries (getRepositories relies on that too) -- confirm
        combined = new MultiRepository(new AttributeRepository[] {ar, fromPolicy});
    }
    if (logger.isDebugEnabled()) {
        logger.debug("Configuring repository");
    }
    this.Repository = (combined == null)
            ? null
            : new issrg.simplePERMIS.SimplePERMISAuthTokenRepository(combined, parser);
    if (logger.isDebugEnabled()) {
        logger.debug("Repository configured");
    }
    this.authParser = parser;
}
/**
 * Returns the time-out parameter of the system.
 *
 * @return the value of the {@code TIMEOUT} constant
 */
public int getTimeOut() {
    return TIMEOUT;
}
/**
 * Builds a MultiRepository for a list of URLs. A repository that cannot be
 * contacted is left out of the result; query the getRepositories methods on
 * MultiRepository to see which repositories are actually in use.
 *
 * <p>Note that the omission is silent: nothing is logged here, so a
 * mistyped or unreachable repository URL shows up only as subjects with
 * fewer credentials in pull mode (the engine fails closed, not loudly).
 *
 * @param urls - the array of URLs for which a MultiRepository is built; bad
 *        URLs or repositories that could not be contacted are ignored
 *
 * @return MultiRepository that connects to all the specified URLs
 *         simultaneously, or null if urls is null
 */
public static issrg.utils.repository.MultiRepository getRepositories(String[] urls) {
    if (urls == null) {
        return null;
    }
    // one slot per URL; a slot stays null when its URL could not be resolved
    issrg.utils.repository.AttributeRepository[] resolved =
            new issrg.utils.repository.AttributeRepository[urls.length];
    for (int i = 0; i < urls.length; i++) {
        try {
            resolved[i] = URLHandler.getRepositoryByURL(urls[i]);
        } catch (BadURLException ignored) {
            // deliberately ignored, as documented: the repository is simply absent
        }
    }
    return new issrg.utils.repository.MultiRepository(resolved);
}
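/**
 * Builds a MultiRepository that accesses two sets of repositories
 * simultaneously. Either or both arrays can be null.
 *
 * <p>This method is useful when initialising PERMIS RBAC with two sets of
 * repositories: one read from a configuration, one obtained from a policy.
 * Both sets are treated equally and neither is excluded from use.
 *
 * @param urls - the array of URLs; can be null
 * @param urls2 - the array of URLs; can be null
 * @return a MultiRepository over the concatenation of both arrays, or null
 *         when both arrays are null
 */
protected static issrg.utils.repository.MultiRepository getRepositories(String[] urls, String[] urls2) {
    if (urls == null && urls2 == null) {
        // getRepositories(null) would return null as well; stated directly here
        return null;
    }
    // Substitute empty arrays *before* sizing the result. The previous code
    // read urls.length and urls2.length first, so exactly one null side threw
    // NullPointerException, contradicting the documented contract above.
    String[] first = (urls == null) ? new String[0] : urls;
    String[] second = (urls2 == null) ? new String[0] : urls2;
    String[] combined = new String[first.length + second.length];
    System.arraycopy(first, 0, combined, 0, first.length);
    System.arraycopy(second, 0, combined, first.length, second.length);
    return getRepositories(combined);
}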
/**
 * Returns the PolicyFinder this object was initialised with.
 *
 * @return the PolicyFinder; never null, because the constructor rejects a
 *         null PolicyFinder
 */
public PolicyFinder getPolicyFinder() {
    return this.policyFinder;
}
}