From 667af128d0adfeee2aa4748ab58411c91bc4905f Mon Sep 17 00:00:00 2001 
From: mcentner Date: Tue, 26 Jan 2010 16:27:04 +0000 Subject: git-svn-id: https://joinup.ec.europa.eu/svn/mocca/branches/mocca-1.2.11-sha2@600 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../egiz/bku/accesscontroller/AccessChecker.java | 23 --- .../bku/accesscontroller/AccessCheckerContext.java | 43 ----- .../accesscontroller/AccessControllerFactory.java | 153 ---------------- .../at/gv/egiz/bku/accesscontroller/Action.java | 35 ---- .../bku/accesscontroller/AuthenticationClass.java | 37 ---- .../accesscontroller/AuthenticationClassifier.java | 110 ----------- .../gv/egiz/bku/accesscontroller/ChainChecker.java | 91 --------- .../gv/egiz/bku/accesscontroller/ChainResult.java | 49 ----- .../bku/accesscontroller/CommandParamChecker.java | 68 ------- .../bku/accesscontroller/InfoboxParamChecker.java | 74 -------- .../gv/egiz/bku/accesscontroller/RuleChecker.java | 203 --------------------- .../gv/egiz/bku/accesscontroller/RuleResult.java | 32 ---- .../accesscontroller/SecurityManagerFacade.java | 118 ------------ .../gv/egiz/bku/accesscontroller/UserAction.java | 36 ---- 14 files changed, 1072 deletions(-) delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java 
delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java delete mode 100644 mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java (limited to 'mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller') diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java deleted file mode 100644 index d930c74e..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessChecker.java +++ /dev/null @@ -1,23 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -import at.gv.egiz.bku.slexceptions.SLException; - -public interface AccessChecker { - public ChainResult check(AccessCheckerContext checkCtx) throws SLException; -} 
diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java deleted file mode 100644 index 60935678..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessCheckerContext.java +++ /dev/null @@ -1,43 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -import at.gv.egiz.bku.slcommands.SLCommand; - -public class AccessCheckerContext { - private SLCommand command; - private AuthenticationClass authenticationClass; - private String peerUrl; - - public AccessCheckerContext(SLCommand cmd, AuthenticationClass ac, String url) { - this.command = cmd; - this.authenticationClass = ac; - this.peerUrl = url; - } - - public SLCommand getCommand() { - return command; - } - - public AuthenticationClass getAuthenticationClass() { - return authenticationClass; - } - - public String getPeerUrl() { - return peerUrl; - } -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java deleted file mode 100644 index 19fec084..00000000 
--- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AccessControllerFactory.java +++ /dev/null 
@@ -1,153 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -import java.io.InputStream; -import java.util.Hashtable; -import java.util.List; - -import javax.xml.bind.JAXBContext; -import javax.xml.bind.JAXBException; -import javax.xml.bind.Unmarshaller; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import at.gv.egiz.bku.accesscontrol.config.AccessControl; -import at.gv.egiz.bku.accesscontrol.config.Chain; -import at.gv.egiz.bku.accesscontrol.config.Command; -import at.gv.egiz.bku.accesscontrol.config.ObjectFactory; -import at.gv.egiz.bku.accesscontrol.config.Param; -import at.gv.egiz.bku.accesscontrol.config.Rule; -import at.gv.egiz.bku.accesscontroller.RuleChecker.PEER_TYPE; -import at.gv.egiz.bku.slexceptions.SLRuntimeException; - -public class AccessControllerFactory { - - private static AccessControllerFactory instance = new AccessControllerFactory(); - private static Log log = LogFactory.getLog(AccessControllerFactory.class); - private static JAXBContext jaxbContext; - public static String INPUT_CHAIN = "InputChain"; - public static String OUTPUT_CHAIN = "OutputChain"; - - static { - try { - jaxbContext = JAXBContext.newInstance(ObjectFactory.class.getPackage() - .getName()); - } catch (JAXBException e) { - log.fatal("Cannot init jaxbContext", e); - } - } - - private Hashtable 
chainTable = new Hashtable(); - - private AccessControllerFactory() { - } - - public static AccessControllerFactory getInstance() { - return instance; - } - - /** - * - * @param id - * @return null if there is no chain with this id. - */ - public ChainChecker getChainChecker(String id) { - return chainTable.get(id); - } - - public ChainChecker createChainChecker(String id, boolean register) { - ChainChecker cc = new ChainChecker(id); - if (register) { - chainTable.put(id, cc); - } - return cc; - } - - public void registerChainChecker(ChainChecker cc) { - chainTable.put(cc.getId(), cc); - } - - public CommandParamChecker createParamChecker(String cmd) { - if ((cmd != null) && (cmd.startsWith("Infobox"))) { - return new InfoboxParamChecker(); - } else { - return null; - } - } - - public RuleChecker createRuleChecker(Rule rule) { - RuleChecker rc; - rc = new RuleChecker(rule.getId()); - Command cmd = rule.getCommand(); - if (cmd != null) { - rc.setCommandName(cmd.getName()); - for (Param p : cmd.getParam()) { - rc.addParameter(p.getName(), p.getValue()); - } - } - rc.setAuthenticationClass(rule.getAuthClass()); - if (rule.getIPv4Address() != null) { - rc.setPeerId(rule.getIPv4Address(), PEER_TYPE.IP); - } else if (rule.getDomainName() != null) { - rc.setPeerId(rule.getDomainName(), PEER_TYPE.HOST); - } else if (rule.getURL() != null) { - rc.setPeerId(rule.getURL(), PEER_TYPE.URL); - } - rc.setAction(rule.getAction().getRuleAction()); - rc.setChainId(rule.getAction().getChainRef()); - rc.setUserAction(rule.getUserInteraction()); - return rc; - } - - public void init(InputStream is) throws JAXBException { - chainTable.clear(); - Unmarshaller unmarshaller = jaxbContext.createUnmarshaller(); - AccessControl ac = (AccessControl) unmarshaller.unmarshal(is); - List chainList = ac.getChains().getChain(); - log.debug("Found " + chainList.size() + " chains in config"); - for (Chain chain : chainList) { - log.trace("Creating chain: " + chain.getId()); - ChainChecker cc = 
createChainChecker(chain.getId(), false); - List ruleList = chain.getRules().getRule(); - log - .debug("Found " + ruleList.size() + " rules in chain " - + chain.getId()); - for (Rule rule : ruleList) { - log.trace("Creating rule: " + rule.getId()); - cc.addRule(createRuleChecker(rule)); - } - registerChainChecker(cc); - } - validate(); - } - - private void validate() { - for (ChainChecker chain : chainTable.values()) { - for (RuleChecker rule : chain.getRules()) { - if (rule.getChainId() != null) { - log.trace("Checking reference to chain: "+rule.getChainId()); - if (getChainChecker(rule.getChainId()) == null) { - throw new SLRuntimeException("Invalid reference to unknown chain: "+rule.getChainId()); - } - } - } - } - } - -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java deleted file mode 100644 index f3d15ad6..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/Action.java +++ /dev/null 
@@ -1,35 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -public enum Action { - ALLOW("allow"), DENY("deny"); - private String name; - - Action(String name) { - this.name = name; - } - - public static Action fromString(String s) { - for (Action ac : values()) { - if (ac.name.equals(s)) { - return ac; - } - } - return null; - } -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java deleted file mode 100644 index 3c442a6d..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClass.java +++ /dev/null 
@@ -1,37 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -public enum AuthenticationClass { - ANONYMOUS("anonymous"), PSEUDO_ANONYMOUS("pseudoanonymous"), CERTIFIED( - "certified"), CERTIFIED_GOV_AGENCY("certifiedGovAgency"); - - private String name; - - AuthenticationClass(String name) { - this.name = name; - } - - public static AuthenticationClass fromString(String s) { - for (AuthenticationClass ac : values()) { - if (ac.name.equals(s)) { - return ac; - } - } - return null; - } -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java deleted file mode 100644 index 61d3d7a5..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/AuthenticationClassifier.java +++ /dev/null 
@@ -1,110 +0,0 @@ -/* - * Copyright 2008 Federal Chancellery Austria and - * Graz University of Technology - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package at.gv.egiz.bku.accesscontroller; - -import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.ANONYMOUS; -import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED; -import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.CERTIFIED_GOV_AGENCY; -import static at.gv.egiz.bku.accesscontroller.AuthenticationClass.PSEUDO_ANONYMOUS; - -import java.net.URL; -import java.security.cert.CertificateParsingException; -import java.security.cert.X509Certificate; -import java.util.Collection; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -public class AuthenticationClassifier { - private static AuthenticationClassifier instance = new AuthenticationClassifier(); - private static Log log = LogFactory.getLog(AuthenticationClassifier.class); - private final static String GOV_DOMAIN = ".gv.at"; - - private AuthenticationClassifier() { - } - - public static boolean isGovAgency(X509Certificate cert) { - String[] rdns = (cert.getSubjectX500Principal().getName()).split(","); - for (String rdn : rdns) { - if (rdn.startsWith("CN=")) { - String dns = rdn.split("=")[1]; - log.trace("Analyzing cn dn: " + dns); - if (dns.endsWith(GOV_DOMAIN)) { - return true; - } - } - } - try { - Collection> sanList = 
cert.getSubjectAlternativeNames(); - if (sanList != null) { - for (List san : sanList) { - log.trace("Analyzing subj. alt name: " + san); - if ((Integer) san.get(0) == 2) { - String dns = (String) san.get(1); - if (dns.endsWith(GOV_DOMAIN)) { - return true; - } - } - } - } - } catch (CertificateParsingException e) { - log.error(e); - } - if ((cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) - || (cert.getExtensionValue("1.2.40.0.10.1.1.2") != null)) { - return true; - } - return false; - } - - /** - * Client Certificates are currently not supported - * - */ - protected AuthenticationClass getMyAuthenticationClass(boolean isDataUrl, - URL url, X509Certificate cert) { - if (isDataUrl) { - if (url.getProtocol().equalsIgnoreCase("https")) { - if (isGovAgency(cert)) { - return CERTIFIED_GOV_AGENCY; - } - if (cert.getExtensionValue("1.2.40.0.10.1.1.1") != null) { - return CERTIFIED_GOV_AGENCY; - } - return CERTIFIED; - } else { - return PSEUDO_ANONYMOUS; - } - } else { - return ANONYMOUS; - } - } - - /** - * - * @param isDataUrl - * @param url - * if the url's protocol is https a cert parameter must be provided. - * @param cert - * @return - */ - public static AuthenticationClass getAuthenticationClass(boolean isDataUrl, - URL url, X509Certificate cert) { - return instance.getMyAuthenticationClass(isDataUrl, url, cert); - } -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java deleted file mode 100644 index 716f81e4..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainChecker.java +++ /dev/null 
@@ -1,91 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -import java.util.Collections; -import java.util.LinkedList; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import at.gv.egiz.bku.slexceptions.SLException; - -public class ChainChecker implements AccessChecker { - private static Log log = LogFactory.getLog(ChainChecker.class); - - private String id; - private List rules = new LinkedList(); - - /** - * - * @param id must not be null - */ - public ChainChecker(String id) { - if (id == null) { - throw new NullPointerException("Id argument must not be null"); - } - this.id = id; - } - - - public String getId() { - return id; - } - - public void addRule(RuleChecker rule) { - if (rule != null) { - rules.add(rule); - } - } - - public List getRules() { - return Collections.unmodifiableList(rules); - } - - @Override - public ChainResult check(AccessCheckerContext checkCtx) throws SLException { - log.debug("Processing chain: "+id); - for (RuleChecker rule : rules) { - log.trace("Checking rule: "+rule.getId()); - RuleResult result = rule.check(checkCtx); - if (result.matchFound()) { - if (result.getDelegateChainId() != null) { - // process chain - ChainChecker cc = AccessControllerFactory.getInstance().getChainChecker(result.getDelegateChainId()); - if (cc == null) 
{ - log.error("Cannot delegate to chain. Unknown chain id: "+result.getDelegateChainId()); - throw new SLException(4000); - } - ChainResult cr = cc.check(checkCtx); - if (cr.matchFound()) { - return cr; - } - // if chain does not contain matching rule - // cont. here. - } else { - return result; - } - } - } - log.debug("Did not find a matching rule here"); - return new ChainResult(null, null, false); - } - - - -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java deleted file mode 100644 index a5547cab..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/ChainResult.java +++ /dev/null 
@@ -1,49 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -/** - * Result of the access controller - * - */ -public class ChainResult { - private UserAction userAction; - private Action action; - private boolean matchFound; - - public ChainResult(Action action, UserAction userAction, boolean matchFound) { - this.action = action; - this.userAction = userAction; - this.matchFound = matchFound; - } - - public Action getAction() { - return action; - } - - public UserAction getUserAction() { - return userAction; - } - - /** - * - * @return true if a matching rule has been found - */ - public boolean matchFound() { - return matchFound; - } -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java deleted file mode 100644 index 003eb2f7..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/CommandParamChecker.java +++ /dev/null 
@@ -1,68 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -import java.util.LinkedList; -import java.util.List; - -import at.gv.egiz.bku.slcommands.SLCommand; - -public abstract class CommandParamChecker { - - protected List> paramList = new LinkedList>(); - - public static class Tupel { - private T key; - private Q val; - - public Tupel(T key, Q val) { - if ((key == null) || (val == null)) { - throw new NullPointerException("Tupel key and value must not be null"); - } - this.key = key; - this.val = val; - } - - public T getKey() { - return key; - } - - public Q getVal() { - return val; - } - - @SuppressWarnings("unchecked") - public boolean equals(Object other) { - if (other instanceof Tupel) { - Tupel ot = (Tupel) other; - return (key.equals(ot.key) && val.equals(ot.val)); - } - return false; - } - - public int hashCode() { - return key.hashCode(); - } - } - - public void addParameter(String key, String value) { - paramList.add(new Tupel(key, value)); - } - - public abstract boolean checkParameter(SLCommand cmd); - -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java deleted file mode 100644 index 8fa328de..00000000 
--- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/InfoboxParamChecker.java +++ /dev/null 
@@ -1,74 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -import java.util.regex.Matcher; -import java.util.regex.Pattern; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import at.gv.egiz.bku.slcommands.InfoboxReadCommand; -import at.gv.egiz.bku.slcommands.SLCommand; -import at.gv.egiz.bku.slexceptions.SLRuntimeException; - -public class InfoboxParamChecker extends CommandParamChecker { - private static Log log = LogFactory.getLog(InfoboxParamChecker.class); - - public final static String INFOBOX_ID = "InfoboxIdentifier"; - public final static String PERSON_ID = "PersonIdentifier"; - public final static String DERIVED = "derived"; - - @Override - public boolean checkParameter(SLCommand cmd) { - if (paramList.size() == 0) { - return true; - } - - if (cmd instanceof InfoboxReadCommand) { - InfoboxReadCommand irc = (InfoboxReadCommand) cmd; - for (Tupel param : paramList) { - if (param.getKey().equals(INFOBOX_ID)) { - if (!param.getVal().equals(irc.getInfoboxIdentifier())) { - return false; - } - } else if (param.getKey().equals(PERSON_ID)) { - if (param.getVal().equals(DERIVED)) { - if (irc.getIdentityLinkDomainId() == null) { - return false; - } - } else { - Pattern p = Pattern.compile(param.getVal()); - Matcher m = p.matcher(irc.getIdentityLinkDomainId()); - if (!m.matches()) { - 
return false; - } - } - - } else { - throw new SLRuntimeException("Cannot handle parameter " - + param.getKey()); - } - } - return true; - } else { - log.error("Cannot handle parameter for command: " + cmd.getName()); - throw new SLRuntimeException("Cannot handle parameters for command: " - + cmd.getName()); - } - } -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java deleted file mode 100644 index 1cba89ef..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleChecker.java +++ /dev/null 
@@ -1,203 +0,0 @@ -/* -* Copyright 2008 Federal Chancellery Austria and -* Graz University of Technology -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ -package at.gv.egiz.bku.accesscontroller; - -import java.net.InetAddress; -import java.net.MalformedURLException; -import java.net.URL; -import java.net.UnknownHostException; -import java.util.regex.Matcher; -import java.util.regex.Pattern; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import at.gv.egiz.bku.slcommands.SLCommand; -import at.gv.egiz.bku.slexceptions.SLRuntimeException; - -public class RuleChecker implements AccessChecker { - - private static Log log = LogFactory.getLog(RuleChecker.class); - - public static enum PEER_TYPE { - HOST, IP, URL - }; - - protected String id; - protected AuthenticationClass authenticationClass; - protected String commandName; - protected Pattern commandNamePattern; - protected String peerId; - protected Pattern peerIdPattern; - protected PEER_TYPE peerType; - protected Action action; - protected UserAction userAction; - protected String chainId; - protected CommandParamChecker paramChecker; - - public RuleChecker(String id) { - if (id == null) { - throw new NullPointerException("Id argument must not be null"); - } - this.id = id; - } - - public void setAuthenticationClass(String ac) { - if (ac != null) { - AuthenticationClass tmp = AuthenticationClass.fromString(ac); - if (tmp == null) { - throw new SLRuntimeException("Unknown 
authentication class " + ac); - } - authenticationClass = tmp; - } - } - - public void setAction(String ac) { - if (ac != null) { - Action tmp = Action.fromString(ac); - if (tmp == null) { - throw new SLRuntimeException("Unknown action " + ac); - } - action = tmp; - } - } - - public void setUserAction(String uac) { - if (uac != null) { - UserAction tmp = UserAction.fromString(uac); - if (tmp == null) { - throw new SLRuntimeException("Unknown user action " + uac); - } - userAction = tmp; - } - } - - public void setChainId(String chainId) { - this.chainId = chainId; - } - - public void setPeerId(String peerId, PEER_TYPE type) { - this.peerType = type; - this.peerId = peerId; - peerIdPattern = Pattern.compile(peerId); - } - - public void setCommandName(String commandName) { - this.commandName = commandName; - commandNamePattern = Pattern.compile(commandName); - paramChecker = AccessControllerFactory.getInstance().createParamChecker( - commandName); - } - - /** - * Make sure to set the commandName first - * - * @param key - * @param value - */ - public void addParameter(String key, String value) { - if (paramChecker == null) { - throw new IllegalArgumentException("Cannot set parameters for command " - + commandName); - } - paramChecker.addParameter(key, value); - } - - public String getId() { - return id; - } - - protected boolean matchAuthenticationClass(AuthenticationClass cls) { - if ((this.authenticationClass == null) || (cls == null)) { - return true; - } - return this.authenticationClass.compareTo(cls) <= 0; - } - - protected boolean matchCommandName(SLCommand cmd) { - if ((commandName == null) || (cmd == null)) { - return true; - } - Matcher matcher = commandNamePattern.matcher(cmd.getName()); - if (matcher.matches()) { - if (paramChecker != null) { - return paramChecker.checkParameter(cmd); - } else { - return true; - } - } else { - return false; - } - } - - protected boolean matchPeerId(String peerUrl) { - if ((peerId == null) || (peerUrl == null)) { - return 
true; - } - if (peerType == PEER_TYPE.URL) { - Matcher matcher = peerIdPattern.matcher(peerUrl); - return matcher.matches(); - } else { - try { - URL url = new URL(peerUrl); - if (peerType == PEER_TYPE.HOST) { - try { - String host = url.getHost(); - String hostName = InetAddress.getByName(host) - .getCanonicalHostName(); - Matcher matcher = peerIdPattern.matcher(hostName); - return matcher.matches(); - } catch (UnknownHostException e) { - log.error("Cannot resolve hostname", e); - return false; - } - } else { - try { - String hostAddr = InetAddress.getByName(url.getHost()) - .getHostAddress(); - Matcher matcher = peerIdPattern.matcher(hostAddr); - return matcher.matches(); - } catch (UnknownHostException e) { - log.error("Cannot resolve host address", e); - return false; - } - } - } catch (MalformedURLException e) { - log.error("Cannot parse url", e); - return false; - } - } - } - - @Override - public RuleResult check(AccessCheckerContext checkCtx) { - log.debug("Processing rule: " + id); - if (matchAuthenticationClass(checkCtx.getAuthenticationClass()) - && matchCommandName(checkCtx.getCommand()) - && matchPeerId(checkCtx.getPeerUrl())) { - log.debug("Match found for rule: " + id); - return new RuleResult(action, userAction, true, chainId); - } - log.debug("No match found for rule: " + id); - return new RuleResult(action, userAction, false, chainId); - } - - public String getChainId() { - return chainId; - } - -} diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java deleted file mode 100644 index 706615c2..00000000 --- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/RuleResult.java +++ /dev/null 
@@ -1,32 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.bku.accesscontroller;
-
-
-public class RuleResult extends ChainResult {
- private String chainId;
-
- public RuleResult(Action action, UserAction userAction, boolean matchFound, String chainId) {
- super(action, userAction, matchFound);
- this.chainId = chainId;
- }
-
- public String getDelegateChainId() {
- return chainId;
- }
-
-}
diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java
deleted file mode 100644
index 482d3ecb..00000000
--- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/SecurityManagerFacade.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.bku.accesscontroller;
-
-import java.io.InputStream;
-
-import javax.xml.bind.JAXBException;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import at.gv.egiz.bku.slcommands.SLCommand;
-import at.gv.egiz.bku.slcommands.SLSourceContext;
-import at.gv.egiz.bku.slcommands.SLTargetContext;
-
-/**
- * Facade for the access controller
- */
-public class SecurityManagerFacade {
-
- private static Log log = LogFactory.getLog(SecurityManagerFacade.class);
-
- private boolean allowUnmatched = false;
- private ChainChecker inputFilter = null;
- private ChainChecker outputFilter = null;
-
- public boolean mayInvokeCommand(SLCommand cmd, SLSourceContext ctx) {
- if (inputFilter != null) {
- AuthenticationClass ac = AuthenticationClassifier.getAuthenticationClass(
- ctx.isSourceIsDataURL(), ctx.getSourceUrl(), ctx
- .getSourceCertificate());
- AccessCheckerContext acc = new AccessCheckerContext(cmd, ac, ctx
- .getSourceUrl().toString());
- try {
- ChainResult cr = inputFilter.check(acc);
- if (cr.matchFound()) {
- if (cr.getAction() == Action.ALLOW) {
- return true;
- } else {
- return false;
- }
- } else {
- return allowUnmatched;
- }
- } catch (Exception e) {
- log.error(e);
- return false;
- }
- } else {
- log.warn("No input chain defined");
- return 
allowUnmatched;
- }
- }
-
- public boolean maySendResult(SLCommand cmd, SLTargetContext ctx) {
- if (outputFilter != null) {
- AuthenticationClass ac = AuthenticationClassifier.getAuthenticationClass(
- ctx.isTargetIsDataURL(), ctx.getTargetUrl(), ctx
- .getTargetCertificate());
- AccessCheckerContext acc = new AccessCheckerContext(cmd, ac, ctx
- .getTargetUrl().toString());
- try {
- ChainResult cr = outputFilter.check(acc);
- if (cr.matchFound()) {
- if (cr.getAction() == Action.ALLOW) {
- return true;
- } else {
- return false;
- }
- } else {
- return allowUnmatched;
- }
- } catch (Exception e) {
- log.error(e);
- return false;
- }
- } else {
- log.warn("No output chain defined");
- return allowUnmatched;
- }
- }
-
- /**
- * Default policy if not match was found
- *
- * @param allow
- */
- public void setAllowUnmatched(boolean allow) {
- this.allowUnmatched = allow;
- }
-
- public void init(InputStream is) {
- inputFilter = null;
- outputFilter = null;
- AccessControllerFactory fab = AccessControllerFactory.getInstance();
- try {
- fab.init(is);
- } catch (JAXBException e) {
- log.error(e);
- }
- inputFilter = fab.getChainChecker(AccessControllerFactory.INPUT_CHAIN);
- outputFilter = fab.getChainChecker(AccessControllerFactory.OUTPUT_CHAIN);
- }
-}
diff --git a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java b/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java
deleted file mode 100644
index c1f7028b..00000000
--- a/mocca-1.2.11/bkucommon/src/main/java/at/gv/egiz/bku/accesscontroller/UserAction.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
-* Copyright 2008 Federal Chancellery Austria and
-* Graz University of Technology
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-package at.gv.egiz.bku.accesscontroller;
-
-public enum UserAction {
- NONE("none"), INFO("info"), CONFIRM("confirm"), CONFIRM_WITH_SECRET("confirmWithSecret");
-
- private String name;
-
- UserAction(String name) {
- this.name = name;
- }
-
- public static UserAction fromString(String s) {
- for (UserAction ac : values()) {
- if (ac.name.equals(s)) {
- return ac;
- }
- }
- return null;
- }
-}
-- cgit v1.2.3