📄 rolebasedacparser.java
字号:
/*
* Copyright (c) 2000-2005, University of Salford
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* Neither the name of the University of Salford nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
package issrg.pba.rbac.x509;
import issrg.ac.Extension;
import issrg.ac.attributes.BasicAttConstraint;
import issrg.ac.attributes.AttributeAuthorityInformationAccess;
import issrg.ac.attributes.NoAssertion;
import issrg.pba.ParsedToken;
import issrg.pba.DefaultParsedToken;
import issrg.pba.DefaultDelegatableToken;
import issrg.pba.rbac.LDAPDNPrincipal;
import issrg.pba.rbac.SignatureVerifier;
import issrg.pba.rbac.policies.Subtree;
import issrg.pba.rbac.policies.DITSubtree;
import issrg.pba.rbac.x509.ACUserEntry;
import issrg.utils.repository.TokenLocator;
import issrg.utils.repository.Entry;
import issrg.pba.repository.EntryLocator;
import issrg.pba.rbac.policies.SimpleEntry;
import issrg.pba.rbac.PermisRBAC;
import issrg.utils.repository.AttributeRepository;
import java.security.Principal;
import java.util.Vector;
/**
* This is the implementation of the AuthTokenParser that extracts Roles from
* the Attribute Certificates as defined by the Policy.
*
* <p>This is the default AuthTokenParser used by PERMIS, when X.509 flavour is
* configured in using issrg.pba.rbac.CustomisePERMIS.configureX509Flavour
* method.
*
* @author A Otenko
* @version 1.0
*/
public class RoleBasedACParser implements issrg.pba.rbac.RoleBasedAuthTokenParser {
/**
* This is the default constructor. If you instantiate the RoleBasedACParser
* using this constructor, the code will fail to decode any Attribute
* Certificates until the Role Hierarchy is set by setRoleHierarchy method.
*/
public RoleBasedACParser(){}
issrg.pba.rbac.RoleHierarchyPolicy roleHierarchy = null;
private static final issrg.pba.Credentials NullCreds=new issrg.pba.rbac.SetOfSubsetsCredentials();
private SignatureVerifier SV = null;
/**
* The constructor uses the Role Hierarchy policy and the Signature
* Verifier to subsequently decode the Attribute Certificates. If Signature
* Verifier is specified, it will be used to validate digital signatures on
* the ACs; otherwise signature verification will be ignored (e.g. for
* testing purposes - not recommended for real life deployments).
*
* @param rhpn is the RoleHierarchyPolicy used to decode the role values in
* the Attribute Certificates; can't be null
* @param signatureVerifier will be used to validate digital signatures;
* if null, no signature verification will be performed (NOT RECOMMENDED
* FOR REAL DEPLOYMENT AS INSECURE!)
*/
public RoleBasedACParser(issrg.pba.rbac.RoleHierarchyPolicy rhpn, SignatureVerifier signatureVerifier ) {
setRoleHierarchy(rhpn);
setSignatureVerifier(signatureVerifier);
}
/**
* The constructor takes the Map of Assignment Rules, as returned by the
* PolicyParser and the Signature Verifier, which can be null.
* The Map of Assignment Rules must contain a RoleHierarchyPolicy under
* the key
* issrg.pba.rbac.RoleHierarchyPolicy.class.
*
* @param m is the map of assignment rules to use
* @param signatureVerifier will be used to validate digital signatures;
* if null, no signature verification will be performed (NOT RECOMMENDED
* FOR REAL DEPLOYMENT AS INSECURE!)
*/
public RoleBasedACParser(java.util.Map m, SignatureVerifier signatureVerifier){
setAuthTokenParsingRules(m);
setSignatureVerifier(signatureVerifier);
}
/**
* This method returns the Authorisation Token Parsing Rules, as a Map with
* a single entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class and
* the value being the RoleHierarchyPolicy used by this RoleBasedACParser.
*
* @return Map of rules; this implementation fills a single entry with the
* key issrg.pba.rbac.RoleHierarchyPolicy.class and the value being the
* RoleHierarchyPolicy; if the RoleHierarchyPolicy has not been set,
* the Map does not contain any entries
*/
public java.util.Map getAuthTokenParsingRules(){
java.util.Map m = new java.util.Hashtable();
if (roleHierarchy!=null) m.put(issrg.pba.rbac.RoleHierarchyPolicy.class, roleHierarchy);
return m;
}
/**
* This method sets the SignatureVerifier to be used to validate the X.509
* Attribute Certificates.
*
* @param signatureVerifier is the SignatureVerifier used to validate the
* ACs; if null, no signature verification will be performed (SHOULD NOT
* BE USED IN PRODUCTION SCENARIOS!)
*/
public void setSignatureVerifier(SignatureVerifier signatureVerifier){
this.SV = signatureVerifier;
}
/**
* This method returns the SignatureVerifier used by this RoleBasedACParser.
*
* @return SignatureVerifier used by this RoleBasedACParser, or null, if
* no signature verification is being performed.
*/
public SignatureVerifier getSignatureVerifier(){
return SV;
}
/**
* This method sets the Authorisation Token Parsing Rules. It should
* contain a issrg.pba.rbac.RoleHierarchyPolicy in the entry
* with the key issrg.pba.rbac.RoleHierarchyPolicy.class.
*
* @param m - the Map of rules with a RoleHierarchyPolicy inside
*/
public void setAuthTokenParsingRules(java.util.Map m){
setRoleHierarchy((issrg.pba.rbac.RoleHierarchyPolicy) m.get(issrg.pba.rbac.RoleHierarchyPolicy.class));
}
/**
* This method sets the Authorisation Token Parsing Rules by directly
* specifying the Role Hierarchy to be used.
*
* @param rhpn - the RoleHierarchyPolicy to be used; if null, decoding the
* ACs will always fail
*/
public void setRoleHierarchy(issrg.pba.rbac.RoleHierarchyPolicy rhpn){
//System.out.println("got parsing rules: "+rhpn);//*********
//System.out.println("the rules: "+rhpn);//*********
roleHierarchy = rhpn;
}
/**
* This method decodes a given Attribute Certificate. The Object is a byte
* array of the
* BER-encoded X.509 Attribute Certificate
*
* <p>First it is seen if the Authorisation Token is an X.509 Attribute
* Certificate. If there is no SignatureVerifier provided,
* the next stage is skipped; otherwise the digital signature on it is
* verified using the
* Signature Verifier provided at construction time or by calling the
* setSignatureVerifier method. If this fails, a
* SignatureVerificationFailedException is thrown with the would-be-valid
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -