simpleaclaccessservice.java

JXTA&#8482 is a set of open, generalized peer-to-peer (P2P) protocols that allow any networked devi

/*
 * Copyright (c) 2003-2007 Sun Microsystems, Inc.  All rights reserved.
 *  
 *  The Sun Project JXTA(TM) Software License
 *  
 *  Redistribution and use in source and binary forms, with or without 
 *  modification, are permitted provided that the following conditions are met:
 *  
 *  1. Redistributions of source code must retain the above copyright notice,
 *     this list of conditions and the following disclaimer.
 *  
 *  2. Redistributions in binary form must reproduce the above copyright notice, 
 *     this list of conditions and the following disclaimer in the documentation 
 *     and/or other materials provided with the distribution.
 *  
 *  3. The end-user documentation included with the redistribution, if any, must 
 *     include the following acknowledgment: "This product includes software 
 *     developed by Sun Microsystems, Inc. for JXTA(TM) technology." 
 *     Alternately, this acknowledgment may appear in the software itself, if 
 *     and wherever such third-party acknowledgments normally appear.
 *  
 *  4. The names "Sun", "Sun Microsystems, Inc.", "JXTA" and "Project JXTA" must 
 *     not be used to endorse or promote products derived from this software 
 *     without prior written permission. For written permission, please contact 
 *     Project JXTA at http://www.jxta.org.
 *  
 *  5. Products derived from this software may not be called "JXTA", nor may 
 *     "JXTA" appear in their name, without prior written permission of Sun.
 *  
 *  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
 *  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 
 *  FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SUN 
 *  MICROSYSTEMS OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 
 *  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 
 *  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, 
 *  OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
 *  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
 *  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 
 *  EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *  
 *  JXTA is a registered trademark of Sun Microsystems, Inc. in the United 
 *  States and other countries.
 *  
 *  Please see the license information page at :
 *  <http://www.jxta.org/project/www/license.html> for instructions on use of 
 *  the license in source files.
 *  
 *  ====================================================================
 *  
 *  This software consists of voluntary contributions made by many individuals 
 *  on behalf of Project JXTA. For more information on Project JXTA, please see 
 *  http://www.jxta.org.
 *  
 *  This license is based on the BSD license adopted by the Apache Foundation. 
 */

package net.jxta.impl.access.simpleACL;


import java.net.URI;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;

import java.net.URISyntaxException;

import java.util.logging.Logger;
import java.util.logging.Level;
import net.jxta.logging.Logging;

import net.jxta.access.AccessService;
import net.jxta.credential.Credential;
import net.jxta.credential.PrivilegedOperation;
import net.jxta.document.Advertisement;
import net.jxta.document.Attributable;
import net.jxta.document.Attribute;
import net.jxta.document.Element;
import net.jxta.document.MimeMediaType;
import net.jxta.document.StructuredDocument;
import net.jxta.document.StructuredDocumentFactory;
import net.jxta.document.StructuredDocumentUtils;
import net.jxta.document.TextElement;
import net.jxta.exception.PeerGroupException;
import net.jxta.exception.JxtaError;
import net.jxta.id.ID;
import net.jxta.id.IDFactory;
import net.jxta.peergroup.PeerGroup;
import net.jxta.platform.ModuleSpecID;
import net.jxta.protocol.ModuleImplAdvertisement;
import net.jxta.protocol.PeerGroupAdvertisement;
import net.jxta.service.Service;


/**
 * Implements the {@link net.jxta.access.AccessService} using a simple ACL
 * scheme.
 *
 * <p/>The ACL table is read from the group advertisement. Each
 * <code>perm</code> entry of the Access Service parameters in the group adv is
 * assumed to be a permission in the following format:
 *
 * <p/><pre>
 *    &lt;operation> ":" ( &lt;identity> )* ( "," &lt;identity> )*
 * </pre>
 *
 * <p/>A sample ACL table extracted from a PeerGroupAdvertisement:
 *
 * <p/><pre>
 * ...
 * &lt;Svc>
 *   &lt;MCID>urn:jxta:uuid-DEADBEEFDEAFBABAFEEDBABE0000001005&lt;/MCID>
 *   &lt;Parm>
 *     &lt;perm>&amp;lt;&amp;lt;DEFAULT>>:nobody,permit&lt;/perm>
 *     &lt;perm>everyone:&amp;lt;&amp;lt;ALL>>&lt;/perm>
 *     &lt;perm>permit:nobody,permit,allow&lt;/perm>
 *     &lt;perm>deny:notpermit,notallow&lt;/perm>
 *   &lt;/Parm>
 * &lt;/Svc>
 * ...
 * </pre>
 *
 * <p/>If <code>&lt;&lt;ALL>></code> is provided as an identity then the
 * operation is permitted for all valid credentials.
 *
 * <p/>if <code>&lt;&lt;DEFAULT>></code> is provided as an operation then the
 * provided identities will be allowed for all operations which are not
 * recognized.
 *
 * <p/><strong>This implementation makes <em>no effort</em> to ensure that the
 * permission table has not been altered. It is <em>not appropriate</em> for use
 * in security sensitive deployments unless the integrity of the group
 * advertisement is ensured.</strong>
 *
 * @see net.jxta.access.AccessService
 **/
public class SimpleACLAccessService implements AccessService {
    
    /**
     *  Logger.
     **/
    private final static Logger LOG = Logger.getLogger(SimpleACLAccessService.class.getName());
    
    /**
     * Well known access specification identifier: the simple ACL access service
     **/
    public static final ModuleSpecID simpleACLAccessSpecID = (ModuleSpecID)
            ID.create(URI.create("urn:jxta:uuid-DeadBeefDeafBabaFeedBabe000000100206"));
    
    /**
     *  Operation for the Always Access Service.
     **/
    private static class SimpleACLOperation implements PrivilegedOperation {
        
        SimpleACLAccessService source;
        
        String op;
        
        Credential offerer;
        
        protected SimpleACLOperation(SimpleACLAccessService source, String op, Credential offerer) {
            this.source = source;
            this.op = op;
            this.offerer = offerer;
        }
        
        protected SimpleACLOperation(SimpleACLAccessService source, Element root) {
            this.source = source;
            initialize(root);
        }
        
        /**
         * {@inheritDoc}
         **/
        public ID getPeerGroupID() {
            return source.getPeerGroup().getPeerGroupID();
        }
        
        /**
         * {@inheritDoc}
         **/
        public ID getPeerID() {
            return null;
        }
        
        /**
         * {@inheritDoc}
         *
         * <p/>AlwaysOperation are always valid.
         **/
        public boolean isExpired() {
            return false;
        }
        
        /**
         * {@inheritDoc}
         *
         * <p/>AlwaysOperation are always valid.
         **/
        public boolean isValid() {
            return true;
        }
        
        /**
         * {@inheritDoc}
         **/
        public String getSubject() {
            return op;
        }
        
        /**
         * {@inheritDoc}
         **/
        public Service getSourceService() {
            return source;
        }
        
        /**
         * {@inheritDoc}
         **/
        public StructuredDocument getDocument(MimeMediaType as) throws Exception {
            StructuredDocument doc = StructuredDocumentFactory.newStructuredDocument(as, "jxta:Cred");
            
            if (doc instanceof Attributable) {
                ((Attributable) doc).addAttribute("xmlns:jxta", "http://jxta.org");
                ((Attributable) doc).addAttribute("xml:space", "preserve");
                ((Attributable) doc).addAttribute("type", "jxta:SimpleACLOp");
            }
            
            Element e = doc.createElement("PeerGroupID", getPeerGroupID().toString());

            doc.appendChild(e);
            
            e = doc.createElement("Operation", op);
            doc.appendChild(e);
            
            StructuredDocumentUtils.copyElements(doc, doc, offerer.getDocument(as), "Offerer");
            
            return doc;
        }
        
        /**
         * {@inheritDoc}
         **/
        public Credential getOfferer() {
            return offerer;
        }
        
        /**
         *  Process an individual element from the document.
         *
         *  @param elem the element to be processed.
         *  @return true if the element was recognized, otherwise false.
         **/
        protected boolean handleElement(TextElement elem) {
            if (elem.getName().equals("PeerGroupID")) {
                try {
                    URI gID = new URI(elem.getTextValue().trim());
                    ID pgid = IDFactory.fromURI(gID);

                    if (!pgid.equals(getPeerGroupID())) {