summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java7
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java27
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java39
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java19
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java21
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java63
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java71
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java32
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java69
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java16
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java20
11 files changed, 384 insertions, 0 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java
new file mode 100644
index 00000000..81bf1795
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java
@@ -0,0 +1,7 @@
+package at.gv.egiz.bku.accesscontroller;
+
+import at.gv.egiz.bku.slexceptions.SLException;
+
+public interface AccessChecker {
+ public ChainResult check(AccessCheckerContext checkCtx) throws SLException;
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java
new file mode 100644
index 00000000..1206c022
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java
@@ -0,0 +1,27 @@
+package at.gv.egiz.bku.accesscontroller;
+
+import at.gv.egiz.bku.slcommands.SLCommand;
+
+public class AccessCheckerContext {
+ private SLCommand command;
+ private AuthenticationClass authenticationClass;
+ private String peerUrl;
+
+ public AccessCheckerContext(SLCommand cmd, AuthenticationClass ac, String url) {
+ this.command = cmd;
+ this.authenticationClass = ac;
+ this.peerUrl = url;
+ }
+
+ public SLCommand getCommand() {
+ return command;
+ }
+
+ public AuthenticationClass getAuthenticationClass() {
+ return authenticationClass;
+ }
+
+ public String getPeerUrl() {
+ return peerUrl;
+ }
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java
new file mode 100644
index 00000000..9b3e563d
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java
@@ -0,0 +1,39 @@
+package at.gv.egiz.bku.accesscontroller;
+
+import java.util.Hashtable;
+
+public class AccessControllerFactory {
+
+ private static AccessControllerFactory instance;
+
+ private Hashtable<String, ChainChecker> chainTable = new Hashtable<String, ChainChecker>();
+
+ private AccessControllerFactory() {
+ }
+
+ public static AccessControllerFactory getInstance() {
+ return instance;
+ }
+
+ /**
+ *
+ * @param id
+ * @return null if there is no chain with this id.
+ */
+ public ChainChecker getChainChecker(String id) {
+ return chainTable.get(id);
+ }
+
+ public ChainChecker createChainChecker(String id, boolean register) {
+ ChainChecker cc = new ChainChecker(id);
+ if (register) {
+ chainTable.put(id, cc);
+ }
+ return cc;
+ }
+
+ public void registerChainChecker(ChainChecker cc) {
+ chainTable.put(cc.getId(), cc);
+ }
+
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java
new file mode 100644
index 00000000..11a22c99
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java
@@ -0,0 +1,19 @@
+package at.gv.egiz.bku.accesscontroller;
+
+public enum Action {
+ ALLOW("allow"), DENY("deny");
+ private String name;
+
+ Action(String name) {
+ this.name = name;
+ }
+
+ public static Action fromString(String s) {
+ for (Action ac : values()) {
+ if (ac.name.equals(s)) {
+ return ac;
+ }
+ }
+ return null;
+ }
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java
new file mode 100644
index 00000000..4d58df78
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java
@@ -0,0 +1,21 @@
+package at.gv.egiz.bku.accesscontroller;
+
+public enum AuthenticationClass {
+ ANONYMOUS("anonymous"), PSEUDO_ANONYMOUS("pseudoanonymous"), CERTIFIED(
+ "certified"), CERTIFIED_GOV_AGENCY("certifiedGovAgency");
+
+ private String name;
+
+ AuthenticationClass(String name) {
+ this.name = name;
+ }
+
+ public static AuthenticationClass fromString(String s) {
+ for (AuthenticationClass ac : values()) {
+ if (ac.name.equals(s)) {
+ return ac;
+ }
+ }
+ return null;
+ }
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
new file mode 100644
index 00000000..2e856f06
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java
@@ -0,0 +1,63 @@
+package at.gv.egiz.bku.accesscontroller;
+
+import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS;
+import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED;
+import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS;
+import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED_GOV_AGENCY;
+
+import java.net.InetAddress;
+import java.net.URL;
+import java.net.UnknownHostException;
+import java.security.cert.X509Certificate;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+public class AuthenticationClassifier {
+ private static AuthenticationClassifier instance = new AuthenticationClassifier();
+ private static Log log = LogFactory.getLog(AuthenticationClassifier.class);
+ private final static String GOV_DOMAIN = ".gv.at";
+
+ private AuthenticationClassifier() {
+ }
+
+ /**
+ * Client Certificates are currently not supported
+ *
+ */
+ protected AuthenticationClass getMyAuthenticationClass(boolean isDataUrl,
+ URL url, X509Certificate cert) {
+ if (isDataUrl) {
+ if (url.getProtocol().equalsIgnoreCase("https")) {
+ try {
+ if (InetAddress.getByName(url.getHost()).getCanonicalHostName()
+ .endsWith(GOV_DOMAIN)) {
+ return CERTIFIED_GOV_AGENCY;
+ }
+ } catch (UnknownHostException e) {
+ log.error("Cannot determine host name", e);
+ }
+ if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) {
+ return CERTIFIED_GOV_AGENCY;
+ }
+ return CERTIFIED;
+ } else {
+ return PSEUDO_ANONYMOUS;
+ }
+ } else {
+ return ANONYMOUS;
+ }
+ }
+
+ /**
+ *
+ * @param isDataUrl
+ * @param url if the url's protocol is https a cert parameter must be provided.
+ * @param cert
+ * @return
+ */
+ public static AuthenticationClass getAuthenticationClass(boolean isDataUrl,
+ URL url, X509Certificate cert) {
+ return instance.getMyAuthenticationClass(isDataUrl, url, cert);
+ }
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java
new file mode 100644
index 00000000..242d9b02
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java
@@ -0,0 +1,71 @@
+package at.gv.egiz.bku.accesscontroller;
+
+import java.util.LinkedList;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import at.gv.egiz.bku.slexceptions.SLException;
+
+public class ChainChecker implements AccessChecker {
+ private static Log log = LogFactory.getLog(ChainChecker.class);
+
+ private String id;
+ private List<RuleChecker> rules = new LinkedList<RuleChecker>();
+
+ /**
+ *
+ * @param id must not be null
+ */
+ public ChainChecker(String id) {
+ if (id == null) {
+ throw new NullPointerException("Id argument must not be null");
+ }
+ this.id = id;
+ }
+
+
+ public String getId() {
+ return id;
+ }
+
+ public void addRule(RuleChecker rule) {
+ if (rule != null) {
+ rules.add(rule);
+ }
+ }
+
+ @Override
+ public ChainResult check(AccessCheckerContext checkCtx) throws SLException {
+ log.debug("Processing chain: "+id);
+ for (RuleChecker rule : rules) {
+ log.trace("Checking rule: "+rule.getId());
+ RuleResult result = rule.check(checkCtx);
+ if (result.matchFound()) {
+ log.debug("Found matching rule: "+rule.getId());
+ if (result.getDelegateChainId() != null) {
+ // process chain
+ ChainChecker cc = AccessControllerFactory.getInstance().getChainChecker(result.getDelegateChainId());
+ if (cc == null) {
+ log.error("Cannot delegate to chain. Unknown chain id: "+result.getDelegateChainId());
+ throw new SLException(4000);
+ }
+ ChainResult cr = cc.check(checkCtx);
+ if (cr.matchFound()) {
+ return cr;
+ }
+ // if chain does not contain matching rule
+ // cont. here.
+ } else {
+ return result;
+ }
+ }
+ }
+ log.debug("Did not find a matching rule here");
+ return new ChainResult(null, null, false);
+ }
+
+
+
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java
new file mode 100644
index 00000000..a534f4e5
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java
@@ -0,0 +1,32 @@
+package at.gv.egiz.bku.accesscontroller;
+
+/**
+ * Result of the access controller
+ *
+ */
+public class ChainResult {
+ private UserAction userAction;
+ private Action action;
+ private boolean matchFound;
+
+ public ChainResult(Action action, UserAction userAction, boolean matchFound) {
+ this.action = action;
+ this.userAction = userAction;
+ }
+
+ public Action getAction() {
+ return action;
+ }
+
+ public UserAction getUserAction() {
+ return userAction;
+ }
+
+ /**
+ *
+ * @return true if a matching rule has been found
+ */
+ public boolean matchFound() {
+ return matchFound;
+ }
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java
new file mode 100644
index 00000000..bf46034d
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java
@@ -0,0 +1,69 @@
+package at.gv.egiz.bku.accesscontroller;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import at.gv.egiz.bku.slexceptions.SLRuntimeException;
+
+public class RuleChecker implements AccessChecker {
+
+ private static Log log = LogFactory.getLog(RuleChecker.class);
+
+ public static enum PEER_TYPE {HOST, IP, URL};
+
+ protected String id;
+ protected AuthenticationClass authenticationClass;
+ protected String commandName;
+ protected String peerId;
+ protected PEER_TYPE peerType;
+ protected Action action;
+ protected UserAction userAction;
+
+ public RuleChecker(String id) {
+ if (id == null) {
+ throw new NullPointerException("Id argument must not be null");
+ }
+ this.id = id;
+ }
+
+ public void setAuthenticationClass(String ac) {
+ AuthenticationClass tmp = AuthenticationClass.fromString(ac);
+ if (tmp == null) {
+ throw new SLRuntimeException("Unknown authentication class "+ac);
+ }
+ authenticationClass = tmp;
+ }
+
+ public void setAction(String ac) {
+ Action tmp = Action.fromString(ac);
+ if (tmp == null) {
+ throw new SLRuntimeException("Unknown action "+ac);
+ }
+ action = tmp;
+ }
+
+ public void setUserAction(String uac) {
+ UserAction tmp = UserAction.fromString(uac);
+ if (tmp == null) {
+ throw new SLRuntimeException("Unknown user action "+uac);
+ }
+ userAction = tmp;
+ }
+
+ public void setPeerId(String peerId, PEER_TYPE type) {
+ this.peerType = type;
+ this.peerId = peerId;
+ }
+
+ public String getId() {
+ return id;
+ }
+
+ @Override
+ public RuleResult check(AccessCheckerContext checkCtx) {
+ log.debug("Processing rule: "+id);
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java
new file mode 100644
index 00000000..26f42db0
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java
@@ -0,0 +1,16 @@
+package at.gv.egiz.bku.accesscontroller;
+
+
+public class RuleResult extends ChainResult {
+ private String chainId;
+
+ public RuleResult(Action action, UserAction userAction, boolean matchFound, String chainId) {
+ super(action, userAction, matchFound);
+ this.chainId = chainId;
+ }
+
+ public String getDelegateChainId() {
+ return chainId;
+ }
+
+}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java
new file mode 100644
index 00000000..307ec1e5
--- /dev/null
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java
@@ -0,0 +1,20 @@
+package at.gv.egiz.bku.accesscontroller;
+
+public enum UserAction {
+ NONE("none"), INFO("info"), CONFIRM("confirm"), CONFIRM_WITH_SECRET("confirmWithSecret");
+
+ private String name;
+
+ UserAction(String name) {
+ this.name = name;
+ }
+
+ public static UserAction fromString(String s) {
+ for (UserAction ac : values()) {
+ if (ac.name.equals(s)) {
+ return ac;
+ }
+ }
+ return null;
+ }
+}