| author | wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2008-09-03 12:59:26 +0000 | 
|---|---|---|
| committer | wbauer <wbauer@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2008-09-03 12:59:26 +0000 | 
| commit | 03d4206918ca3db9554e78bf8070a11503f083d9 (patch) | |
| tree | 4ca483cfa96bb7808aeb0ecdf08e9eb2211e5d0c /bkucommon/src | |
| parent | c88d1b43311a2dd4636088d9cdef988bce3f611b (diff) | |
Added skeleton for the access controller classes.
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@8 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'bkucommon/src')
11 files changed, 384 insertions, 0 deletions
| diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java
new file mode 100644
index 00000000..81bf1795
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java
@@ -0,0 +1,7 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +import at.gv.egiz.bku.slexceptions.SLException;
 +
 +public interface AccessChecker {
 +	public ChainResult check(AccessCheckerContext checkCtx) throws SLException;
 +}
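Review bot: The interface's only method carries no Javadoc, so the contract that `ChainChecker` already depends on — a non-null result whose `matchFound()` is false when no rule applied — is implicit and easy to violate, as the `RuleChecker` stub in this same commit does. Add Javadoc along the lines of `/** Evaluates this checker against checkCtx. @return never null; matchFound() is false when no rule applied. @throws SLException if the check cannot be carried out */`. The `public` modifier on the interface method is redundant and can be dropped.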
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java
new file mode 100644
index 00000000..1206c022
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java
@@ -0,0 +1,27 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +import at.gv.egiz.bku.slcommands.SLCommand;
 +
 +public class AccessCheckerContext {
 +	private SLCommand command;
 +	private AuthenticationClass authenticationClass;
 +	private String peerUrl;
 +
 +	public AccessCheckerContext(SLCommand cmd, AuthenticationClass ac, String url) {
 +		this.command = cmd;
 +		this.authenticationClass = ac;
 +		this.peerUrl = url;
 +	}
 +
 +	public SLCommand getCommand() {
 +		return command;
 +	}
 +
 +	public AuthenticationClass getAuthenticationClass() {
 +		return authenticationClass;
 +	}
 +
 +	public String getPeerUrl() {
 +		return peerUrl;
 +	}
 +}
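Review bot: The three fields are assigned only in the constructor and read through getters, so they should be `private final`; a context object handed to every access checker is clearer when the type itself states it cannot change after construction. The constructor also accepts null for `cmd`, `ac` and `url` without comment, while `ChainChecker`'s constructor rejects a null id with a NullPointerException; either document which of the three may be null (presumably `peerUrl` when there is no peer — confirm) or validate them the same way.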
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java
new file mode 100644
index 00000000..9b3e563d
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java
@@ -0,0 +1,39 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +import java.util.Hashtable;
 +
 +public class AccessControllerFactory {
 +
 +	private static AccessControllerFactory instance;
 +
 +	private Hashtable<String, ChainChecker> chainTable = new Hashtable<String, ChainChecker>();
 +
 +	private AccessControllerFactory() {
 +	}
 +
 +	public static AccessControllerFactory getInstance() {
 +		return instance;
 +	}
 +
 +	/**
 +	 * 
 +	 * @param id
 +	 * @return null if there is no chain with this id.
 +	 */
 +	public ChainChecker getChainChecker(String id) {
 +		return chainTable.get(id);
 +	}
 +
 +	public ChainChecker createChainChecker(String id, boolean register) {
 +		ChainChecker cc = new ChainChecker(id);
 +		if (register) {
 +			chainTable.put(id, cc);
 +		}
 +		return cc;
 +	}
 +
 +	public void registerChainChecker(ChainChecker cc) {
 +		chainTable.put(cc.getId(), cc);
 +	}
 +
 +}
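Review bot: `instance` is declared on the `private static AccessControllerFactory instance;` line but never assigned, and the only constructor is private, so `getInstance()` always returns null; `ChainChecker.check` dereferences that return value whenever a rule delegates to another chain and will fail with a NullPointerException. Initialise it eagerly, `private static final AccessControllerFactory instance = new AccessControllerFactory();`, as `AuthenticationClassifier` in this commit already does. `createChainChecker` with `register` set and `registerChainChecker` also silently replace a chain already registered under the same id; for an access-control registry it is worth logging, or rejecting, such an overwrite so a duplicated id in the configuration does not quietly change which chain gets consulted.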
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java
new file mode 100644
index 00000000..11a22c99
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java
@@ -0,0 +1,19 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +public enum Action {
 +	ALLOW("allow"), DENY("deny");
 +	private String name;
 +
 +	Action(String name) {
 +		this.name = name;
 +	}
 +
 +	public static Action fromString(String s) {
 +		for (Action ac : values()) {
 +			if (ac.name.equals(s)) {
 +				return ac;
 +			}
 +		}
 +		return null;
 +	}
 +}
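Review bot: `fromString` returns null for an unknown name, and the same lookup is repeated verbatim in `AuthenticationClass.fromString` and `UserAction.fromString` later in this commit, yet none of the three documents the null return that every caller in `RuleChecker` has to remember to check. Add `/** @return the constant whose configured name equals {@code s}, or null if none matches */` to all three. The `name` field is never reassigned and should be `private final String name;`.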
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java
new file mode 100644
index 00000000..4d58df78
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java
@@ -0,0 +1,21 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +public enum AuthenticationClass {
 +	ANONYMOUS("anonymous"), PSEUDO_ANONYMOUS("pseudoanonymous"), CERTIFIED(
 +			"certified"), CERTIFIED_GOV_AGENCY("certifiedGovAgency");
 +
 +	private String name;
 +
 +	AuthenticationClass(String name) {
 +		this.name = name;
 +	}
 +
 +	public static AuthenticationClass fromString(String s) {
 +		for (AuthenticationClass ac : values()) {
 +			if (ac.name.equals(s)) {
 +				return ac;
 +			}
 +		}
 +		return null;
 +	}
 +}
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
new file mode 100644
index 00000000..2e856f06
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
@@ -0,0 +1,63 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS;
 +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED;
 +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS;
 +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED_GOV_AGENCY;
 +
 +import java.net.InetAddress;
 +import java.net.URL;
 +import java.net.UnknownHostException;
 +import java.security.cert.X509Certificate;
 +
 +import org.apache.commons.logging.Log;
 +import org.apache.commons.logging.LogFactory;
 +
 +public class AuthenticationClassifier {
 +	private static AuthenticationClassifier instance = new AuthenticationClassifier();
 +	private static Log log = LogFactory.getLog(AuthenticationClassifier.class);
 +	private final static String GOV_DOMAIN = ".gv.at";
 +
 +	private AuthenticationClassifier() {
 +	}
 +
 +	/**
 +	 * Client Certificates are currently not supported
 +	 * 
 +	 */
 +	protected AuthenticationClass getMyAuthenticationClass(boolean isDataUrl,
 +			URL url, X509Certificate cert) {
 +		if (isDataUrl) {
 +			if (url.getProtocol().equalsIgnoreCase("https")) {
 +				try {
 +					if (InetAddress.getByName(url.getHost()).getCanonicalHostName()
 +							.endsWith(GOV_DOMAIN)) {
 +						return CERTIFIED_GOV_AGENCY;
 +					}
 +				} catch (UnknownHostException e) {
 +					log.error("Cannot determine host name", e);
 +				}
 +				if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
 +					return CERTIFIED_GOV_AGENCY;
 +				}
 +				return CERTIFIED;
 +			} else {
 +				return PSEUDO_ANONYMOUS;
 +			}
 +		} else {
 +			return ANONYMOUS;
 +		}
 +	}
 +
 +	/**
 +	 * 
 +	 * @param isDataUrl
 +	 * @param url if the url's protocol is https a cert parameter must be provided.
 +	 * @param cert
 +	 * @return
 +	 */
 +	public static AuthenticationClass getAuthenticationClass(boolean isDataUrl,
 +			URL url, X509Certificate cert) {
 +		return instance.getMyAuthenticationClass(isDataUrl, url, cert);
 +	}
 +}
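Review bot: In `getMyAuthenticationClass` the CERTIFIED_GOV_AGENCY decision is taken first from `InetAddress.getByName(url.getHost()).getCanonicalHostName().endsWith(GOV_DOMAIN)`, i.e. from forward and reverse DNS answers, which is not something the peer proves cryptographically the way the presented certificate is; the `cert.getExtensionValue(...)` test that follows is the one bound to the TLS identity, so it should be the authoritative check and the host-name heuristic at most a documented fallback (whether `url` can be attacker-supplied is not visible here — confirm). The Javadoc on `getAuthenticationClass` says a cert must be provided for https URLs, but nothing enforces it and a null `cert` reaches `cert.getExtensionValue` and fails with a NullPointerException; add `if (cert == null) { throw new IllegalArgumentException("cert is required for https URLs"); }` before the DNS lookup. The extension OID `"1.2.40.0.10.1.1.1"` should be a named constant with a comment naming the extension it denotes, e.g. `private static final String GOV_AGENCY_EXT_OID = "1.2.40.0.10.1.1.1";`. Note also that a failed reverse lookup is logged at error level and then silently falls through to the certificate path, which is reasonable but deserves a one-line comment saying it is intended.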
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java
new file mode 100644
index 00000000..242d9b02
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java
@@ -0,0 +1,71 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +import java.util.LinkedList;
 +import java.util.List;
 +
 +import org.apache.commons.logging.Log;
 +import org.apache.commons.logging.LogFactory;
 +
 +import at.gv.egiz.bku.slexceptions.SLException;
 +
 +public class ChainChecker implements AccessChecker {
 +	private static Log log = LogFactory.getLog(ChainChecker.class);
 +	
 +	private String id;
 +	private List<RuleChecker> rules = new LinkedList<RuleChecker>();
 +	
 +	/**
 +	 * 
 +	 * @param id must not be null
 +	 */
 +	public ChainChecker(String id) {
 +		if (id == null) {
 +			throw new NullPointerException("Id argument must not be null");
 +		}
 +		this.id = id;
 +	}
 +	
 +
 +	public String getId() {
 +		return id;
 +	}
 +
 +	public void addRule(RuleChecker rule) {
 +		if (rule != null) {
 +			rules.add(rule);
 +		}
 +	}
 +
 +	@Override
 +	public ChainResult check(AccessCheckerContext checkCtx) throws SLException {
 +		log.debug("Processing chain: "+id);
 +		for (RuleChecker rule : rules) {
 +			log.trace("Checking rule: "+rule.getId());
 +			RuleResult result = rule.check(checkCtx);
 +			if (result.matchFound()) {
 +				log.debug("Found matching rule: "+rule.getId());
 +				if (result.getDelegateChainId() != null) {
 +					// process chain
 +					ChainChecker cc = AccessControllerFactory.getInstance().getChainChecker(result.getDelegateChainId());
 +					if (cc == null) {
 +						log.error("Cannot delegate to chain. Unknown chain id: "+result.getDelegateChainId());
 +						throw new SLException(4000);
 +					}
 +					ChainResult cr = cc.check(checkCtx);
 +					if (cr.matchFound()) {
 +						return cr;
 +					}
 +					// if chain does not contain matching rule
 +					// cont. here.		
 +					} else {
 +						return result;
 +					}
 +			}
 +		}
 +		log.debug("Did not find a matching rule here");
 +		return new ChainResult(null, null, false);
 +	}
 +
 +	
 +	
 +}
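Review bot: `check` has no guard against delegation cycles: when a rule's `getDelegateChainId()` names a chain that, directly or through further delegation, leads back to this chain, the recursion through `cc.check(checkCtx)` never terminates and ends in a StackOverflowError, so a mis-configured rule set takes the whole access controller down. Track the chain ids on the current delegation path and fail the check when one is re-entered, as sketched below (needs `java.util.Set` and `java.util.HashSet` imports); the public `check` remains the interface entry point. Separately, the `} else {` following the `// cont. here.` comment is indented one level too deep, which hides that it pairs with `if (result.getDelegateChainId() != null)`. The "no matching rule" result `new ChainResult(null, null, false)` carries a null action, so the caller has to treat it as a deny; a comment stating that expectation here would help.
```java
	@Override
	public ChainResult check(AccessCheckerContext checkCtx) throws SLException {
		return check(checkCtx, new HashSet<String>());
	}

	/**
	 * Evaluates this chain for checkCtx.
	 *
	 * @param visited ids of the chains already entered on the current
	 *        delegation path; re-entering one of them would recurse forever.
	 */
	ChainResult check(AccessCheckerContext checkCtx, Set<String> visited) throws SLException {
		if (!visited.add(id)) {
			log.error("Delegation cycle detected at chain: " + id);
			throw new SLException(4000);
		}
		try {
			log.debug("Processing chain: " + id);
			for (RuleChecker rule : rules) {
				// … unchanged: rule check, match logging, delegate chain lookup …
				ChainResult cr = cc.check(checkCtx, visited);
				// … unchanged: return cr on match, otherwise continue with the next rule …
			}
			log.debug("Did not find a matching rule here");
			return new ChainResult(null, null, false);
		} finally {
			// leave the path clean so a later rule may delegate to the same chain again
			visited.remove(id);
		}
	}
```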
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java
new file mode 100644
index 00000000..a534f4e5
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java
@@ -0,0 +1,32 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +/**
 + * Result of the access controller
 + * 
 + */
 +public class ChainResult {
 +	private UserAction userAction;
 +	private Action action;
 +	private boolean matchFound;
 +
 +	public ChainResult(Action action, UserAction userAction, boolean matchFound) {
 +		this.action = action;
 +		this.userAction = userAction;
 +	}
 +	
 +	public Action getAction() {
 +		return action;
 +	}
 +
 +	public UserAction getUserAction() {
 +		return userAction;
 +	}
 +	
 +	/**
 +	 * 
 +	 * @return true if a matching rule has been found
 +	 */
 +	public boolean matchFound() {
 +		return matchFound;
 +	}
 +}
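Review bot: The constructor stores `action` and `userAction` but never assigns `matchFound`, so `matchFound()` always returns false whatever the caller passed; `ChainChecker.check` relies on it and would never see a matching rule nor a successful delegation. Add `this.matchFound = matchFound;` to the constructor. Nothing mutates the three fields after construction, so they can be declared `final`, which would also have made the compiler flag the missing assignment.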
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java
new file mode 100644
index 00000000..bf46034d
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java
@@ -0,0 +1,69 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +import org.apache.commons.logging.Log;
 +import org.apache.commons.logging.LogFactory;
 +
 +import at.gv.egiz.bku.slexceptions.SLRuntimeException;
 +
 +public class RuleChecker implements AccessChecker {
 +	
 +	private static Log log = LogFactory.getLog(RuleChecker.class);
 +	
 +	public static enum PEER_TYPE {HOST, IP, URL};
 +
 +	protected String id;
 +	protected AuthenticationClass authenticationClass;
 +	protected String commandName;
 +	protected String peerId;
 +	protected PEER_TYPE peerType;
 +	protected Action action;
 +	protected UserAction userAction;
 +
 +	public RuleChecker(String id) {
 +		if (id == null) {
 +			throw new NullPointerException("Id argument must not be null");
 +		}
 +		this.id = id;
 +	}
 +
 +	public void setAuthenticationClass(String ac) {
 +		AuthenticationClass tmp = AuthenticationClass.fromString(ac); 
 +		if (tmp == null) {
 +			throw new SLRuntimeException("Unknown authentication class "+ac);
 +		}
 +		authenticationClass = tmp;
 +	}
 +	
 +	public void setAction(String ac) {
 +		Action tmp = Action.fromString(ac);
 +		if (tmp == null) {
 +			throw new SLRuntimeException("Unknown action "+ac);
 +		}
 +		action = tmp;
 +	}
 +	
 +	public void setUserAction(String uac) {
 +		 UserAction tmp = UserAction.fromString(uac);
 +		if (tmp == null) {
 +			throw new SLRuntimeException("Unknown user action "+uac);
 +		}
 +		userAction = tmp;
 +	}
 +	
 +	public void setPeerId(String peerId, PEER_TYPE type) {
 +		this.peerType = type;
 +		this.peerId = peerId;
 +	}
 +	
 +	public String getId() {
 +		return id;
 +	}
 +
 +	@Override
 +	public RuleResult check(AccessCheckerContext checkCtx) {
 +		log.debug("Processing rule: "+id);
 +		// TODO Auto-generated method stub
 +		return null;
 +	}
 +
 +}
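Review bot: `check` is a stub that returns null, and `ChainChecker.check` calls `result.matchFound()` on whatever it returns, so any chain containing a rule fails with a NullPointerException until this is implemented; a skeleton should return a non-matching result, `return new RuleResult(null, null, false, null);`, so the chain falls through safely. `setPeerId` accepts a null `type` or `peerId` without the validation the other setters perform; consider the same `SLRuntimeException` treatment so a rule cannot be registered half-configured. The nested enum `PEER_TYPE` should be named `PeerType` per Java convention, and the `protected` fields have no reason to be wider than `private` unless subclassing is planned.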
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java
new file mode 100644
index 00000000..26f42db0
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java
@@ -0,0 +1,16 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +
 +public class RuleResult extends ChainResult {
 +	private String chainId;
 +	
 +	public RuleResult(Action action, UserAction userAction, boolean matchFound, String chainId) {
 +		super(action, userAction, matchFound);
 +		this.chainId = chainId;
 +	}
 +
 +	public String getDelegateChainId() {
 +		return chainId;
 +	}
 +
 +}
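Review bot: `getDelegateChainId` returning null is what `ChainChecker.check` uses to decide that the rule's own action applies instead of delegating, but nothing on this class says so; add Javadoc `/** @return id of the chain to delegate to, or null if this rule's action applies directly */`. `chainId` is never reassigned and can be `private final`.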
 diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java
new file mode 100644
index 00000000..307ec1e5
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java
@@ -0,0 +1,20 @@
+package at.gv.egiz.bku.accesscontroller;
 +
 +public enum UserAction {
 +	NONE("none"), INFO("info"), CONFIRM("confirm"), CONFIRM_WITH_SECRET("confirmWithSecret");
 +	
 +	private String name;
 +
 +	UserAction(String name) {
 +		this.name = name;
 +	}
 +
 +	public static UserAction fromString(String s) {
 +		for (UserAction ac : values()) {
 +			if (ac.name.equals(s)) {
 +				return ac;
 +			}
 +		}
 +		return null;
 +	}
 +}
