From 03d4206918ca3db9554e78bf8070a11503f083d9 Mon Sep 17 00:00:00 2001 From: wbauer Date: Wed, 3 Sep 2008 12:59:26 +0000 Subject: Added skeleton for the access controller classes. git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@8 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../egiz/bku/accesscontroller/AccessChecker.java | 7 +++ .../bku/accesscontroller/AccessCheckerContext.java | 27 ++++++++ .../accesscontroller/AccessControllerFactory.java | 39 ++++++++++++ .../at/gv/egiz/bku/accesscontroller/Action.java | 19 ++++++ .../bku/accesscontroller/AuthenticationClass.java | 21 +++++++ .../accesscontroller/AuthenticationClassifier.java | 63 +++++++++++++++++++ .../gv/egiz/bku/accesscontroller/ChainChecker.java | 71 ++++++++++++++++++++++ .../gv/egiz/bku/accesscontroller/ChainResult.java | 32 ++++++++++ .../gv/egiz/bku/accesscontroller/RuleChecker.java | 69 +++++++++++++++++++++ .../gv/egiz/bku/accesscontroller/RuleResult.java | 16 +++++ .../gv/egiz/bku/accesscontroller/UserAction.java | 20 ++++++ 11 files changed, 384 insertions(+) create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java create mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java (limited to 'bkucommon/src/main') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java new file mode 100644 index 00000000..81bf1795 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java @@ -0,0 +1,7 @@ +package at.gv.egiz.bku.accesscontroller; + +import at.gv.egiz.bku.slexceptions.SLException; + +public interface AccessChecker { + public ChainResult check(AccessCheckerContext checkCtx) throws SLException; +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java new file mode 100644 index 00000000..1206c022 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java @@ -0,0 +1,27 @@ +package at.gv.egiz.bku.accesscontroller; + +import at.gv.egiz.bku.slcommands.SLCommand; + +public class AccessCheckerContext { + private SLCommand command; + private AuthenticationClass authenticationClass; + private String peerUrl; + + public AccessCheckerContext(SLCommand cmd, AuthenticationClass ac, String url) { + this.command = cmd; + this.authenticationClass = ac; + this.peerUrl = url; + } + + public SLCommand getCommand() { + return command; + } + + public AuthenticationClass getAuthenticationClass() { + return authenticationClass; + } + + public String getPeerUrl() { + return peerUrl; + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java new file mode 100644 index 00000000..9b3e563d --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java @@ -0,0 +1,39 @@ +package at.gv.egiz.bku.accesscontroller; + +import java.util.Hashtable; + +public class AccessControllerFactory { + + private static AccessControllerFactory instance; + + private Hashtable chainTable = new Hashtable(); + + private AccessControllerFactory() { + } + + public static AccessControllerFactory getInstance() { + return instance; + } + + /** + * + * @param id + * @return null if there is no chain with this id. + */ + public ChainChecker getChainChecker(String id) { + return chainTable.get(id); + } + + public ChainChecker createChainChecker(String id, boolean register) { + ChainChecker cc = new ChainChecker(id); + if (register) { + chainTable.put(id, cc); + } + return cc; + } + + public void registerChainChecker(ChainChecker cc) { + chainTable.put(cc.getId(), cc); + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java new file mode 100644 index 00000000..11a22c99 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java @@ -0,0 +1,19 @@ +package at.gv.egiz.bku.accesscontroller; + +public enum Action { + ALLOW("allow"), DENY("deny"); + private String name; + + Action(String name) { + this.name = name; + } + + public static Action fromString(String s) { + for (Action ac : values()) { + if (ac.name.equals(s)) { + return ac; + } + } + return null; + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java new file mode 100644 index 00000000..4d58df78 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java @@ -0,0 +1,21 @@ +package at.gv.egiz.bku.accesscontroller; + +public enum AuthenticationClass { + ANONYMOUS("anonymous"), PSEUDO_ANONYMOUS("pseudoanonymous"), CERTIFIED( + "certified"), CERTIFIED_GOV_AGENCY("certifiedGovAgency"); + + private String name; + + AuthenticationClass(String name) { + this.name = name; + } + + public static AuthenticationClass fromString(String s) { + for (AuthenticationClass ac : values()) { + if (ac.name.equals(s)) { + return ac; + } + } + return null; + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java new file mode 100644 index 00000000..2e856f06 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java @@ -0,0 +1,63 @@ +package at.gv.egiz.bku.accesscontroller; + +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS; +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED; +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS; +import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED_GOV_AGENCY; + +import java.net.InetAddress; +import java.net.URL; +import java.net.UnknownHostException; +import java.security.cert.X509Certificate; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +public class AuthenticationClassifier { + private static AuthenticationClassifier instance = new AuthenticationClassifier(); + private static Log log = LogFactory.getLog(AuthenticationClassifier.class); + private final static String GOV_DOMAIN = ".gv.at"; + + private AuthenticationClassifier() { + } + + /** + * Client Certificates are currently not supported + * + */ + protected AuthenticationClass getMyAuthenticationClass(boolean isDataUrl, + URL url, X509Certificate cert) { + if (isDataUrl) { + if (url.getProtocol().equalsIgnoreCase("https")) { + try { + if (InetAddress.getByName(url.getHost()).getCanonicalHostName() + .endsWith(GOV_DOMAIN)) { + return CERTIFIED_GOV_AGENCY; + } + } catch (UnknownHostException e) { + log.error("Cannot determine host name", e); + } + if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) { + return CERTIFIED_GOV_AGENCY; + } + return CERTIFIED; + } else { + return PSEUDO_ANONYMOUS; + } + } else { + return ANONYMOUS; + } + } + + /** + * + * @param isDataUrl + * @param url if the url's protocol is https a cert parameter must be provided. + * @param cert + * @return + */ + public static AuthenticationClass getAuthenticationClass(boolean isDataUrl, + URL url, X509Certificate cert) { + return instance.getMyAuthenticationClass(isDataUrl, url, cert); + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java new file mode 100644 index 00000000..242d9b02 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java @@ -0,0 +1,71 @@ +package at.gv.egiz.bku.accesscontroller; + +import java.util.LinkedList; +import java.util.List; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.slexceptions.SLException; + +public class ChainChecker implements AccessChecker { + private static Log log = LogFactory.getLog(ChainChecker.class); + + private String id; + private List rules = new LinkedList(); + + /** + * + * @param id must not be null + */ + public ChainChecker(String id) { + if (id == null) { + throw new NullPointerException("Id argument must not be null"); + } + this.id = id; + } + + + public String getId() { + return id; + } + + public void addRule(RuleChecker rule) { + if (rule != null) { + rules.add(rule); + } + } + + @Override + public ChainResult check(AccessCheckerContext checkCtx) throws SLException { + log.debug("Processing chain: "+id); + for (RuleChecker rule : rules) { + log.trace("Checking rule: "+rule.getId()); + RuleResult result = rule.check(checkCtx); + if (result.matchFound()) { + log.debug("Found matching rule: "+rule.getId()); + if (result.getDelegateChainId() != null) { + // process chain + ChainChecker cc = AccessControllerFactory.getInstance().getChainChecker(result.getDelegateChainId()); + if (cc == null) { + log.error("Cannot delegate to chain. Unknown chain id: "+result.getDelegateChainId()); + throw new SLException(4000); + } + ChainResult cr = cc.check(checkCtx); + if (cr.matchFound()) { + return cr; + } + // if chain does not contain matching rule + // cont. here. + } else { + return result; + } + } + } + log.debug("Did not find a matching rule here"); + return new ChainResult(null, null, false); + } + + + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java new file mode 100644 index 00000000..a534f4e5 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java @@ -0,0 +1,32 @@ +package at.gv.egiz.bku.accesscontroller; + +/** + * Result of the access controller + * + */ +public class ChainResult { + private UserAction userAction; + private Action action; + private boolean matchFound; + + public ChainResult(Action action, UserAction userAction, boolean matchFound) { + this.action = action; + this.userAction = userAction; + } + + public Action getAction() { + return action; + } + + public UserAction getUserAction() { + return userAction; + } + + /** + * + * @return true if a matching rule has been found + */ + public boolean matchFound() { + return matchFound; + } +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java new file mode 100644 index 00000000..bf46034d --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java @@ -0,0 +1,69 @@ +package at.gv.egiz.bku.accesscontroller; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.slexceptions.SLRuntimeException; + +public class RuleChecker implements AccessChecker { + + private static Log log = LogFactory.getLog(RuleChecker.class); + + public static enum PEER_TYPE {HOST, IP, URL}; + + protected String id; + protected AuthenticationClass authenticationClass; + protected String commandName; + protected String peerId; + protected PEER_TYPE peerType; + protected Action action; + protected UserAction userAction; + + public RuleChecker(String id) { + if (id == null) { + throw new NullPointerException("Id argument must not be null"); + } + this.id = id; + } + + public void setAuthenticationClass(String ac) { + AuthenticationClass tmp = AuthenticationClass.fromString(ac); + if (tmp == null) { + throw new SLRuntimeException("Unknown authentication class "+ac); + } + authenticationClass = tmp; + } + + public void setAction(String ac) { + Action tmp = Action.fromString(ac); + if (tmp == null) { + throw new SLRuntimeException("Unknown action "+ac); + } + action = tmp; + } + + public void setUserAction(String uac) { + UserAction tmp = UserAction.fromString(uac); + if (tmp == null) { + throw new SLRuntimeException("Unknown user action "+uac); + } + userAction = tmp; + } + + public void setPeerId(String peerId, PEER_TYPE type) { + this.peerType = type; + this.peerId = peerId; + } + + public String getId() { + return id; + } + + @Override + public RuleResult check(AccessCheckerContext checkCtx) { + log.debug("Processing rule: "+id); + // TODO Auto-generated method stub + return null; + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java new file mode 100644 index 00000000..26f42db0 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java @@ -0,0 +1,16 @@ +package at.gv.egiz.bku.accesscontroller; + + +public class RuleResult extends ChainResult { + private String chainId; + + public RuleResult(Action action, UserAction userAction, boolean matchFound, String chainId) { + super(action, userAction, matchFound); + this.chainId = chainId; + } + + public String getDelegateChainId() { + return chainId; + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java new file mode 100644 index 00000000..307ec1e5 --- /dev/null +++ b/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java @@ -0,0 +1,20 @@ +package at.gv.egiz.bku.accesscontroller; + +public enum UserAction { + NONE("none"), INFO("info"), CONFIRM("confirm"), CONFIRM_WITH_SECRET("confirmWithSecret"); + + private String name; + + UserAction(String name) { + this.name = name; + } + + public static UserAction fromString(String s) { + for (UserAction ac : values()) { + if (ac.name.equals(s)) { + return ac; + } + } + return null; + } +} -- cgit v1.2.3