Clover Coverage Report
Coverage timestamp: Sun Mar 23 2008 08:24:39 GMT
26   222   9   2.89
8   56   0.65   9
9     1.89  
1    
 
 
  AssignmentRule       Line # 49 26 9 72.1% 0.7209302
 
  (1)
 
1    /*
2    * Copyright (c) 2000-2005, University of Salford
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions are met:
7    *
8    * Redistributions of source code must retain the above copyright notice, this
9    * list of conditions and the following disclaimer.
10    *
11    * Redistributions in binary form must reproduce the above copyright notice,
12    * this list of conditions and the following disclaimer in the documentation
13    * and/or other materials provided with the distribution.
14    *
15    * Neither the name of the University of Salford nor the names of its
16    * contributors may be used to endorse or promote products derived from this
17    * software without specific prior written permission.
18    *
19    * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20    * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21    * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22    * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
23    * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24    * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25    * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26    * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27    * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28    * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29    * POSSIBILITY OF SUCH DAMAGE.
30    */
31   
32    package issrg.pba.rbac.policies;
33   
34    import issrg.pba.Credentials;
35    import issrg.pba.DelegatableToken;
36    import java.util.Vector;
37    import issrg.utils.repository.Entry;
38   
39    /**
40    * This class represents an assignment (and delegation) rule. It knows the
41    * Subject Domain to which it is applied, the delegation depth and the
42    * credentials (as obtained from the Policy) that can be assigned according to
43    * this rule.
44    *
45    * @author A Otenko
46    * @version 1.0
47    */
48   
 
49    public class AssignmentRule {
50   
51    /**
52    * This is the Subject Domain that this SOA is allowed to assign to,
53    * according to this rule.
54    */
55    private Subtree subjectDomain;
56   
57    /**
58    * This is how deep the delegation path can be, according to this rule. "-1"
59    * means unlimited delegation. Other integers should be non-negative
60    * and reflect the actual depth of delegation.
61    */
62    private int delegation;
63   
64    /**
65    * This is the set of credentials it can assign, according to this rule.
66    */
67    private issrg.pba.Credentials creds;
68   
 
69  0 toggle protected AssignmentRule(){}
70   
71    /**
72    * This is the constructor the PolicyParser should use.
73    *
74    * @param subjectDomain is the domain of subjects that the given set of
75    * credentials can be assigned to
76    * @param delegationPathLength is an integer number specifying how deep the
77    * delegation can be; set to a negative number for unlimited delegation
78    * @param SOACreds is the credentials that can be assigned to a subject from
79    * the given domain (subjectDomain)
80    */
 
81  1686 toggle public AssignmentRule(Subtree subjectDomain, int delegationPathLength,
82    issrg.pba.Credentials SOACreds) {
83    /**
84    * TODO: check for null pointers as appropriate
85    */
86  1686 this.subjectDomain = subjectDomain;
87  1686 delegation = delegationPathLength;
88  1686 creds = SOACreds;
89    }
90   
91    /**
92    * @return the Subtree of Subjects to which this rule applies
93    */
 
94  1282 toggle public Subtree getSubjectDomain() {
95  1282 return subjectDomain;
96    }
97   
98    /**
99    * @return delegation depth of the chain that starts at the Subjects
100    * (i.e. this rule allows some issuer to assign privileges to some
101    * Subjects; delegation depth tells how far those Subjects can delegate
102    * their privileges further: "0" - they can't; "1" - they can, but those to
103    * whom
104    * they delegated can't; ... "-1" - no limit on delegation is placed by
105    * this rule)
106    */
 
107  1286 toggle public int getDelegationDepth() {
108  1286 return delegation;
109    }
110   
111    /**
112    * @return the Credentials that can be assigned to the Subjects of this rule
113    */
 
114  1381 toggle public issrg.pba.Credentials getCredentials() {
115  1381 return creds;
116    }
117   
118    /**
119    * This method determines the credential set that can be delegated to the
120    * given
121    * user, delegation depth distant from this SOA/AA out of the set of assumed
122    * credentials.
123    *
124    * <p>If assignment is not allowed then it returns null, as if the
125    * intersection
126    * of credentials is null.
127    *
128    * @param him is the user's Entry that must match one of the allowed Subject
129    * Domains
130    * @param assumedCreds is the set of assumed credentials - the set, extracted
131    * from an Authorisation Token
132    *
133    * @return the Credential that the holder may legitimately be assigned by the
134    * SOA; in fact, it is the intersection of the SOA's credentials and the
135    * assumed credentials; can be null, if no Credentials can be assigned
136    */
 
137  4663 toggle public issrg.pba.Credentials allocate(Entry him, issrg.pba.Credentials assumedCreds){
138    //System.out.println("\t\t*** ASSIGNMENT RULE ***"); //*****
139  4663 if (subjectDomain.contains(him)){
140    //System.out.println("\tsubject domain matched"); //*****
141  2607 return creds.intersection(assumedCreds);
142    }
143   
144    //System.out.println("\tnothing can be assigned"); //*****
145  2056 return null;
146    }
147   
148    /**
149    * This method validates what Credentials and Assignment rules can be assigned.
150    * First it calls allocate on the Credentials from the token, to find out the
151    * set of assertable credentials.
152    * Then, if the Token is a DelegatableToken, it calls allocate on the
153    * Delegatable Credentials from the token, and computes the constraints on the
154    * delegation depth and subject domain.
155    *
156    * @param token - the token with the credentials to be assigned to the holder
157    *
158    * @return issrg.pba.rbac.SubjectCredsRules containing the set of assertable
159    * credentials and the assignment rules
160    */
 
161  0 toggle public issrg.pba.rbac.SubjectCredsRules assign(issrg.pba.ParsedToken token){
162  0 issrg.pba.Credentials assertable = allocate(token.getHolder(), token.getCredentials());
163  0 java.util.Vector rules = new java.util.Vector();
164  0 if (token instanceof DelegatableToken && delegation!=0){
165  0 DelegatableToken delTok = (DelegatableToken)token;
166  0 rules = allocate(delTok.getHolder(), new AssignmentRule(delTok.getSubjectDomain(), delTok.getDepth(), delTok.getDelegateableCredentials()));
167   
168    // DelegatableToken delTok = (DelegatableToken)token;
169    // int delegationDepth = delTok.getDepth();
170    //
171    // // delegation is never 0 here
172    // if (delegation>0 && (delegation<=delegationDepth || delegationDepth<0)) delegationDepth=delegation-1;
173    //
174    // // we can't use just assertable credentials, because some may have a noAssertion extension
175    // // so need to compute intersection again.
176    //
177    // issrg.pba.Credentials assignable = allocate(delTok.getHolder(), delTok.getDelegateableCredentials());
178    // Subtree subjDomain = delTok.getSubjectDomain();
179    //
180    // rules.add(new AssignmentRule(new IntersectionSubtree(subjectDomain, subjDomain), delegationDepth, assignable));
181    }
182   
183  0 return new issrg.pba.rbac.SubjectCredsRules(assertable, rules);
184    }
185   
186    /**
187    * This method determines the set of RARs that can be delegated to the
188    * given
189    * user, delegation depth distant from this SOA/AA out of the set of assumed
190    * RARs.
191    *
192    * <p>If assignment is not allowed then it returns an empty set of RARs.
193    *
194    * @param holder is the user's Entry that must match one of the allowed
195    * Subject
196    * Domains
197    * @param ar is the assumed RAR - as built from an Authorisation Token
198    *
199    * @return the Vector of RARs that the holder may legitimately be assigned by
200    * the
201    * SOA; in fact, it is the intersection of the SOA's RARs and the
202    * assumed RAR; each element in the Vector is an AssignmentRule
203    */
 
204  1247 toggle public Vector allocate(Entry holder, AssignmentRule ar) {
205  1247 Credentials assign=ar.getCredentials();
206  1247 Subtree subjDomain=ar.getSubjectDomain();
207  1247 int depth=ar.getDelegationDepth();
208   
209  1247 Vector rules = new Vector();
210  1247 if ((delegation != 0) && (subjectDomain.contains(holder))) {
211    // delegation is never 0 here
212  1187 if (delegation>0 && (delegation<=depth || depth<0)) depth=delegation-1;
213  1187 issrg.pba.Credentials assignable = allocate(holder, assign);
214  1187 rules.add(new AssignmentRule(new IntersectionSubtree(subjectDomain, subjDomain), depth, assignable));
215    }
216  1247 return rules;
217    }
218   
 
219  0 toggle public String toString(){
220  0 return "RAR to allocate "+creds+" to "+subjectDomain+" with delegation depth "+delegation;
221    }
222    }