issrg.pba.rbac.policies
Class AllocationPolicy

java.lang.Object
  extended by issrg.pba.rbac.policies.AllocationPolicy

public class AllocationPolicy
extends java.lang.Object

This class represents an Allocation and Delegation Policy. Its responsibility is to return a set of Credentials (Roles in Permis) that have been assigned to the subject in accordance with the (Role) Assignment policy and delegation rules.

This class is quite abstract and can be used for many other projects, even non-role based, and non-AC based, because it operates on abstract authorisation tokens and credentials.

The delegation model assumed is: the policy states a number of trusted Sources of Authority, along with the specification of what they can delegate and to whom; these entities can delegate their powers or subset of it (i.e. the Credentials specified in the policy or the subset of it) to the other entities that must be from their Subject Domain. This way a delegation chain is established from one of the Sources of Authority (SOAs) to the end users.

AllocationPolicy can recursively trace the delegation chains by looking up the Authorisation Tokens of the Issuer of each Authorisation Token available to it, until one of the SOAs is reached. To validate the chain, the same rule is applied on each iteration: the subordinate authority can have the same or less power as the superior authority; so a subordinate authority has the intersection of the Credentials that it has in the Authorisation Tokens with the Credentials of the superior authority, the Subject Domain is an intersection of the superior's Subject Domain and the subordinate's Subject Domain excluding the subordinate himself, the delegation depth is at most one less than the delegation depth of the superior authority.

Allocation Policy checks that the Holder principal is the same as the Subject principal and does not consider the ones that do not belong to the Subject.

Allocation Policy conceptually intersects the credentials from the Parsed Token with the credentials of the Issuer of that token, and then builds a union of all such intersections for every token, and that's what goes into the Subject object.

In reality Allocation Policy uses a RuleComparator to order the Parsed Tokens by validation priority and depending on RuleComparator logic may return a subset of all available credentials without validating all of the Parsed Tokens.

Version:
0.1
Author:
A Otenko

Field Summary
protected  Logger log
           
protected  Clock theClock
           
 
Constructor Summary
protected AllocationPolicy()
           
  AllocationPolicy(java.util.Map assignmentRules)
          This constructor builds an AllocationPolicy with the default RuleComparator; this is a shortcut to AllocationPolicy(assignmentRules, null) See that constructor for details of the meaning.
  AllocationPolicy(java.util.Map assignmentRules, RuleComparator comparator)
          The constructor builds a policy out of assignment Rules and the reference to the AuthTokenParser.
 
Method Summary
 Credentials getCredentials(TokenLocator who, AuthzTokenRepository acR)
          This method does the allocation.
 java.util.Vector validate(Entry holder, TokenLocator issuerTokenLocator, AssignmentRule rule, AuthzTokenRepository acR, java.util.Vector holders)
          This function validates a requested RAR.
 Credentials validate(Entry holder, TokenLocator issuerTokenLocator, Credentials credentials, AuthzTokenRepository acR, java.util.Vector holders)
          This method validates a requested set of Credentials.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

theClock

protected Clock theClock

log

protected Logger log
Constructor Detail

AllocationPolicy

protected AllocationPolicy()

AllocationPolicy

public AllocationPolicy(java.util.Map assignmentRules,
                        RuleComparator comparator)
The constructor builds a policy out of assignment Rules and the reference to the AuthTokenParser. The constructor updates the rules in such a way, that the SOA name becomes case insensitive.

The rule set contains a special rule, which is the coverage domain of the whole AllocationPolicy. This rule is found by using Subtree.class as the key, and the value is assumed to be a Subtree.

Parameters:
assignmentRules - is a Map of Vectors of AssignmentRule objects; the key for each AssignmentRule collection is the SOA's DN
comparator - defines the preference in validation of Authorisation Tokens, so that the most relevant ones are validated first, and the less relevant or irrelevant ones are not validated at all; if it is null, the default RuleComparator will be used as defined in CustomisePERMIS.getComparator()
See Also:
CustomisePERMIS.getComparator()

AllocationPolicy

public AllocationPolicy(java.util.Map assignmentRules)
This constructor builds an AllocationPolicy with the default RuleComparator; this is a shortcut to AllocationPolicy(assignmentRules, null) See that constructor for details of the meaning.

See Also:
AllocationPolicy(java.util.Map,RuleComparator)
Method Detail

getCredentials

public Credentials getCredentials(TokenLocator who,
                                  AuthzTokenRepository acR)
                           throws PbaException

This method does the allocation. It picks the Authorisation Tokens from the given Authorisation Token Repository (assuming it returns only valid tokens), and uses AuthTokenParser to retrieve the credentials. After that it applies each Assignment Rule to ensure that the credentials have been assigned according to the policy; all credentials that do not comply to the policy are discarded and a credentials object containing only complying credentials is returned.

Note that if the User does not match any Subject Domain, an exception will be thrown.

X.509 semantics: It picks all recognisable Roles from the given set of Attribute Certificates, then it exercises the actual Role assignment: looks what roles from the given set of ACs could have been delegated by the AC issuer. The latter step involves RoleAssignmentPolicy interpretation, with SubjectDomain matching, Role matching, SOA matching and the delegation depth matching. The resulting Role will contain validity, as calculated by combining the AC Validity time and Validity restrictions in the RoleAssignmentPolicy.

The issuer name is case insensitive.

End of recursion:
0. All the roles have been granted by the SOA (which should have been defined in the SOAPolicy)
1. The delegator is already being calculated in this recursion (somewhere down the stack). (Thus eliminating delegation loops; such delegations are invalidated; depending on the role caching mechanism, a flag can be set the role assignment to be calculated later)
2. No ACs obtained for the delegator.

Parameters:
who - is the user identifier; it contains either user DN, or the PKC Issuer DN+Serial Number; it is used when performing SubjectDomain match and to retrieve the Authorisation Tokens of the Subject
acR - is the repository with the Authorisation Tokens the user has got; it is assumed the signature has already been verified, when the Authorisation Tokens are retrieved; if null, no AuthorisationTokens can be obtained for the Subject, so only public access can be granted at decision time (an empty set of Credentials will be returned)
Throws:
PbaException

validate

public Credentials validate(Entry holder,
                            TokenLocator issuerTokenLocator,
                            Credentials credentials,
                            AuthzTokenRepository acR,
                            java.util.Vector holders)
                     throws PbaException
This method validates a requested set of Credentials.

Parameters:
holder - is the holder Entry. It is matched against the Subject Domain of the issuer's RAR
issuerTokenLocator - specifies the location of the issuer's Authorisation Tokens
credentials - is the credentials asserted by the holder and issued by the issuer identified by issuerTokenLocator
acR - is the default repository for the Authorisation Tokens; if null, the Authorisation Token Repository mentioned in the issuerTokenLocator will be used; if neither is specified, the issuer's Authorisation Tokens cannot be found and the assignment will only be validated using the RARs available in the policy
holders - is the vector that stores list of holders on the delegation path; it is used for detecting loops in assignment
Returns:
validated credentials
Throws:
PbaException

validate

public java.util.Vector validate(Entry holder,
                                 TokenLocator issuerTokenLocator,
                                 AssignmentRule rule,
                                 AuthzTokenRepository acR,
                                 java.util.Vector holders)
                          throws PbaException
This function validates a requested RAR.

Parameters:
holder - is the Entry of the holder of the asserted RAR
issuerTokenLocator - specifies the location of the issuer's Authorisation Tokens
rule - is the RAR asserted by the holder and issued by the issuer identified by issuerTokenLocator
acR - is the default repository for the Authorisation Tokens; if null, the Authorisation Token Repository mentioned in the issuerTokenLocator will be used; if neither is specified, the issuer's Authorisation Tokens cannot be found and the assignment will only be validated using the RARs available in the policy
holders - is the vector that stores list of holders on the delegation path; it is used for detecting loops in assignment
Returns:
a vector of validated RARs, each element of which is an AssignmentRule
Throws:
PbaException