Clover Coverage Report
Coverage timestamp: Sun Mar 23 2008 08:24:39 GMT
Overview   Package   File
    FRAMES   NO FRAMES     
165   794   68   7.86
104   306   0.53   21
21     4.19  
1    
 
 
  PermisRBAC       Line # 151 165 68 62.4% 0.62413794
 
No Tests
 
1    /*
2    * Copyright (c) 2000-2005, University of Salford
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions are met:
7    *
8    * Redistributions of source code must retain the above copyright notice, this
9    * list of conditions and the following disclaimer.
10    *
11    * Redistributions in binary form must reproduce the above copyright notice,
12    * this list of conditions and the following disclaimer in the documentation
13    * and/or other materials provided with the distribution.
14    *
15    * Neither the name of the University of Salford nor the names of its
16    * contributors may be used to endorse or promote products derived from this
17    * software without specific prior written permission.
18    *
19    * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20    * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21    * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22    * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
23    * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24    * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25    * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26    * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27    * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28    * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29    * POSSIBILITY OF SUCH DAMAGE.
30    */
31   
32    package issrg.pba.rbac;
33   
34   
35   
36    import java.security.Principal;
37   
38    import issrg.pba.MultiAuthzTokenParser;
39    import issrg.pba.PolicyParser;
40    import issrg.pba.ParsedToken;
41    import issrg.pba.RiskAssessment;
42    import issrg.pba.Subject;
43    import issrg.pba.Target;
44    import issrg.pba.Action;
45    import issrg.pba.Credentials;
46    import issrg.pba.PbaException;
47    import issrg.pba.DecisionWithObligationException;
48    import issrg.pba.CredentialsService;
49    import issrg.pba.Response;
50    import issrg.pba.rbac.CustomisePERMIS;
51    import issrg.pba.rbac.PolicyFinder;
52    import issrg.pba.rbac.policies.AssignmentRule;
53    import issrg.utils.ACNotFoundException;
54    import issrg.utils.repository.Entry;
55    import issrg.pba.rbac.xmlpolicy.XMLPolicyParser;
56    import issrg.pba.AuthzTokenParser;
57    import issrg.utils.repository.VirtualRepository;
58    import issrg.pba.repository.AuthzTokenRepository;
59   
60    import issrg.pba.repository.UserEntry;
61    import issrg.utils.repository.AttributeRepository;
62    import issrg.utils.repository.MultiRepository;
63    import java.io.BufferedReader;
64    import java.io.ByteArrayInputStream;
65    import java.io.DataInputStream;
66    import java.io.InputStream;
67    import java.io.FileNotFoundException;
68    import java.io.FileReader;
69    import java.io.IOException;
70    import java.lang.reflect.InvocationTargetException;
71    import java.lang.reflect.Method;
72    import java.util.Date;
73    import java.util.Map;
74    import javax.naming.directory.Attribute;
75    import java.util.Vector;
76   
77    import issrg.SAWS.*; // added for MSoD
78    import org.apache.log4j.*;// added for logging
79   
80    //Bassem: added for SAWS audit trail
81    import issrg.pba.rbac.SAWSLogLevelConstant;
82   
83   
84    /**
85    * This is the Permis implementation of the PBAAPI. It works with a variety of
86    * authorization token formats, in particular, it can handle X.509 Attribute
87    * Certificates and uses Role Based access control and the policy is the XML
88    * Policy that accords to Policy10.DTD.
89    *
90    * <p>When the object has been constructed successfully, the caller (the AEF -
91    * Access decision Enforcement Function; see ISO 10181-3 access control
92    * framework; or the PEP - Policy Enforcement Point) can use the object to
93    * make access decisions for various user
94    * requests.
95    *
96    * <p>In order to make a decision the caller must obtain the user's credentials.
97    * This can be done by calling any of the range of getCreds methods, providing
98    * both Push and Pull models. If Pull model is used, the user authorisation
99    * tokens are retrieved
100    * from the repository, specified in the constructor. After that the delegation
101    * chain
102    * is established, and the user set of credentials is calculated by parsing the
103    * tokens. The PermisRBAC object uses Role attributes from the authorisation
104    * tokens, for which the OID and
105    * allowed range of values are specified in the Policy (obtained at construction
106    * time). Thus the
107    * Credentials for the user are calculated and stored in the Subject object.
108    *
109    * <p>Now the decision method can be called for the Subject as many times as the
110    * AEF or PEP decides is appropriate before the credentials become outdated and
111    * need
112    * to be refreshed. Note also that the same Subject can only be used by the
113    * PermisRBAC
114    * object that created it. It cannot be used by other PermisRBAC object(s),
115    * even
116    * if they are initialised with the same Policy OID: to check this the object
117    * ascertains
118    * if the owner of the Subject object is itself and throws an exception at
119    * decision time if
120    * it is not. This is done to ensure the credentials of the Subject are up to
121    * date
122    * and are not forged or confused with credentials obtained from another
123    * PermisRBAC instance.
124    *
125    * <p>When calling the decision method, the AEF must pass the Action that the
126    * user
127    * wants to perform, and the Target the user wants to perform the action on. A
128    * set of other contextual parameters is passed as environmental variables.
129    * They
130    * can be used by the PermisRBAC object when calculating the decision, if the
131    * Policy
132    * requires so. The decision method either returns a boolean result (true
133    * meaning grant
134    * access, false meaning deny), or throws a PbaException, when a decision
135    * cannot be
136    * made.
137    *
138    * <p>If you need to know which roles the user has got (usually it is for
139    * auditing purposes),
140    * you can extract them using the {@link issrg.pba.rbac.RoleBasedCredentials#getRoleValues getRoleValues}
141    * method of the RoleBasedCredentials object. See the example in the
142    * RoleBasedCredentials
143    * documentation for that method.
144    *
145    * @author A Otenko
146    * @author E Ball
147    * @author D W Chadwick
148    * @version 0.2
149    */
150   
 
151    public class PermisRBAC implements issrg.pba.PBAAPI{
152   
153    /**
154    * This is the name of the environmental variable used to locate the clock
155    * with current time.
156    * Its name is "time", so the XML should contain statements like this:
157    *
158    * <p><code>...&lt;!-- IF-statement goes here. It compares if current time
159    * is "after 8am" --&gt;
160    * <br>&lt;GE&gt;
161    * <br> &lt;Environment Parameter="time" Type="Time"/&gt;
162    * <br> &lt;Constant Type="Time" Value="*-*-*T8:00"/&gt;
163    * <br>&lt;/GE&gt;
164    * </code>
165    */
166    public final String TIME_VARIABLE="time";
167   
168    private Clock clock; //= CustomisePERMIS.getSystemClock();
169    private AuthzTokenRepository Repository;
170    private AuthzTokenParser authParser;
171   
172    // change private in protected
173    // date 15/11/2005
174    protected int TIMEOUT = 0;
175   
176    private PolicyFinder policyFinder;
177   
178    //Bassem:
179    private int sawsLogLevel=0;
180    private SAWSServer sawsServer=null;
181   
 
182  0 toggle protected PermisRBAC(){}
183    Logger logger = Logger.getLogger("issrg.pba.PermisRBAC");
184   
185    /**
186    * This method returns the boolean result of evaluating the Access Control
187    * Decision Function.(decision() is only here for backward compatibility. New applications should use the response() method.)
188    * @param S the subject wishing to carry out the action on the target
189    * @param A the action that the subject wishes to carry out
190    * @param T the target object on which the action is carried out
191    * @param Application_Context a list of application contextual parameters
192    *
193    * @return true, if the requested access should be granted; false otherwise
194    * @throws PbaException, if the decision could not be made, or it can't
195    * be enforced (e.g. an Obligation must be enforced - use a response
196    * method in such cases)
197    *
198    */
 
199  928 toggle public boolean decision(Subject S, Action A, Target T,
200    java.util.Map Application_Context) throws PbaException{
201  0 if (logger.isDebugEnabled())logger.debug("Decision Called");
202  0 if (logger.isDebugEnabled())logger.debug("Creating a response");
203  928 Response r = authzDecision(S, A, T, Application_Context);
204  0 if (logger.isDebugEnabled())logger.debug("Response Created");
205   
206  794 if (r.getObligations()!=null) {
207  0 DecisionWithObligationException ex=new DecisionWithObligationException("Cannot make a decision: some obligations must be enforced", r);
208  0 if((sawsLogLevel>SAWSLogLevelConstant.POLICY_CHANGE)&& (sawsServer!=null))
209  0 sawsServer.sendLogRecord(new ExceptionSAWSRecord((PbaException)ex).toBytes());
210  0 throw ex;
211    }
212   
213  794 return r.isAuthorised();
214    }
215   
216   
217    /**
218    * This method makes a decision, and in addition to that can provide a set
219    * of Obligations that the system must fulfil upon enforcement of the
220    * decision.(The method name is changed from response() to authzDecision())
221    * @param S the subject wishing to carry out the action on the target
222    * @param A the action that the subject wishes to carry out
223    * @param T the target object on which the action is carried out
224    * @param Application_Context a list of application contextual parameters
225    */
226   
 
227  1558 toggle public Response authzDecision(Subject S, Action A, Target T,
228    java.util.Map Application_Context) throws PbaException{
229  1558 long start = System.nanoTime();
230  1558 if (S==null || A==null || T==null){
231  199 PbaException exp=new PbaException("Subject, Action and Target should not be null");
232  199 if((sawsLogLevel>SAWSLogLevelConstant.POLICY_CHANGE)&& (sawsServer!=null))
233  0 sawsServer.sendLogRecord(new ExceptionSAWSRecord((PbaException)exp).toBytes());
234  199 throw exp;
235    }
236   
237  1359 if (S.getOwner()!=this){
238  0 PbaException exx=new PbaException("Cannot use the subject: created by a different object");
239  0 if((sawsLogLevel>SAWSLogLevelConstant.POLICY_CHANGE)&& (sawsServer!=null))
240  0 sawsServer.sendLogRecord(new ExceptionSAWSRecord((PbaException)exx).toBytes());
241  0 throw exx;
242    }
243   
244  1359 issrg.pba.CredentialsService cs = S.getService();
245  1359 if (cs!=null){
246  0 cs.service(S,T,A);
247    }
248  1359 if(cs instanceof RiskAssessment){
249  0 if(!((RiskAssessment)cs).assessRisk(S, T, A)){
250  0 throw new PbaException("There was a problem with the risk assesment");
251    }
252    }
253   
254  1359 Application_Context=initEnv(Application_Context);
255   
256    // added for MSoD
257  1359 Application_Context.put("Subject", S);
258   
259  1359 ((Clock)Application_Context.get(TIME_VARIABLE)).latch(); // Application_Context should contain TIME_VARIABLE after initEnv
260  1359 clock.latch();
261   
262  1359 Response response=policyFinder.getAccessPolicy().response((issrg.pba.Credentials)S.exportCreds(), A, T, Application_Context);
263   
264   
265  1058 if((!response.isAuthorised())&& (sawsLogLevel >SAWSLogLevelConstant.POLICY_CHANGE)){
266    //that is Access denies should be logged
267    // System.out.println("writing Log Access Deny to saws///////////////////////////////////////////////////");
268  17 AccessDenyRecord rec2=new AccessDenyRecord(S,A,T,Application_Context);
269  17 sawsServer.sendLogRecord(rec2.toBytes());
270    //System.out.println("Success Log DENY Access to saws////////////////////////////////////////////////////");
271    }
272   
273   
274  1058 if((response.isAuthorised())&& (sawsLogLevel >SAWSLogLevelConstant.DENY_EXCEPT)) {
275    //that is Access grants should be logged
276    // System.out.println("writing Log Grant Access to saws////////////////////////////////////////////////////");
277  18 AccessGrantRecord rec=new AccessGrantRecord(S,A,T,Application_Context);
278  18 sawsServer.sendLogRecord(rec.toBytes());
279    // System.out.println("Success Log Grant Access to saws////////////////////////////////////////////////////");
280   
281    //sawsServer.sendLogRecord("Bassem Finished my test".getBytes());
282    }
283  1058 long end = System.nanoTime();
284  1058 end = end - start;
285  1058 return response;
286    }
287   
288    /**
289    * This method returns the credentials of the subject whose Principal
290    * is supplied (e.g.&nbsp;LDAPDNPrincipal represents the Subject's LDAP DN).
291    * <b>(The PULL Model)</b>
292    *
293    * @param subjectDN is the name of the subject
294    *
295    * @return the Subject object
296    */
 
297  150 toggle public Subject getCreds(Principal subjectDN) throws PbaException{
298  150 return getCreds(subjectDN, (CredentialsService)null);
299    }
300   
301   
302    /**
303    * This method returns the credentials of the subject whose Principal
304    * is supplied (e.g.&nbsp;LDAPDNPrincipal represents the Subject's LDAP DN).
305    * <b>(The PULL Model)</b>
306    *
307    * <p>It does the same as <code>getCreds(Principal)</code>, but in
308    * addition sets a service specified by the AEF; for example session time,
309    * after which the credentials will be automatically expired.
310    *
311    * @param subjectDN is the name of the subject
312    *
313    * @return the Subject object
314    *
315    * @see getCreds(Principal)
316    */
 
317  870 toggle public Subject getCreds(Principal subjectDN,
318    CredentialsService service
319    ) throws PbaException{
320  870 return getCreds(subjectDN, null, service);
321    }
322   
323    /**
324    * This method returns the credentials of the subject whose Principal
325    * and Authorisation Tokens
326    * are supplied (e.g.&nbsp;LDAPDNPrincipal represents the Subject's LDAP DN,
327    * and byte arrays of BER-encoded Attribute Certificates represent the
328    * Authorisation Tokens).
329    * <b>(The PUSH Model)</b>
330    *
331    * @param subjectDN is the name of the subject
332    * @param creds is the array of raw Authorisation Tokens, which will be
333    * parsed by the default AuthTokenParser (e.g.&nbsp;BER-encoded X.509 ACs)
334    * or an array of ParsedTokens (already parsed by your custom code); in
335    * both cases containing the whole delegation chain must be provided
336    *
337    * @return the Subject object
338    */
 
339  643 toggle public Subject getCreds(Principal subjectDN,
340    Object [] creds
341    ) throws PbaException{
342  643 return getCreds(subjectDN, creds, null);
343    }
344   
345   
346    /**
347    * This method returns the credentials of the subject whose Principal
348    * and Authorisation Tokens
349    * are supplied (e.g.&nbsp;LDAPDNPrincipal represents the Subject's LDAP DN,
350    * and byte arrays of BER-encoded Attribute Certificates represent the
351    * Authorisation Tokens).
352    * <b>(The PUSH Model)</b>
353    *
354    * @param subjectDN is the name of the subject
355    * @param creds is the array of raw Authorisation Tokens, which will be
356    * parsed by the default AuthTokenParser (e.g.&nbsp;BER-encoded X.509 ACs)
357    * or an array of ParsedTokens (already parsed by your custom code); in
358    * both cases containing the whole delegation chain must be provided
359    * @param service is the service to attach to the credentials
360    *
361    * @return the Subject object with CredentialService attached to it
362    */
 
363  1548 toggle public Subject getCreds(Principal subjectDN,
364    Object [] creds,
365    CredentialsService service) throws PbaException{
366  1548 return getCreds(new UserEntry(subjectDN), creds, policyFinder.getRepository(), service);
367    }
368   
369   
370    /**
371    * This method returns the credentials of the subject, given the subject
372    * Principal
373    * and an array of repository URLs where his credentials are stored -
374    * semi-pull
375    * model. The method doesn't check whether all of the repositories are
376    * connectable. If they are not, a partial or even empty set of credentials
377    * will be
378    * returned.
379    *
380    * @param subject - the Principal of the subject
381    * @param urls - the array of the URLs of the repositories where the
382    * subject's
383    * credentials are stored.
384    * @param authParser - the AuthTokenParser to use when parsing the
385    * Authorisation Tokens; if null, the default AuthTokenParser will be
386    * used
387    *
388    * @return the Subject object
389    */
 
390  0 toggle public Subject getCreds(Principal subject, String [] urls, issrg.pba.AuthzTokenParser authParser) throws PbaException {
391  0 issrg.pba.repository.AuthzTokenRepository repository;
392  0 repository = new issrg.simplePERMIS.SimplePERMISAuthzTokenRepository(this.getRepositories(urls),authParser);
393   
394  0 return getCreds(new UserEntry(subject),
395    null,
396    repository,
397    null
398    );
399    }
400   
401   
402    /**
403    * This is the root of the family of all getCreds; it can do both push and
404    * pull, and can set credentials lifetime for the given subject.
405    *
406    * @param subjectDN is the identifier of the subject; when X.509 flavour is
407    * configured it must contain either
408    * the PKC subject DN, or the PKC SerialNumber and Issuer DN, or both
409    * @param creds is an array of Authorisation Tokens (e.g.&nbsp;AttributeCertificates
410    * to use (push model); can
411    * be <code>null</code> (pull model)
412    * @param repository - the AuthTokenRepository from which the missing
413    * Authorisation
414    * Tokens will be obtained; if null, the AuthTokenRepository provided at
415    * construction time will be used; if creds is not null, this parameter
416    * is ignored
417    * @param service is attached to the Subject object, and will be called each
418    * time a decision is made; this way, for example, it is possible to
419    * expire the Subject object by throwing an exception
420    */
 
421  1548 toggle protected Subject getCreds(UserEntry subjectDN,
422    Object [] creds,
423    issrg.pba.repository.AuthzTokenRepository repository,
424    CredentialsService service) throws PbaException{
425  1548 if (logger.isDebugEnabled()){
426  0 logger.debug("getCreds received: ");
427  0 logger.debug("SubjectDN: " +subjectDN.getEntryName().getName());
428    }
429  1548 if (logger.isDebugEnabled()){
430  0 if (creds == null){
431  0 if (logger.isDebugEnabled())logger.debug("Creds is empty" );
432    }else{
433  0 if (logger.isDebugEnabled())logger.debug("Creds: " + creds);
434    }
435    }
436  1548 try{
437  1548 String AttributeName="";
438  1548 if (repository==null) repository = this.Repository;
439   
440  1548 if (creds!=null){ //If pushing creds
441  678 issrg.utils.repository.VirtualRepository vRepository = new issrg.utils.repository.VirtualRepository();
442  678 repository = new issrg.simplePERMIS.SimplePERMISAuthzTokenRepository(vRepository, authParser);
443   
444  1359 for (int i=0; i<creds.length; i++){
445  681 issrg.pba.ParsedToken token = null;
446   
447  681 try{
448  681 token = authParser.decode(creds[i]);
449  681 if (logger.isDebugEnabled()){
450  0 logger.debug("[" +token.getHolder().getEntryName().getName()+ token.toString() +"] " + token.getCredentials().toString());
451    }
452   
453    }catch(PbaException e){
454  0 if((sawsLogLevel>SAWSLogLevelConstant.POLICY_CHANGE)&& (sawsServer!=null))
455  0 sawsServer.sendLogRecord(new ExceptionSAWSRecord((PbaException)e).toBytes());
456  0 token=null;
457    }
458   
459  681 if(token!=null)
460  681 vRepository.populate(subjectDN.getEntryName().getName(), CustomisePERMIS.getAttributeCertificateAttribute(), token);
461    }
462    }
463   
464    // here repository is the repository to use for retrieval
465   
466    /*
467    * TODO: at the moment I am stating -1 delegation depth - unlimited
468    */
469  1548 if (logger.isDebugEnabled()){
470  0 logger.debug("creating new PermisSubject ");
471    }
472   
473  1548 String oid =policyFinder.getPolicyOID();
474  1548 Credentials creds2=policyFinder.getAllocationPolicy().getCredentials(subjectDN, repository);
475  1349 return new issrg.pba.rbac.PermisSubject(this,
476    subjectDN.getEntryName(),
477    service,
478    oid,creds2
479    );
480    }catch (Throwable th){
481    //Bassem: need to add logging to SAWS
482  199 PbaException excp=new PbaException("Failed to get credentials: "+th.getMessage(), th);
483   
484  199 if((sawsLogLevel>SAWSLogLevelConstant.POLICY_CHANGE)&& (sawsServer!=null))
485  0 sawsServer.sendLogRecord(new ExceptionSAWSRecord(excp).toBytes());
486  199 throw excp;
487    }
488    }
489    /**
490    * This method returns the full list of environmental attributes in the current policy,
491    * which is represented as an array of environment nodes
492    * @return an array of EnvironmentNode
493    */
 
494  1 toggle public issrg.pba.rbac.xmlpolicy.ifstatement.EnvironmentNode[] getEnvAttributes() {
495  1 if (logger.isDebugEnabled()){
496  0 logger.debug("get the array of environment nodes");
497    }
498  1 XMLPolicyParser xpp = (XMLPolicyParser)this.getPolicyFinder().getParsedPolicy();
499  1 return xpp.getEnvAttributes();
500    }
501   
502    /**
503    * This method fills in the default variables that this version of
504    * PermisRBAC requires.
505    */
 
506  1359 toggle protected java.util.Map initEnv(java.util.Map env){
507  1359 if (env==null){
508  454 env=new java.util.Hashtable();
509    }
510   
511    // add your variables here
512  1359 if (env.get(TIME_VARIABLE)==null){
513  500 env.put(TIME_VARIABLE, this.clock);
514    }
515   
516  1359 return env;
517    }
518   
519    /**
520    * This method is called by gc (JVM's Garbage Collector) when the Permis
521    * RBAC object is no longer
522    * referenced.
523    */
 
524  17 toggle protected void finalize(){
525    //this.State=this.UNINITIALISED;
526    //Bassem: added for SAWS shutdiwn logging
527  17 if((sawsLogLevel>SAWSLogLevelConstant.NO_INFO)&& (sawsServer!=null)){
528    //System.out.println("Log PERMIS PDP shutdown");
529  0 ShutDownRecord rec=new ShutDownRecord();
530  0 sawsServer.sendLogRecord(rec.toBytes());
531  0 this.SAWSCloseLog();
532    }
533   
534    }
535   
536    /**
537    * This constructor constructs a PermisRBAC object based on the provided
538    * PolicyFinder Object. Using PolicyFinder, physical details of accessing
539    * and retreiving policies can be hidden from Permis.
540    *
541    * <p>Users should implement corresponsding PolicyFinder Subclass to allow
542    * PermisRBAC to access different formats of policies from different
543    * sources. A number of PolicyFinder implementations are provided by Permis.
544    *
545    * <p>Note that there is no AttributeRepository attached explicitly, so
546    * either the policy should contain a RepositoryPolicy, or PERMIS will work
547    * in push mode only.
548    *
549    * @param pf is the PolicyFinder that provides access to the policies that
550    * are used by PermisRBAC engine.
551    *
552    * @see issrg.pba.PolicyFinder
553    */
 
554  7 toggle public PermisRBAC(PolicyFinder pf) throws PbaException {
555  7 this(pf, (String[])null, null);
556    }
557   
 
558  4 toggle public void SAWSCloseLog(){
559   
560  4 if(sawsServer!=null) //case when NO_INFO level and MSoD policy exists
561    {
562  4 System.out.println("Closing autdit trail logging");
563  4 sawsServer.closeLog();
564  4 sawsServer=null;
565    }
566    }
567   
568   
569   
570   
571    /**
572    * This constructor builds a PermisRBAC object given a PolicyFinder, a URL
573    * of a single Attribute Repository with the Authorisation Tokens in it,
574    * and the AuthTokenParser to use. The Attribute Repositories are
575    * constructed from URLs using URLHandler.getRepositoryByURL, so the
576    * appropriate URLHandlers must be registered.
577    *
578    * <p>This is a shortcut for
579    * PermisRBAC(pf, new String[]{url}, authParser);
580    *
581    * @param pf - the PolicyFinder that provides the policy
582    * @param url - the URL of the single AttributeRepository with
583    * AuthorisationTokens; if null, the Repositories mentioned in the policy
584    * will be used, or PERMIS will work in push mode only, if none are
585    * specified in the policy
586    * @param authParser - the AuthTokenParser to use for parsing the
587    * Authorisation Tokens, obtained from the Attribute Repositories; if null
588    * the default AuthTokenParser will be used, as returned by
589    * CustomisePERMIS.getAuthTokenParser
590    *
591    * @see CustomisePERMIS#getAuthTokenParser
592    * @see CustomisePERMIS#addURLHandler
593    * @see URLHandler#getRepositoryByURL
594    * @see URLHandler#addProtocol(URLHandler)
595    */
 
596  0 toggle public PermisRBAC(PolicyFinder pf, String url, issrg.pba.AuthzTokenParser authParser) throws PbaException {
597  0 this(pf, url==null?(String[])null:new String[]{url}, authParser);
598    }
599   
600   
601    /**
602    * This constructor builds a PermisRBAC object given a PolicyFinder, an
603    * array of URLs
604    * of Attribute Repositories with the Authorisation Tokens in them,
605    * and the AuthTokenParser to use. The Attribute Repositories are
606    * constructed from URLs using URLHandler.getRepositoryByURL, so the
607    * appropriate URLHandlers must be registered.
608    *
609    * @param pf - the PolicyFinder that provides the policy
610    * @param urls - the URLs of the AttributeRepositories with
611    * AuthorisationTokens; if null, the Repositories mentioned in the policy
612    * will be used, or PERMIS will work in push mode only, if none are
613    * specified in the policy
614    * @param authParser - the AuthTokenParser to use for parsing the
615    * Authorisation Tokens, obtained from the Attribute Repositories; if null
616    * the default AuthTokenParser will be used, as returned by
617    * CustomisePERMIS.getAuthTokenParser
618    *
619    * @see CustomisePERMIS#getAuthTokenParser
620    * @see CustomisePERMIS#addURLHandler
621    * @see URLHandler#getRepositoryByURL
622    * @see URLHandler#addProtocol(URLHandler)
623    */
 
624  7 toggle public PermisRBAC(PolicyFinder pf, String[] urls, issrg.pba.AuthzTokenParser authParser) throws PbaException {
625  7 this(pf, getRepositories(urls), authParser);
626    }
627   
628   
629   
630   
631    /**
632    * This constructor is used by all other constructors indirectly.
633    * @param pf - the PolicyFinder that locates the policy; if null,
634    * initialisation fails
635    * @param ar - the AttributeRepository used to retrieve Authorisation
636    * Tokens; if null, PERMIS will use the repositories specified in the
637    * policy, but if no repositories are specified there,
638    * PERMIS will work only in push mode (i.e.&nbsp;calls to getCreds without
639    * pushed authorisation tokens will yield subjects with no credentials)
640    * @param authParser - the AuthTokenParser used to decode the Authorisation
641    * Tokens
642    * pushed or pulled from repository; if null, the default AuthTokenParser
643    * set in CustomisePERMIS will be used
644    *
645    * @see CustomisePERMIS#getAuthTokenParser
646    * @see CustomisePERMIS#addURLHandler
647    * @see URLHandler#getRepositoryByURL
648    * @see URLHandler#addProtocol(URLHandler)
649    */
 
650  25 toggle public PermisRBAC(PolicyFinder pf, AttributeRepository ar, issrg.pba.AuthzTokenParser authParser) throws PbaException {
651   
652   
653   
654  25 if (logger.isDebugEnabled()){
655  0 logger.debug("logging enabled");
656    }
657  0 if (pf==null) throw new PbaException("Initialisation failed: no PolicyFinder was specified");
658   
659   
660  25 policyFinder=pf;
661   
662    //Bassem: get the satlevel and SAWS server isntance
663  25 this.sawsLogLevel=policyFinder.getSATLevel();
664  25 sawsServer=policyFinder.getSAWSServer();
665   
666    //Bassem: logging into SAWS
667  25 if((sawsLogLevel>SAWSLogLevelConstant.NO_INFO)&& (sawsServer!=null)){
668  4 StartupRecord rec=new StartupRecord(policyFinder.getSOA(),policyFinder.getPolicyOID(),policyFinder.getfilepath());
669  4 sawsServer.sendLogRecord(rec.toBytes());
670    // System.out.println("Writing Startup succeeded to a SAWS server");
671    }
672   
673   
674  25 if (logger.isDebugEnabled()){
675  0 logger.debug("PolicyFinder loaded");
676    }
677  25 clock = CustomisePERMIS.getSystemClock();
678  25 if (logger.isDebugEnabled()){
679  0 logger.debug("clock set");
680    }
681  25 if (authParser==null){
682  22 if (logger.isDebugEnabled()){
683  0 logger.debug("Setting up Token Parser");
684    }
685  22 authParser = CustomisePERMIS.getAuthTokenParser();
686  22 authParser.setAuthTokenParsingRules(pf.getParsedPolicy().getAuthTokenParsingRules());
687  22 authParser.setSignatureVerifier(pf.getSV());
688  22 if (logger.isDebugEnabled()){
689  0 logger.debug(authParser.getClass().getName()+" is the authz token parser");
690  0 logger.debug("Token Parser Configured");
691    }
692    }
693    // added by Linying. If MultiAuthTokenParser is configured
694    // then set the PERMIS environment to using multiple auth token parsers
695  25 if (MultiAuthzTokenParser.class.isAssignableFrom(authParser.getClass())) CustomisePERMIS.setMultiParser(true);
696   
697  25 AttributeRepository ar1=getRepositories(pf.getParsedPolicy().getRepositoryURLs());
698  25 if (ar!=null || ar1!=null) ar=new MultiRepository(new AttributeRepository[]{ar, ar1});
699  25 if (logger.isDebugEnabled()){
700  0 logger.debug("Configuring repository");
701    }
702  25 this.Repository = ar==null?null:new issrg.simplePERMIS.SimplePERMISAuthzTokenRepository(ar, authParser);
703  25 if (logger.isDebugEnabled()){
704  0 logger.debug("Repository configured");
705    }
706  25 this.authParser = authParser;
707   
708    //Bassem: logging into SAWS
709  25 if((sawsLogLevel>SAWSLogLevelConstant.NO_INFO)&& (sawsServer!=null)){
710    //Bassem: should add the policy information
711  4 StartedRecord rec2=new StartedRecord();
712  4 sawsServer.sendLogRecord(rec2.toBytes());
713    // System.out.println("Writing Started succeeded to a SAWS server");
714    }
715    }
716   
717   
718   
719    /**
720    * This method returns the time-out parameter of the system.
721    */
 
722  0 toggle public int getTimeOut(){
723  0 return TIMEOUT;
724    }
725   
726    /**
727    * This utility method will build a MultiRepository given a list of URLs.
728    * If a repository could not be contacted, it is removed from the list.
729    * Query
730    * the getRepositories methods on MultiRepository to see what repositories
731    * are used.
732    *
733    * @param urls - the array of URLs for which a MultiRepository is built;
734    * Bad URLs or
735    * Repositories that could not be contacted, are ignored
736    *
737    * @return MultiRepository that connects to all the specified URLs
738    * simultaneously, or null, if urls is null
739    */
 
740  32 toggle public static issrg.utils.repository.MultiRepository getRepositories(String [] urls) {
741  32 if (urls==null) return null;
742  2 issrg.utils.repository.AttributeRepository [] reps = new issrg.utils.repository.AttributeRepository [urls.length];
743   
744   
745  6 for (int i=0; i<reps.length; i++){
746  4 reps[i]=null; // no repository associated with the i-th URL
747  4 try{
748  4 reps[i]= URLHandler.getRepositoryByURL(urls[i]); // try to connect to the repository
749    }catch(BadURLException bue){
750    // log the error...
751    }
752    }
753   
754    // build the multi-repository for simultaneous access to the specified repositories
755  2 return new issrg.utils.repository.MultiRepository(reps);
756    }
757   
758    /**
759    * This method builds a MultiRepository that accesses two sets of
760    * repositories
761    * simultaneously. Either or both arrays can be null.
762    *
763    * <p>This method is useful when initialising PERMIS RBAC with two sets
764    * of repositories: one read from a configuration, one obtained from a
765    * policy.
766    * Both sets are treated equally and neither is excluded from use.
767    *
768    * @param urls - the array of URLs; can be null
769    * @param urls2 - the array of URLs; can be null
770    */
 
771  0 toggle protected static issrg.utils.repository.MultiRepository getRepositories(String [] urls, String [] urls2) {
772  0 String [] u = null;
773  0 if (urls!=null || urls2!=null){
774  0 u = new String[urls.length+urls2.length];
775  0 if (urls==null) urls=new String[0];
776  0 if (urls2==null) urls2=new String[0];
777  0 System.arraycopy(urls, 0, u, 0, urls.length);
778  0 System.arraycopy(urls2, 0, u, urls.length, urls2.length);
779    }
780    // if both arrays are null, u array is null
781    // otherwise u is a combination of both arrays
782  0 return getRepositories(u);
783    }
784   
785    /**
786    * This method returns the PolicyFinder used to initialise the object.
787    * Never null.
788    */
 
789  1 toggle public PolicyFinder getPolicyFinder(){
790  1 return policyFinder;
791    }
792   
793   
794    }
 
CloverReport generated by Clover Code Coverage v2.0.3
Sun Mar 23 2008 08:29:30 GMT.		   Clover: Open Source License registered to OpenPERMIS.