Clover Coverage Report
Coverage timestamp: Sun Mar 23 2008 08:24:39 GMT
124   345   21   20.67
34   188   0.21   6
6     4.33  
1    
 
 
  MSoDPolicySet       Line # 76 124 21 92.7% 0.9268293
 
No Tests
 
1    /*
2    * Copyright (c) 2006, University of Kent
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions are met:
7    *
8    * Redistributions of source code must retain the above copyright notice, this
9    * list of conditions and the following disclaimer.
10    *
11    * Redistributions in binary form must reproduce the above copyright notice,
12    * this list of conditions and the following disclaimer in the documentation
13    * and/or other materials provided with the distribution.
14    *
15    * 1. Neither the name of the University of Kent nor the names of its
16    * contributors may be used to endorse or promote products derived from this
17    * software without specific prior written permission.
18    *
19    * 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
20    * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21    * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22    * PURPOSE ARE DISCLAIMED.
23    *
24    * 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
25    * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
26    * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27    * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
28    * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
29    * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30    * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
31    * POSSIBILITY OF SUCH DAMAGE.
32    *
33    * 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
34    * IN THE CIRCUMSTANCES. IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
35    * SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
36    * SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
37    * GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
38    * TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
39    * IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
40    * SERIOUS FAULTS, IN THIS SOFTWARE.
41    *
42    * 5. This license is governed, except to the extent that local laws
43    * necessarily apply, by the laws of England and Wales.
44    */
45   
46   
47    package issrg.pba.rbac.policies;
48   
49    import issrg.pba.PbaException;
50    import issrg.pba.rbac.xmlpolicy.XMLPolicyParser;
51    import issrg.pba.rbac.*;
52    import issrg.pba.*;
53   
54    import iaik.asn1.*;
55    import iaik.asn1.structures.AlgorithmID;
56    import iaik.utils.Util;
57   
58    import java.io.*;
59    import java.util.*;
60    import java.lang.*;
61    import java.math.*;
62    import java.text.*;
63   
64    //added for MSoD
65    import issrg.pba.rbac.RetainedADI;
66    import issrg.SAWS.*;
67   
68    /**
69    * This is the class representing the MSoD Policy. It contains a vector of MSoD rules. It determines
70    * whether a access request is allowed by the MSoD rules.
71    *
72    * @author W. Xu
73    * @version 0.1
74    */
75   
 
76    public class MSoDPolicySet {
77   
78    protected java.util.Vector msodRules;
79    protected RetainedADI retainedADI;
80    private SAWSServer sawsServer;
81    private PolicyParser pp;
82   
 
83  0 toggle protected MSoDPolicySet(){}
84   
85    /**
86    * This constructor creates the MSoDPolicySet object.
87    *
88    * @params m is a vector of MSoD rules.
89    * @params r is the retained ADI object for storing access request decisions in history.
90    * @params sawsServer is the SAWS server for recording log records for PERMIS.
91    * @params pp is the PolicyParser for PERMIS.
92    *
93    */
 
94  4 toggle public MSoDPolicySet(Vector m, RetainedADI r, SAWSServer sawsServer, PolicyParser pp){
95  4 msodRules = m;
96  4 retainedADI = r;
97  4 this.sawsServer = sawsServer;
98  4 this.pp = pp;
99  4 Vector v1 = null;
100   
101  0 while ( (v1 = sawsServer.sawsReadOneLogFile()) != null) {
102  14 addRecords(v1);
103    }
104    //this.sawsServer.sawsStart();
105    //Bassem: just start it when SAWS is created, see, simplePermisAcpolicyFinder.java
106    }
107   
108    /**
109    * This method adds a vector of decision records to the retained ADI. The lastStep decision records should be
110    * removed along with decision records with the same contextinstance.
111    *
112    * @param v is the vector of decision records.
113    *
114    * @return void
115    */
116   
 
117  14 toggle private void addRecords(Vector v){
118  94 for (int i=0; i<v.size() ; ++i ) {
119  80 DecisionRecord dr = toDecisionRecord( ((RecordBlock) v.get(i)).getRecord() );
120  80 ContextNamePrincipal instanceDN = null;
121    //bassem
122  80 if(dr==null)
123  59 continue;
124  21 try {
125  21 instanceDN = new ContextNamePrincipal(dr.getContextInstance());
126    }
127    catch (Exception e) {
128  0 e.printStackTrace();
129    }
130  21 int size = msodRules.size();
131  21 MSoDRule aMSoDRule = null;
132  163 for (int j = 0; j< size; ++j){
133  143 aMSoDRule = (MSoDRule) msodRules.get(j);
134  143 if ( aMSoDRule.contains(instanceDN) ) {
135  17 if (aMSoDRule.isLastStep(dr.getAction(), dr.getTarget() ) ) {
136  1 retainedADI.removeContext(aMSoDRule.getPolicyContext(), instanceDN);
137  1 break;
138    } else
139  16 retainedADI.add(dr);
140    }
141   
142    }
143    }
144    }
145   
146    /**
147    * This method extract a permis log record into a permis access control decision record.
148    *
149    * @param recordBlock is a permis log record in binary form.
150    *
151    * @return a decision record for retained ADI.
152    */
153   
154   
155    //Bassem: we have to verify that these are MSoD records not any other log records
156    //thus add MSoDTYPE in the block, and trim it when retrieving the record
157    //have to shift by one all of the different fields
158   
 
159  80 toggle private issrg.pba.rbac.DecisionRecord toDecisionRecord(byte[] recordBlock){
160  80 DateFormat df = DateFormat.getDateInstance();
161  80 issrg.pba.rbac.DecisionRecord dr = null;
162  80 try{
163  80 ASN1 asn1 = new ASN1(recordBlock);
164   
165  80 IA5String sType = (IA5String)asn1.getComponentAt(0);
166  80 String type=(String)sType.getValue();
167   
168  80 if(type.compareTo("PermisMSoDType")!=0)
169  59 return null;
170  21 IA5String s0 = (IA5String)asn1.getComponentAt(1);
171  21 String userID = (String)s0.getValue();
172   
173  21 s0 = (IA5String)asn1.getComponentAt(2);
174  21 String action = (String)s0.getValue();
175   
176  21 s0 = (IA5String)asn1.getComponentAt(3);
177  21 String Target = (String)s0.getValue();
178   
179  21 s0 = (IA5String)asn1.getComponentAt(4);
180  21 String contextInstance = (String)s0.getValue();
181   
182  21 s0 = (IA5String)asn1.getComponentAt(5);
183  21 Date dateTime = df.parse((String)s0.getValue()) ;
184   
185  21 Vector CredsVec = new Vector();
186  21 INTEGER i0 = (INTEGER)asn1.getComponentAt(6) ;
187  21 int roleCount = ((BigInteger)i0.getValue()).intValue();
188  46 for (int j = 0; j< roleCount ; ++j ) {
189  25 s0 = (IA5String)asn1.getComponentAt(7+j*4);
190  25 String roleValue = (String)s0.getValue();
191   
192  25 s0 = (IA5String)asn1.getComponentAt(7+j*4+1);
193  25 String roleType = (String)s0.getValue();
194   
195  25 s0 = (IA5String)asn1.getComponentAt(7+j*4+2);
196  25 String d1s = (String)s0.getValue();
197  25 Date d1 = df.parse(d1s);
198   
199  25 s0 = (IA5String)asn1.getComponentAt(7+j*4+3);
200  25 String d2s = (String)s0.getValue();
201  25 Date d2 = df.parse(d2s);
202   
203  25 AbsoluteValidityPeriod avp = new AbsoluteValidityPeriod(d1, d2);
204  25 Credentials pc = new PermisCredentials( ((XMLPolicyParser) pp).getRole(roleType, roleValue));
205  25 ExpirableCredentials ec = new ExpirableCredentials(pc, (ValidityPeriod) avp);
206  25 CredsVec.add(ec);
207    }
208  21 Credentials creds = new SetOfSubsetsCredentials (CredsVec);
209   
210  21 dr = new DecisionRecord(userID, creds, action, Target, contextInstance, dateTime);
211   
212    } catch (Exception e) {
213  0 e.printStackTrace(System.err);
214    }
215  21 return dr;
216    }
217   
218    /**
219    * This method is to create a binary array for a permis request decision record.
220    *
221    *
222    * @param dr is the decision record class
223    *
224    * @return binary array of this PERMIS block
225    */
 
226  18 toggle private byte[] toBytes(issrg.pba.rbac.DecisionRecord dr){
227  18 DateFormat df = DateFormat.getDateInstance();
228  18 SEQUENCE ASN1Seq = new SEQUENCE();
229    //Bassem: add record type (should increment the different commented numbers down by 1)
230  18 ASN1Seq.addComponent(new IA5String("PermisMSoDType"));
231   
232  18 ASN1Seq.addComponent(new IA5String(dr.getUserID())); // 0
233  18 ASN1Seq.addComponent(new IA5String(dr.getAction())); //1
234  18 ASN1Seq.addComponent(new IA5String(dr.getTarget())); //2
235  18 ASN1Seq.addComponent(new IA5String(dr.getContextInstance())); //3
236  18 ASN1Seq.addComponent(new IA5String(df.format(dr.getDateTime()))); //4
237   
238  18 Credentials creds = dr.getCreds();
239  18 int credsNumber = 0;
240  18 Vector credsV = ((SetOfSubsetsCredentials)creds).getValue();
241  18 credsNumber = credsV.size() ;
242  18 ASN1Seq.addComponent(new INTEGER(credsNumber)); //5
243   
244  38 for (int i=0; i< credsNumber; ++i){
245  20 ExpirableCredentials ec = (ExpirableCredentials) credsV.get(i);
246  20 PermisCredentials pc = (PermisCredentials) ec.getExpirable();
247  20 ValidityPeriod vp = (ValidityPeriod) ec.getValidityPeriod();
248  20 String roleValue =(String) pc.getRoleValue();
249  20 String roleType = (String) pc.getRoleType();
250  20 ASN1Seq.addComponent(new IA5String(roleValue)); // 5+1
251  20 ASN1Seq.addComponent(new IA5String(roleType)); // 5+2
252  20 Date d1 = ( (IntersectionValidityPeriod) vp ).getNotBefore();
253  20 Date d2 = ( (IntersectionValidityPeriod) vp ).getNotAfter();
254  20 ASN1Seq.addComponent(new IA5String( df.format(d1) )); //5+3
255  20 ASN1Seq.addComponent(new IA5String( df.format(d2) )); //5+4
256    }
257   
258  18 byte[] arrayASN = DerCoder.encode(ASN1Seq);
259  18 return arrayASN;
260    }
261   
262   
263    /**
264    * This method is to determine if this MSoD policy applies to this user access request.
265    * If this MSoD policy applies, then it means the user access request has broken one of the MSoD rules in this MSoD policy
266    * and it should be forbidden by this MSoD policy, and this method will return true; otherwise this method will return false.
267    *
268    * @param creds is the user credential
269    * @param a is the user action
270    * @param t is the user requested target
271    * @param environment is the environment of the decision by PERMIS
272    *
273    * @return true if this MSoD policy applies to this user requested access; otherwise false.
274    */
 
275  34 toggle public boolean separationOfDutiesApplies(issrg.pba.Credentials creds,
276    /*issrg.pba.Subject subject,*/ issrg.pba.Action a,
277    issrg.pba.Target t, java.util.Map environment) {
278    // throws issrg.utils.RFC2253ParsingException{
279   
280  34 String contextInstance = (String) environment.get("ContextInstance");
281  34 if ( contextInstance == null) {
282  0 return false;
283    }
284  34 ContextNamePrincipal instanceDN = null, maskDN = null, lastMaskDN = null;
285  34 try {
286  34 instanceDN = new ContextNamePrincipal(contextInstance);
287    }
288    catch (issrg.utils.RFC2253ParsingException e) {
289    // throw e;
290    }
291   
292  34 issrg.pba.Subject subject = (issrg.pba.rbac.PermisSubject) environment.get("Subject"); // Subject was pushed to the environment before
293   
294  34 String actionName = a.getActionName();
295  34 String userID = (String) ((issrg.pba.rbac.PermisSubject)subject).getName();
296  34 String targetName = ((PermisTarget)t).getName();
297  34 Vector historyVector = null;
298   
299  34 int size = msodRules.size();
300  34 MSoDRule aMSoDRule = null;
301  34 boolean lastStepFlag = false;
302  209 for (int i = 0; i< size; ++i){
303  191 aMSoDRule = (MSoDRule) msodRules.get(i);
304  191 if ( aMSoDRule.contains(instanceDN) ) {
305  32 boolean result =
306    aMSoDRule.separationOfDutiesApplies( retainedADI, creds, subject, a, t, environment,
307    instanceDN) ;
308  32 if ( !result) { // result==false, MSoD doesn't apply, this method may return false, access request might be granted;
309  16 if (aMSoDRule.isLastStep(actionName, targetName) ) {
310  2 lastStepFlag = true;
311  2 maskDN = aMSoDRule.getPolicyContext();
312  2 if (lastMaskDN== null) {
313  2 lastMaskDN = maskDN;
314    } else {
315  0 if (maskDN.contains(lastMaskDN) ) {
316  0 lastMaskDN = maskDN;
317    }
318    }
319    }
320   
321    } else { // result == true
322  16 return true;
323    }
324   
325    }
326   
327    }
328   
329  18 issrg.pba.rbac.DecisionRecord dr = new issrg.pba.rbac.DecisionRecord(userID, creds,
330    actionName, targetName, contextInstance,
331    CustomisePERMIS.getSystemClock().getTime());
332  18 if ( lastStepFlag) {
333  2 retainedADI.removeContext(lastMaskDN, instanceDN);
334    } else {
335  16 retainedADI.add(dr);
336    }
337  18 sawsServer.sendLogRecord(toBytes(dr) );
338  18 return false;
339   
340    }
341   
342   
343    }
344   
345