issrg.pba.rbac.x509
Class RoleBasedACParser

java.lang.Object
  extended by issrg.pba.rbac.x509.RoleBasedACParser
All Implemented Interfaces:
AuthzTokenParser, RoleBasedAuthzTokenParser

public class RoleBasedACParser
extends java.lang.Object
implements RoleBasedAuthzTokenParser

This is the implementation of the AuthTokenParser that extracts Roles from the Attribute Certificates as defined by the Policy.

This is the default AuthTokenParser used by PERMIS, when X.509 flavour is configured in using issrg.pba.rbac.CustomisePERMIS.configureX509Flavour method.

Version:
1.0
Author:
A Otenko

Constructor Summary
RoleBasedACParser()
          This is the default constructor.
RoleBasedACParser(java.util.Map m, SignatureVerifier signatureVerifier)
          The constructor takes the Map of Assignment Rules, as returned by the PolicyParser and the Signature Verifier, which can be null.
RoleBasedACParser(RoleHierarchyPolicy rhpn, SignatureVerifier signatureVerifier)
          The constructor uses the Role Hierarchy policy and the Signature Verifier to subsequently decode the Attribute Certificates.
 
Method Summary
 ParsedToken decode(java.lang.Object acB)
          This method decodes the Authorisation Token into internal representation.
protected  ParsedToken decodeX509AC(java.lang.Object acB)
          This method decodes a given Attribute Certificate.
 java.util.Map getAuthzTokenParsingRules()
          This method returns the Authorisation Token Parsing Rules, as a Map with a single entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class and the value being the RoleHierarchyPolicy used by this RoleBasedACParser.
 SignatureVerifier getSignatureVerifier()
          This method returns the SignatureVerifier used by this RoleBasedACParser.
 void setAuthzTokenParsingRules(java.util.Map m)
          This method sets the Authorisation Token Parsing Rules.
 void setRoleHierarchy(RoleHierarchyPolicy rhpn)
          This method sets the Authorisation Token Parsing Rules by directly specifying the Role Hierarchy to be used.
 void setSignatureVerifier(SignatureVerifier signatureVerifier)
          This method sets the SignatureVerifier to be used to validate the X.509 Attribute Certificates.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

RoleBasedACParser

public RoleBasedACParser()
This is the default constructor. If you instantiate the RoleBasedACParser using this constructor, the code will fail to decode any Attribute Certificates until the Role Hierarchy is set by setRoleHierarchy method.


RoleBasedACParser

public RoleBasedACParser(RoleHierarchyPolicy rhpn,
                         SignatureVerifier signatureVerifier)
The constructor uses the Role Hierarchy policy and the Signature Verifier to subsequently decode the Attribute Certificates. If Signature Verifier is specified, it will be used to validate digital signatures on the ACs; otherwise signature verification will be ignored (e.g. for testing purposes - not recommended for real life deployments).

Parameters:
rhpn - is the RoleHierarchyPolicy used to decode the role values in the Attribute Certificates; can't be null
signatureVerifier - will be used to validate digital signatures; if null, no signature verification will be performed (NOT RECOMMENDED FOR REAL DEPLOYMENT AS INSECURE!)

RoleBasedACParser

public RoleBasedACParser(java.util.Map m,
                         SignatureVerifier signatureVerifier)
The constructor takes the Map of Assignment Rules, as returned by the PolicyParser and the Signature Verifier, which can be null. The Map of Assignment Rules must contain a RoleHierarchyPolicy under the key issrg.pba.rbac.RoleHierarchyPolicy.class.

Parameters:
m - is the map of assignment rules to use
signatureVerifier - will be used to validate digital signatures; if null, no signature verification will be performed (NOT RECOMMENDED FOR REAL DEPLOYMENT AS INSECURE!)
Method Detail

getAuthzTokenParsingRules

public java.util.Map getAuthzTokenParsingRules()
This method returns the Authorisation Token Parsing Rules, as a Map with a single entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class and the value being the RoleHierarchyPolicy used by this RoleBasedACParser.

Specified by:
getAuthzTokenParsingRules in interface AuthzTokenParser
Returns:
Map of rules; this implementation fills a single entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class and the value being the RoleHierarchyPolicy; if the RoleHierarchyPolicy has not been set, the Map does not contain any entries

setSignatureVerifier

public void setSignatureVerifier(SignatureVerifier signatureVerifier)
This method sets the SignatureVerifier to be used to validate the X.509 Attribute Certificates.

Specified by:
setSignatureVerifier in interface AuthzTokenParser
Parameters:
signatureVerifier - is the SignatureVerifier used to validate the ACs; if null, no signature verification will be performed (SHOULD NOT BE USED IN PRODUCTION SCENARIOS!)

getSignatureVerifier

public SignatureVerifier getSignatureVerifier()
This method returns the SignatureVerifier used by this RoleBasedACParser.

Specified by:
getSignatureVerifier in interface AuthzTokenParser
Returns:
SignatureVerifier used by this RoleBasedACParser, or null, if no signature verification is being performed.

setAuthzTokenParsingRules

public void setAuthzTokenParsingRules(java.util.Map m)
This method sets the Authorisation Token Parsing Rules. It should contain a issrg.pba.rbac.RoleHierarchyPolicy in the entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class.

Specified by:
setAuthzTokenParsingRules in interface AuthzTokenParser
Parameters:
m - - the Map of rules with a RoleHierarchyPolicy inside

setRoleHierarchy

public void setRoleHierarchy(RoleHierarchyPolicy rhpn)
This method sets the Authorisation Token Parsing Rules by directly specifying the Role Hierarchy to be used.

Specified by:
setRoleHierarchy in interface RoleBasedAuthzTokenParser
Parameters:
rhpn - - the RoleHierarchyPolicy to be used; if null, decoding the ACs will always fail

decodeX509AC

protected ParsedToken decodeX509AC(java.lang.Object acB)
                            throws PbaException
This method decodes a given Attribute Certificate. The Object is a byte array of the BER-encoded X.509 Attribute Certificate

First it is seen if the Authorisation Token is an X.509 Attribute Certificate. If there is no SignatureVerifier provided, the next stage is skipped; otherwise the digital signature on it is verified using the Signature Verifier provided at construction time or by calling the setSignatureVerifier method. If this fails, a SignatureVerificationFailedException is thrown with the would-be-valid ParsedToken and the original object in it.

If the X.509 Attribute Certificate to be decoded contains an attribute with the OID matching one of the role types defined in the RoleHierarchyPolicy, all the values are assumed to be Printable Strings. Among these values the ones not mentioned in the RoleHierarchyPolicy are ignored; the known values are mapped into the role hierarchy, so that the resulting Credentials contained in the ParsedToken can be compared.

The attributes with OID not mentioned in the RoleHierarchyPolicy are ignored.

If an unknown critical extension is encountered, parsing of the AC fails.

If the AC contains a noAssertion extension, the ParsedToken's Credentials will be an empty set (but the delegatable Credentials may not be an empty set).

If the AC contains a basicAttributeConstraints extension, the result will be a DelegatableToken with the delegatable Credentials set to the set of Credentials contained in the AC. It will be the same as the assertable Credentials, if no noAssertion extension is there. The depth of delegation in the DelegatableToken will be the value of the basicAttributeContraints cast to a 32 bit non-negative number (should be enough to express any delegation tree in the world) with the same semantics as in basicAttributeConstraints, or "-1", if unconstrained delegation is allowed by the extension (no delegation depth was specified in the AC).

Parameters:
acB - a byte array of the BER-encoded X.509 AttributeCertificate
Returns:
the ParsedToken representing the Attribute Certificate
Throws:
PbaException, - if no Role Hierarchy Policy has been specified through the constructor or either of the methods, or if there was a problem when decoding the Authorisation Token
PbaException

decode

public ParsedToken decode(java.lang.Object acB)
                   throws PbaException
Description copied from interface: AuthzTokenParser
This method decodes the Authorisation Token into internal representation. The rest of the methods can be used to retrieve data from this token. Note that in the case that it is a malformed AuthorisationToken or is not the expected Authorisation Token, an exception will be thrown.

Specified by:
decode in interface AuthzTokenParser
Parameters:
acB - - implementation-specific object returned by the Repository; it is the authorisation token to be decoded
Returns:
ParsedToken - implementation-independent representation of the Authorization token
Throws:
PbaException - if any error occurs; for example, the given object is not a proper Authorisation Token that the implementation can handle