From 2f029b9cb3ebc11abe28e0b2801bacc40cb584b1 Mon Sep 17 00:00:00 2001 From: wbauer Date: Wed, 3 Sep 2008 15:19:48 +0000 Subject: Just a backup of updated accesscontroller files git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@12 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../accesscontroller/AccessControllerFactory.java | 68 ++++++++++++- .../gv/egiz/bku/accesscontroller/ChainResult.java | 1 + .../bku/accesscontroller/InfoboxRuleChecker.java | 14 +++ .../gv/egiz/bku/accesscontroller/RuleChecker.java | 112 ++++++++++++++++++--- .../gv/egiz/bku/accesscontroller/ConfigTest.java | 17 ++++ .../egiz/bku/accesscontroller/RuleCheckerTest.java | 87 ++++++++++++++++ .../bku/accesscontroller/AccessControlConfig.xml | 78 ++++++++++++++ 7 files changed, 361 insertions(+), 16 deletions(-) create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java create mode 100644 bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/ConfigTest.java create mode 100644 bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/RuleCheckerTest.java create mode 100644 bkucommon/src/test/resources/at/gv/egiz/bku/accesscontroller/AccessControlConfig.xml diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java index 9b3e563d..3b75a5f2 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java @@ -1,10 +1,38 @@ package at.gv.egiz.bku.accesscontroller; +import java.io.InputStream; import java.util.Hashtable; +import java.util.List; + +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Unmarshaller; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.accesscontrol.config.AccessControl; +import at.gv.egiz.bku.accesscontrol.config.Chain; +import at.gv.egiz.bku.accesscontrol.config.Command; +import at.gv.egiz.bku.accesscontrol.config.ObjectFactory; +import at.gv.egiz.bku.accesscontrol.config.Rule; +import at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandImpl; +import at.gv.egiz.bku.slexceptions.SLRuntimeException; public class AccessControllerFactory { - private static AccessControllerFactory instance; + private static AccessControllerFactory instance = new AccessControllerFactory(); + private static Log log = LogFactory.getLog(AccessControllerFactory.class); + private static JAXBContext jaxbContext; + + static { + try { + jaxbContext = JAXBContext.newInstance(ObjectFactory.class.getPackage() + .getName()); + } catch (JAXBException e) { + log.fatal("Cannot init jaxbContext", e); + } + } private Hashtable chainTable = new Hashtable(); @@ -35,5 +63,43 @@ public class AccessControllerFactory { public void registerChainChecker(ChainChecker cc) { chainTable.put(cc.getId(), cc); } + + public RuleChecker createRuleChecker(Rule rule) { + RuleChecker rc; + Command cmd = rule.getCommand(); + if (cmd != null) { + if ((cmd.getParam() != null) && (cmd.getParam().size()>0)) { + if (cmd.getName().startsWith("Infobox")) { + rc = new InfoboxRuleChecker(rule.getId()); + } else { + throw new SLRuntimeException("Cannot handle parameters for command "+cmd.getName()); + } + } else { + rc = new RuleChecker(rule.getId()); + } + } else { + rc = new RuleChecker(rule.getId()); + } + // FIXME TODO cont. here + + + return rc; + } + + + public void init(InputStream is) throws JAXBException { + Unmarshaller unmarshaller = jaxbContext.createUnmarshaller(); + AccessControl ac = (AccessControl) unmarshaller.unmarshal(is); + List chainList = ac.getChains().getChain(); + log.debug("Found "+chainList.size()+" chains in config"); + for (Chain chain : chainList) { + List ruleList = chain.getRules().getRule(); + log.debug("Found "+ruleList.size()+" rules in chain "+chain.getId()); + for (Rule rule : ruleList) { + //rule.g + } + } + + } } diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java index a534f4e5..a8fb789e 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java @@ -12,6 +12,7 @@ public class ChainResult { public ChainResult(Action action, UserAction userAction, boolean matchFound) { this.action = action; this.userAction = userAction; + this.matchFound = matchFound; } public Action getAction() { diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java new file mode 100644 index 00000000..2981d24e --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxRuleChecker.java @@ -0,0 +1,14 @@ +package at.gv.egiz.bku.accesscontroller; + +/** + * Adds infobox parameter checks + * @author wbauer + * + */ +public class InfoboxRuleChecker extends RuleChecker { + + public InfoboxRuleChecker(String id) { + super(id); + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java index bf46034d..c59f5b70 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java @@ -1,23 +1,36 @@ package at.gv.egiz.bku.accesscontroller; +import java.net.InetAddress; +import java.net.MalformedURLException; +import java.net.URL; +import java.net.UnknownHostException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import at.gv.egiz.bku.slcommands.SLCommand; import at.gv.egiz.bku.slexceptions.SLRuntimeException; public class RuleChecker implements AccessChecker { - + private static Log log = LogFactory.getLog(RuleChecker.class); - - public static enum PEER_TYPE {HOST, IP, URL}; + + public static enum PEER_TYPE { + HOST, IP, URL + }; protected String id; protected AuthenticationClass authenticationClass; protected String commandName; + protected Pattern commandNamePattern; protected String peerId; + protected Pattern peerIdPattern; protected PEER_TYPE peerType; protected Action action; protected UserAction userAction; + protected String chainId; public RuleChecker(String id) { if (id == null) { @@ -27,43 +40,112 @@ public class RuleChecker implements AccessChecker { } public void setAuthenticationClass(String ac) { - AuthenticationClass tmp = AuthenticationClass.fromString(ac); + AuthenticationClass tmp = AuthenticationClass.fromString(ac); if (tmp == null) { - throw new SLRuntimeException("Unknown authentication class "+ac); + throw new SLRuntimeException("Unknown authentication class " + ac); } authenticationClass = tmp; } - + public void setAction(String ac) { Action tmp = Action.fromString(ac); if (tmp == null) { - throw new SLRuntimeException("Unknown action "+ac); + throw new SLRuntimeException("Unknown action " + ac); } action = tmp; } - + public void setUserAction(String uac) { - UserAction tmp = UserAction.fromString(uac); + UserAction tmp = UserAction.fromString(uac); if (tmp == null) { - throw new SLRuntimeException("Unknown user action "+uac); + throw new SLRuntimeException("Unknown user action " + uac); } userAction = tmp; } - + + public void setChainId(String chainId) { + this.chainId = chainId; + } + public void setPeerId(String peerId, PEER_TYPE type) { this.peerType = type; this.peerId = peerId; + peerIdPattern = Pattern.compile(peerId); } - + + public void setCommandName(String commandName) { + this.commandName = commandName; + commandNamePattern = Pattern.compile(commandName); + } + public String getId() { return id; } + protected boolean matchAuthenticationClass(AuthenticationClass cls) { + if (this.authenticationClass == null) { + return true; + } + return this.authenticationClass.compareTo(cls) <= 0; + } + + protected boolean matchCommandName(SLCommand cmd) { + if (commandName == null) { + return true; + } + Matcher matcher = commandNamePattern.matcher(cmd.getName()); + return matcher.matches(); + } + + protected boolean matchPeerId(String peerUrl) { + if (peerId == null) { + return true; + } + if (peerType == PEER_TYPE.URL) { + Matcher matcher = peerIdPattern.matcher(peerUrl); + return matcher.matches(); + } else { + try { + URL url = new URL(peerUrl); + if (peerType == PEER_TYPE.HOST) { + try { + String host = url.getHost(); + String hostName = InetAddress.getByName(host).getCanonicalHostName(); + Matcher matcher = peerIdPattern.matcher(hostName); + return matcher.matches(); + } catch (UnknownHostException e) { + log.error("Cannot resolve hostname", e); + return false; + } + } else { + try { + String hostAddr = InetAddress.getByName(url.getHost()) + .getHostAddress(); + Matcher matcher = peerIdPattern.matcher(hostAddr); + return matcher.matches(); + } catch (UnknownHostException e) { + log.error("Cannot resolve host address", e); + return false; + } + } + } catch (MalformedURLException e) { + log.error("Cannot parse url", e); + return false; + } + } + } + @Override public RuleResult check(AccessCheckerContext checkCtx) { - log.debug("Processing rule: "+id); - // TODO Auto-generated method stub - return null; + log.debug("Processing rule: " + id); + if (matchAuthenticationClass(checkCtx.getAuthenticationClass()) + && matchCommandName(checkCtx.getCommand()) + && matchPeerId(checkCtx.getPeerUrl())) { + log.debug("Match found for rule: " + id); + return new RuleResult(action, userAction, true, chainId); + } + log.debug("No match found for rule: " + id); + return new RuleResult(action, userAction, false, chainId); } } diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/ConfigTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/ConfigTest.java new file mode 100644 index 00000000..b53db264 --- /dev/null +++ b/bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/ConfigTest.java @@ -0,0 +1,17 @@ +package at.gv.egiz.bku.accesscontroller; + +import javax.xml.bind.JAXBException; + +import org.junit.Test; + +public class ConfigTest { + + public final static String RESOURCE = "at/gv/egiz/bku/accesscontroller/AccessControlConfig.xml"; + + @Test + public void testUnmarshall() throws JAXBException { + AccessControllerFactory.getInstance().init( + getClass().getClassLoader().getResourceAsStream(RESOURCE)); + } + +} diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/RuleCheckerTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/RuleCheckerTest.java new file mode 100644 index 00000000..88f1490c --- /dev/null +++ b/bkucommon/src/test/java/at/gv/egiz/bku/accesscontroller/RuleCheckerTest.java @@ -0,0 +1,87 @@ +package at.gv.egiz.bku.accesscontroller; + +import org.junit.Before; +import org.junit.Test; + +import at.gv.egiz.bku.accesscontroller.RuleChecker.PEER_TYPE; +import at.gv.egiz.bku.slcommands.impl.InfoboxReadCommandImpl; +import at.gv.egiz.bku.slcommands.impl.NullOperationCommandImpl; +import static org.junit.Assert.*; + +public class RuleCheckerTest { + + protected RuleChecker onlyAuthChecker; + protected RuleChecker onlyCmdChecker; + protected RuleChecker onlyPeerChecker; + + @Before + public void setUp() { + onlyAuthChecker = new RuleChecker("OnlyAuthChecker"); + onlyAuthChecker.setAction("allow"); + onlyAuthChecker.setUserAction("none"); + onlyAuthChecker.setAuthenticationClass("pseudoanonymous"); + onlyCmdChecker = new RuleChecker("OnlyCmdChecker"); + onlyCmdChecker.setAction("allow"); + onlyCmdChecker.setCommandName("InfoboxReadRequest"); + onlyPeerChecker = new RuleChecker("OnlyPeerChecker"); + onlyPeerChecker.setAction("allow"); + onlyPeerChecker.setPeerId("https://129.27.142..*", PEER_TYPE.URL); + } + + @Test + public void testAuthClass() { + AccessCheckerContext ctx = new AccessCheckerContext(null, + AuthenticationClass.ANONYMOUS, null); + RuleResult rr = onlyAuthChecker.check(ctx); + assertFalse(rr.matchFound()); + ctx = new AccessCheckerContext(null, AuthenticationClass.PSEUDO_ANONYMOUS, + null); + rr = onlyAuthChecker.check(ctx); + assertTrue(rr.matchFound()); + ctx = new AccessCheckerContext(null, AuthenticationClass.CERTIFIED, null); + rr = onlyAuthChecker.check(ctx); + assertTrue(rr.matchFound()); + } + + @Test + public void testCmd() { + AccessCheckerContext ctx = new AccessCheckerContext( + new InfoboxReadCommandImpl(), null, null); + RuleResult rr = onlyCmdChecker.check(ctx); + assertTrue(rr.matchFound()); + onlyCmdChecker.setCommandName("Info.*"); + rr = onlyCmdChecker.check(ctx); + assertTrue(rr.matchFound()); + ctx = new AccessCheckerContext(new NullOperationCommandImpl(), null, null); + rr = onlyCmdChecker.check(ctx); + assertFalse(rr.matchFound()); + onlyCmdChecker.setCommandName(".*"); + rr = onlyCmdChecker.check(ctx); + assertTrue(rr.matchFound()); + } + + @Test + public void testPeerId() { + AccessCheckerContext ctx = new AccessCheckerContext(null, null, + "https://129.27.142.20:80/index.html"); + RuleResult rr = onlyPeerChecker.check(ctx); + assertTrue(rr.matchFound()); + + ctx = new AccessCheckerContext(null, null, + "https://129.27.14.20:80/index.html"); + rr = onlyPeerChecker.check(ctx); + assertFalse(rr.matchFound()); + + onlyPeerChecker.setPeerId(".*.iaik..*", PEER_TYPE.HOST); + ctx = new AccessCheckerContext(null, null, + "https://129.27.142.20:80/index.html"); + rr = onlyPeerChecker.check(ctx); + assertTrue(rr.matchFound()); + + onlyPeerChecker.setPeerId("129.27.142..*", PEER_TYPE.IP); + ctx = new AccessCheckerContext(null, null, "https://www.iaik.tugraz.at:80/"); + rr = onlyPeerChecker.check(ctx); + assertTrue(rr.matchFound()); + } + +} diff --git a/bkucommon/src/test/resources/at/gv/egiz/bku/accesscontroller/AccessControlConfig.xml b/bkucommon/src/test/resources/at/gv/egiz/bku/accesscontroller/AccessControlConfig.xml new file mode 100644 index 00000000..2455d68d --- /dev/null +++ b/bkucommon/src/test/resources/at/gv/egiz/bku/accesscontroller/AccessControlConfig.xml @@ -0,0 +1,78 @@ + + + + + + + certifiedGovAgency + + + allow + + confirm + + + pseudoanonymous + + + Command + + none + + + anonymous + 127.0.0.1 + + Command + + none + + + anonymous + *.gv.at + + allow + + confirm + + + + + + + certified + + + IdentityLink + * + + + allow + + confirm + + + certified + https://finanzonline.bmf.gv.at/* + + Mandates + * + + + allow + + info + + + certified + + + + allow + + none + + + + + -- cgit v1.2.3