simplepermisacpolicyfinder.java

来自「一个完整的XACML工程,学习XACML技术的好例子!」· Java 代码 · 共 219 行

JAVA
219
字号
/*
* Copyright (c) 2006, University of Kent
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without 
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this 
* list of conditions and the following disclaimer.
* 
* Redistributions in binary form must reproduce the above copyright notice, 
* this list of conditions and the following disclaimer in the documentation 
* and/or other materials provided with the distribution. 
*
* 1. Neither the name of the University of Kent nor the names of its 
* contributors may be used to endorse or promote products derived from this 
* software without specific prior written permission. 
*
* 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS  
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
* PURPOSE ARE DISCLAIMED. 
*
* 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
* POSSIBILITY OF SUCH DAMAGE.
*
* 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
* IN THE CIRCUMSTANCES.  IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
* SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
* SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
* GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
* TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
* IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
* SERIOUS FAULTS, IN THIS SOFTWARE.
*
* 5. This license is governed, except to the extent that local laws
* necessarily apply, by the laws of England and Wales.
*/
package issrg.pba.rbac.x509;

import issrg.pba.*;
import issrg.pba.rbac.*;
import java.security.Principal;

import issrg.SAWS.*; // added for MSoD

/**
 * This is a simple Policy Finder that can be instantiated from an instance of
 * an X.509 Attribute Certificate. It is useful to extend from: collect the
 * Attribute Certificates, then invoke initPolicyFromACArray to initialise the
 * Policy Finder.
 *
 * @author gansen
 */
public class SimplePERMISACPolicyFinder extends PolicyFinder{
    
    private issrg.pba.AuthTokenParser tokenParser=CustomisePERMIS.getAuthTokenParser();

    protected SimplePERMISACPolicyFinder(){
      super();
    }
    
    /** 
     * This constructor builds a Policy Finder given an AC, the identifier of 
     * the policy and the identity of the policy issuer. Only if the AC holds
     * the required policy construction succeeds. This constructor invokes the
     * initPolicyFromACArray directly, see that method description for 
     * additional details.
     *
     * @param acBinary - the array of byte arrays, each representing a 
     *   BER-encoded or Base64 encoding of a BER-encoded X.509 AC
     * @param policyID - the identifier of the policy to use
     * @param SOA - the Principal naming the issuer of the policy (must be the
     *   Holder and Issuer of the self-signed Attribute Certificate)
     * @param SV - the SignatureVerifier to use; if null, digital signatures on 
     *   the ACs are not checked (NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS!)
     */
    public SimplePERMISACPolicyFinder(byte[] acBinary, String PolicyId, Principal SOA,
            SignatureVerifier SV) throws PbaException {
        this();
        initPolicyFromACArray(new byte[][]{acBinary}, PolicyId, SOA, SV);
    }
    
    /**
     * This method looks for the right policy among an array of X.509 Attribute
     * Certificates. The policy is identified by its Policy ID (OID in PERMIS
     * XML) and the name of the issuer of the policy. The signatures on the
     * ACs are validated using the SignatureVerifier provided, if any.
     *
     * @param acBinary - the array of byte arrays, each representing a 
     *   BER-encoded or Base64 encoding of a BER-encoded X.509 AC
     * @param policyID - the identifier of the policy to use
     * @param SOA - the Principal naming the issuer of the policy (must be the
     *   Holder and Issuer of the self-signed Attribute Certificate)
     * @param SV - the SignatureVerifier to use; if null, digital signatures on 
     *   the ACs are not checked (NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS!)
     */
    protected void initPolicyFromACArray(byte[][] acBinary, String policyID, Principal SOA,
            SignatureVerifier SV) throws PbaException{
        this.policyOID=policyID.intern();
        this.sv=SV;
        issrg.utils.repository.TokenLocator soaTokenLocator=new issrg.pba.repository.UserEntry(SOA);

        try{
          issrg.pba.PolicyParser pp = null;
          Throwable lastError = null; // this variable keeps the errors encountered during parsing the attributes
        
          String message = "No ACs have been provided";
        
          boolean selfSignedExists = false;
          boolean signatureVerified = false;
          boolean policyAttrExists = false;
          boolean correctPolicyOID = false;
          byte[] byteAC=null;
          issrg.ac.AttributeCertificate ac=null;
        
          if (acBinary!=null && acBinary.length>0){
            
policy_found:
            for (int i=0; i<acBinary.length; i++){
              try{
                byteAC=acBinary[i];
                ac = issrg.ac.AttributeCertificate.guessEncoding(byteAC);
                    
                if (!(SOA.equals(new LDAPDNPrincipal(issrg.ac.Util.generalNamesToString(ac.getACInfo().getHolder().getEntityName())))
                  && SOA.equals(new LDAPDNPrincipal(issrg.ac.Util.generalNamesToString(ac.getACInfo().getIssuer().getV1Form()==null?ac.getACInfo().getIssuer().getV2Form().getIssuerName():ac.getACInfo().getIssuer().getV1Form()))))){
                        // not self-issued and is not issued by the SOA
                  continue; // pick next AC
                }
              }catch(Exception e){
                //error occurs, we just ignore and search for the next one
                lastError=lastError==null ? e : new issrg.utils.ExceptionPairException(lastError, e);
                continue;
              }
            
              selfSignedExists = true;
              signatureVerified = false;
              if (SV!=null) {
                try{
                  if (!SV.checkSignature(ac.getToBeSignedByteArray(byteAC), 
                                       (byte[])ac.getSignatureValue().getValue(), 
                                       ac.getSignatureAlgorithm().getAlgorithm().getID(),
                                       soaTokenLocator)) continue;
                }catch(PbaException pe){
                  lastError=lastError==null ? (Exception)pe : (Exception)new issrg.utils.ExceptionPairException(lastError, pe);
                  continue;
                }
              }

              signatureVerified = true;

              policyAttrExists = false;
            
              java.util.Vector attributes = ac.getACInfo().getAttributes();
              for (int j=attributes.size(); j-->0; ){
                issrg.ac.Attribute a = (issrg.ac.Attribute)attributes.get(j);
                if (a.getType().intern() == issrg.ac.attributes.PMIXMLPolicy.PMI_XML_POLICY_ATTRIBUTE_OID){   // a-ha! :-)
                    policyAttrExists = true;
                    correctPolicyOID = false;
                    
                    java.util.Vector values = a.getValues();
                    for (int k=values.size(); k-->0; ){ // looking for the needed Policy there
                        try{
                            issrg.ac.attributes.PMIXMLPolicy pmiPolicy = new issrg.ac.attributes.PMIXMLPolicy((issrg.ac.AttributeValue)values.get(k));
                            pp = new issrg.pba.rbac.xmlpolicy.XMLPolicyParser(removeSystemTag(pmiPolicy.getPolicy()));
                            if (pp.getPolicyID().intern()==policyOID){
                                correctPolicyOID = true;
                                break policy_found;
                            }
                        }catch (Throwable th){
                            lastError=lastError==null ? th : new issrg.utils.ExceptionPairException(lastError, th);
                        }
                    }
                    
                }
                pp=null;
              }
            }

            if (!correctPolicyOID) message = "No valid AC with a pmiXMLPolicy attribute has a policy with OID "+policyOID;
            if (!policyAttrExists) message = "Found no valid AC with a pmiXMLPolicy attribute";
            if (!signatureVerified) message = "Signature verification failed on all self-signed ACs";
            if (!selfSignedExists) message = "Found no self-signed AC (issuer=holder=SOA)";
          }

          if (pp==null){ // then there was some error during processing the bunch of ACs
            throw new PbaException(message, lastError);
          }
        
          this.parsedPolicy=pp;

          // added for MSoD
          if (pp.getMSoDSet() != null)          {
              RetainedADI retainedADI = new RetainedADI(); // to be initialised further by logs 
              sawsServer = new SAWSServer(1); 
		      msodPolicySet = new issrg.pba.rbac.policies.MSoDPolicySet(pp.getMSoDSet(), retainedADI, sawsServer, pp); 
          }

          allocationPolicy=new issrg.pba.rbac.policies.AllocationPolicy(pp.getAssignmentRules());

          //The following was changed for MSoD  ***************************
          if (msodPolicySet == null) 
            accessPolicy = new issrg.pba.rbac.policies.AccessPolicy(pp.getAccessRules());
          else 
            accessPolicy = new issrg.pba.rbac.policies.AccessPolicy(pp.getAccessRules(), msodPolicySet);


        }catch (Throwable th){
            throw new PbaException("Could not initialise", th);
        }
    }
}

⌨️ 快捷键说明

复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?