http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationAttributeCriterion.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationAttributeCriterion.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationAttributeCriterion.java new file mode 100755 index 0000000..23f00cb --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationAttributeCriterion.java @@ -0,0 +1,87 @@ +package org.openliberty.openaz.pepapi.std; + +import org.openliberty.openaz.pepapi.Obligation; + +import java.util.*; + +public final class ObligationAttributeCriterion implements ObligationCriterion { + + private String id; + + private Set<String> valueSet; + + public ObligationAttributeCriterion(String id) { + this.id = id; + this.valueSet = new HashSet<String>(); + } + + ObligationAttributeCriterion(String id, String...values) { + this(id); + if(values != null && values.length > 0){ + this.valueSet.addAll(Arrays.asList(values)); + } + } + + @Override + public int hashCode() { + final int prime = 31; + int result = 1; + result = prime * result + ((id == null) ? 0 : id.hashCode()); + result = prime * result + + ((valueSet == null) ? 0 : valueSet.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + ObligationAttributeCriterion other = (ObligationAttributeCriterion) obj; + if (id == null) { + if (other.id != null) + return false; + } else if (!id.equals(other.id)) + return false; + if (valueSet == null) { + if (other.valueSet != null) + return false; + } else if (!valueSet.equals(other.valueSet)) + return false; + return true; + } + + public String getId() { + return id; + } + + public Set<String> getValueSet() { + return Collections.unmodifiableSet(valueSet); + } + + @Override + public boolean match(Obligation obligation) { + Map<String, Object[]> obligationAttrMap = obligation.getAttributeMap(); + if(!obligationAttrMap.containsKey(this.id)) { + return false; + } + //Proceed with value matching, if the AttributeMatch has a defined value set to match. + if(!valueSet.isEmpty()) { + Object[] attributeValues = obligationAttrMap.get(this.id); + boolean valueFound = false; + if(attributeValues != null) { + for(Object attributeValue: attributeValues) { + if(valueSet.contains(attributeValue)) { + valueFound = true; + break; + } + } + } + return valueFound; + } + return true; + } +}
http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriteria.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriteria.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriteria.java new file mode 100755 index 0000000..8a32271 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriteria.java @@ -0,0 +1,28 @@ +package org.openliberty.openaz.pepapi.std; + +import org.openliberty.openaz.pepapi.Obligation; +import org.openliberty.openaz.pepapi.Matchable; + +import java.util.Collection; +import java.util.HashSet; +import java.util.Set; + +public final class ObligationCriteria implements Matchable<Obligation> { + + private Set<ObligationCriterion> criteria; + + ObligationCriteria(Collection<ObligationCriterion> criteria){ + this.criteria = new HashSet<ObligationCriterion>(); + this.criteria.addAll(criteria); + } + + @Override + public boolean match(Obligation obligation) { + for(ObligationCriterion criterion: criteria){ + if(!criterion.match(obligation)){ + return false; + } + } + return true; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriteriaBuilder.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriteriaBuilder.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriteriaBuilder.java new file mode 100755 index 0000000..3572bec --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriteriaBuilder.java @@ -0,0 +1,37 @@ +package org.openliberty.openaz.pepapi.std; + + + +import java.util.HashSet; +import java.util.Set; + + +public final class ObligationCriteriaBuilder { + + private Set<ObligationCriterion> criteria = new HashSet<ObligationCriterion>(); + + public ObligationCriteriaBuilder matchAttribute(String attributeId) { + criteria.add(new ObligationAttributeCriterion(attributeId)); + return this; + } + + public ObligationCriteriaBuilder matchAttributeWithAnyGivenValue(String attributeId, + String... values) { + criteria.add(new ObligationAttributeCriterion(attributeId, values)); + return this; + } + + public ObligationCriteriaBuilder matchAnyObligationId(String... obligationIds) { + criteria.add(new ObligationIdCriterion(obligationIds)); + return this; + } + + public ObligationCriteriaBuilder matchAnyObligation() { + criteria.add(new MatchAnyCriterion()); + return this; + } + + public final ObligationCriteria build() { + return new ObligationCriteria(criteria); + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriterion.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriterion.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriterion.java new file mode 100755 index 0000000..82d8af1 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationCriterion.java @@ -0,0 +1,10 @@ +package org.openliberty.openaz.pepapi.std; + + +import org.openliberty.openaz.pepapi.Obligation; + +public interface ObligationCriterion { + + public boolean match(Obligation obligation); + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationIdCriterion.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationIdCriterion.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationIdCriterion.java new file mode 100755 index 0000000..3763b87 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ObligationIdCriterion.java @@ -0,0 +1,25 @@ +package org.openliberty.openaz.pepapi.std; + +import org.openliberty.openaz.pepapi.Obligation; + +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; + +public final class ObligationIdCriterion implements ObligationCriterion { + + private Set<String> obligationIdSet; + + public ObligationIdCriterion(String... obligationIds){ + this.obligationIdSet = new HashSet<String>(); + if(obligationIds != null) { + this.obligationIdSet.addAll(Arrays.asList(obligationIds)); + } + } + + @Override + public boolean match(Obligation obligation) { + return this.obligationIdSet.contains(obligation.getId()); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/PepUtils.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/PepUtils.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/PepUtils.java new file mode 100755 index 0000000..983a811 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/PepUtils.java @@ -0,0 +1,84 @@ +package org.openliberty.openaz.pepapi.std; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import java.io.*; +import java.util.Properties; + +/** + * + */ +public class PepUtils { + + private static final Log logger = LogFactory.getLog(PepUtils.class); + + public static Class<?> loadClass(String className) { + ClassLoader currentClassLoader = PepUtils.class.getClassLoader(); + Class<?> clazz; + try { + clazz = currentClassLoader.loadClass(className); + } catch (ClassNotFoundException e) { + ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader(); + try { + clazz = contextClassLoader.loadClass(className); + } catch (ClassNotFoundException e1) { + throw new IllegalArgumentException(e); + } + } + return clazz; + } + + + public static <T> T instantiateClass(Class<T> clazz) { + try { + return clazz.newInstance(); + } catch (InstantiationException e) { + throw new IllegalArgumentException(e); + } catch (IllegalAccessException e) { + throw new IllegalArgumentException(e); + } + } + + + public static Properties loadProperties(String propertyFile) { + Properties properties = new Properties(); + + //Try the location as a file first. + File file = new File(propertyFile); + InputStream in; + if(file.exists() && file.canRead()) { + if (!file.isAbsolute()) { + file = file.getAbsoluteFile(); + } + try { + in = new FileInputStream(file); + } catch (FileNotFoundException e) { + logger.info(propertyFile + " is not a file."); + } + } + + in = PepUtils.class.getResourceAsStream(propertyFile); + + if(in == null) { + logger.error("Invalid classpath of file location: " + propertyFile); + throw new IllegalArgumentException("Invalid classpath or file location: " + propertyFile); + } + + try { + properties.load(in); + } catch (IOException e) { + logger.error(e); + throw new IllegalArgumentException(e); + } finally { + if(in != null) { + try { + in.close(); + } catch (IOException e) { + logger.debug("Error closing stream", e); + } + } + } + return properties; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ResourceMapper.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ResourceMapper.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ResourceMapper.java new file mode 100755 index 0000000..113d781 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ResourceMapper.java @@ -0,0 +1,22 @@ +package org.openliberty.openaz.pepapi.std; + + +import org.openliberty.openaz.pepapi.Resource; + +/** + * Created by ajith on 12/11/14. + */ +public class ResourceMapper extends CategoryContainerMapper { + + public ResourceMapper() { + super(Resource.class); + } + + @Override + protected String resolveAttributeId(String attributeId) { + if(attributeId.equals(Resource.RESOURCE_ID_KEY)) { + return getPepConfig().getDefaultResourceId(); + } + return attributeId; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdAdvice.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdAdvice.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdAdvice.java new file mode 100755 index 0000000..6649bac --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdAdvice.java @@ -0,0 +1,47 @@ +package org.openliberty.openaz.pepapi.std; + +import com.att.research.xacml.api.AttributeAssignment; +import org.openliberty.openaz.pepapi.Advice; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + + +final class StdAdvice implements Advice { + + private com.att.research.xacml.api.Advice wrappedAdvice; + + StdAdvice(com.att.research.xacml.api.Advice advice) { + this.wrappedAdvice = advice; + } + + /** + * Return the Id for this Advice. + * + * @return a string containing the Id of this Advice + */ + public String getId(){ + return wrappedAdvice.getId().stringValue(); + } + + @Override + public Map<String, Object[]> getAttributeMap() { + Map<String, List<Object>> map = new HashMap<String, List<Object>>(); + for(AttributeAssignment a: wrappedAdvice.getAttributeAssignments()) { + String attributeId = a.getAttributeId().stringValue(); + List<Object> values = map.get(attributeId); + if(values == null) { + values = new ArrayList<Object>(); + map.put(attributeId, values); + } + values.add(a.getAttributeValue().getValue()); + } + Map<String, Object[]> attributeMap = new HashMap<String, Object[]>(); + for(Map.Entry<String, List<Object>> e: map.entrySet()) { + attributeMap.put(e.getKey(), e.getValue().toArray(new Object[1])); + } + return attributeMap; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdMapperRegistry.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdMapperRegistry.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdMapperRegistry.java new file mode 100755 index 0000000..1c05ab3 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdMapperRegistry.java @@ -0,0 +1,99 @@ +package org.openliberty.openaz.pepapi.std; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.*; + +import java.util.HashMap; +import java.util.List; +import java.util.Map; + + +public final class StdMapperRegistry implements MapperRegistry { + + private static final Log logger = LogFactory.getLog(StdMapperRegistry.class); + + private final Map<Class<?>, ObjectMapper> map; + + private PepConfig pepConfig; + + private StdMapperRegistry(PepConfig pepConfig) { + //Register defaults. + this.pepConfig = pepConfig; + map = new HashMap<Class<?>, ObjectMapper>(); + registerMapper(new CollectionMapper()); + registerMapper(new ArrayMapper()); + registerMapper(new SubjectMapper()); + registerMapper(new ActionMapper()); + registerMapper(new ResourceMapper()); + registerMapper(new CategoryContainerMapper(Environment.class)); + registerMapper(new CategoryContainerMapper(CategoryContainer.class)); + registerMapper(new ActionResourcePairMapper()); + } + + public static MapperRegistry newInstance(PepConfig pepConfig) { + return new StdMapperRegistry(pepConfig); + } + + public static MapperRegistry newInstance(PepConfig pepConfig, List<ObjectMapper> mappers) { + MapperRegistry mapperRegistry = newInstance(pepConfig); + if(mappers != null) { + mapperRegistry.registerMappers(mappers); + } + return mapperRegistry; + } + + @Override + public void registerMapper(ObjectMapper mapper) { + mapper.setPepConfig(pepConfig); + mapper.setMapperRegistry(this); + map.put(mapper.getMappedClass(), mapper); + } + + @Override + public void registerMappers(Iterable<? extends ObjectMapper> mappers) { + for(ObjectMapper mapper: mappers) { + registerMapper(mapper); + } + } + + @Override + public ObjectMapper getMapper(Class<?> clazz) { + ObjectMapper mapper = null; + Class<?> c = clazz; + while(mapper == null && !c.equals(Object.class)) { + mapper = getClassMapper(c); + c = c.getSuperclass(); + } + + //Handle Arrays. + if(mapper == null) { + if(clazz.isArray()) { + mapper = getMapper(Object[].class); + } + } + + if(mapper != null) { + logger.debug("Mapper :" + mapper.getClass().getName() + " found for class: " + clazz); + return mapper; + }else { + throw new PepException("No ObjectMapper found for Object of Class: " + clazz); + } + } + + private ObjectMapper getClassMapper(Class<?> clazz) { + ObjectMapper mapper = map.get(clazz); + if(mapper == null) { + Class<?>[] interfaces = clazz.getInterfaces(); + if(interfaces != null && interfaces.length > 0) { + for(Class<?> inf: interfaces) { + mapper = map.get(inf); + if(mapper != null) { + break; + } + } + } + } + return mapper; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligation.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligation.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligation.java new file mode 100755 index 0000000..d2fd1ca --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligation.java @@ -0,0 +1,48 @@ +package org.openliberty.openaz.pepapi.std; + +import com.att.research.xacml.api.AttributeAssignment; +import org.openliberty.openaz.pepapi.Obligation; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + + +final class StdObligation implements Obligation { + + private com.att.research.xacml.api.Obligation wrappedObligation; + + StdObligation(com.att.research.xacml.api.Obligation obligation) { + this.wrappedObligation = obligation; + } + + /** + * Return the Id for this Obligation. + * + * @return a string containing the Id of this Obligation + */ + public String getId(){ + return wrappedObligation.getId().stringValue(); + } + + @Override + public Map<String, Object[]> getAttributeMap() { + Map<String, List<Object>> map = new HashMap<String, List<Object>>(); + for(AttributeAssignment a: wrappedObligation.getAttributeAssignments()) { + String attributeId = a.getAttributeId().stringValue(); + List<Object> values = map.get(attributeId); + if(values == null) { + values = new ArrayList<Object>(); + map.put(attributeId, values); + } + values.add(a.getAttributeValue().getValue()); + } + + Map<String, Object[]> attributeMap = new HashMap<String, Object[]>(); + for(Map.Entry<String, List<Object>> e: map.entrySet()) { + attributeMap.put(e.getKey(), e.getValue().toArray(new Object[1])); + } + return attributeMap; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligationHandlerRegistry.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligationHandlerRegistry.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligationHandlerRegistry.java new file mode 100755 index 0000000..488ce5b --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligationHandlerRegistry.java @@ -0,0 +1,106 @@ +package org.openliberty.openaz.pepapi.std; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.Obligation; +import org.openliberty.openaz.pepapi.ObligationHandler; +import org.openliberty.openaz.pepapi.ObligationHandlerRegistry; +import org.openliberty.openaz.pepapi.Attribute; +import org.openliberty.openaz.pepapi.MatchAllObligationAttributes; +import org.openliberty.openaz.pepapi.MatchAnyObligation; +import org.openliberty.openaz.pepapi.Matchable; + +import java.lang.annotation.Annotation; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +/** + * An <code>ObligationHandlerRegistry</code> implementation that accept handler classes that are either ObligationHandler instances + * or contain any of the following annotations - <code> @MatchAnyObligation, @MatchAllObligationAttributes</code> + * that represents Obligation criteria for registration. + * + * @author Ajith Nair + * + */ +public class StdObligationHandlerRegistry implements ObligationHandlerRegistry { + + private static final Log logger = LogFactory.getLog(StdObligationHandlerRegistry.class); + + private final Map<Class<?>, Matchable<Obligation>> oHandlerCriteriaMap; + + private StdObligationHandlerRegistry(List<?> oHandlers) { + oHandlerCriteriaMap = new HashMap<Class<?>, Matchable<Obligation>>(); + for (Object oHandler : oHandlers) { + Class<?> oHandlerClass = oHandler.getClass(); + Matchable<Obligation> matchable = null; + if(oHandler instanceof ObligationHandler) { + matchable = (ObligationHandler)oHandler; + }else { + matchable = processAnnotation(oHandlerClass); + } + + if (matchable != null) { + oHandlerCriteriaMap.put(oHandlerClass, matchable); + }else { + logger.error("Obligation Handler Class: " + oHandlerClass + + " is not an instance of ObligationHandler or doesn't contain a valid Annotation"); + throw new IllegalArgumentException("Obligation Handler Class: " + oHandlerClass + + " is not an instance of ObligationHandler or doesn't contain a valid Annotation"); + } + } + } + + /** + * Process Annotations in the classes provided and translate those into <code>ObligationCriteria</code>. + * + * @param oHandlerClass + * @return an ObligationCriteria instance. + */ + private ObligationCriteria processAnnotation(Class<?> oHandlerClass) { + ObligationCriteria criteria = null; + for (Annotation a : oHandlerClass.getAnnotations()) { + if (a.annotationType().equals(MatchAnyObligation.class)) { + String[] obligationIds = ((MatchAnyObligation) a).value(); + ObligationCriteriaBuilder criteriaBuilder = new ObligationCriteriaBuilder(); + if (obligationIds != null && obligationIds.length > 0) { + criteriaBuilder.matchAnyObligationId(obligationIds); + } else { + criteriaBuilder.matchAnyObligation(); + } + criteria = criteriaBuilder.build(); + } else if (a.annotationType().equals(MatchAllObligationAttributes.class)) { + ObligationCriteriaBuilder criteriaBuilder = new ObligationCriteriaBuilder(); + MatchAllObligationAttributes attributeObligationAnnotation = + (MatchAllObligationAttributes) a; + for (Attribute attribute : attributeObligationAnnotation.value()) { + String attributeId = attribute.id(); + String[] anyValue = attribute.anyValue(); + if (anyValue != null && anyValue.length > 0) { + criteriaBuilder.matchAttributeWithAnyGivenValue( + attributeId, anyValue); + } else { + criteriaBuilder.matchAttribute(attributeId); + } + } + criteria = criteriaBuilder.build(); + } + } + return criteria; + } + + /** + * Returns a new instance of <code>StdObligationHandlerRegistry</code>. + * + * @param oHandlers + * @return + */ + public static ObligationHandlerRegistry newInstance(List<?> oHandlers) { + return new StdObligationHandlerRegistry(oHandlers); + } + + @Override + public Map<Class<?>, Matchable<Obligation>> getRegisteredHandlerMap() { + return this.oHandlerCriteriaMap; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligationRouter.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligationRouter.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligationRouter.java new file mode 100755 index 0000000..6cf3b2c --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdObligationRouter.java @@ -0,0 +1,87 @@ +package org.openliberty.openaz.pepapi.std; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.Obligation; +import org.openliberty.openaz.pepapi.ObligationHandlerRegistry; +import org.openliberty.openaz.pepapi.ObligationRouter; +import org.openliberty.openaz.pepapi.UnhandleableObligationException; +import org.openliberty.openaz.pepapi.Matchable; + +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Set; + +/** + * Entity that routes obligations at runtime. + * + * @see org.openliberty.openaz.pepapi.Obligation + * @author Ajith Nair + */ +public final class StdObligationRouter implements ObligationRouter { + + private static final Log logger = LogFactory.getLog(StdObligationRouter.class); + + private final ObligationHandlerRegistry registrationHandler; + + private final ThreadLocalObligationStore obligationStore; + + StdObligationRouter(ObligationHandlerRegistry registrationHandler, + ThreadLocalObligationStore threadLocalOStore) { + this.registrationHandler = registrationHandler; + this.obligationStore = threadLocalOStore; + } + + public static StdObligationRouter newInstance( + ObligationHandlerRegistry registrationHandler, + ThreadLocalObligationStore threadLocalOStore) { + return new StdObligationRouter(registrationHandler, + threadLocalOStore); + } + + /** + * Handles runtime obligations and routes to appropriate policy enforcement points as required. + * + * @param obligationMap a <code>Map</code> of <code>Obligation</code>s keyed by Obligation ID. + * @throws org.openliberty.openaz.pepapi.UnhandleableObligationException if an Obligation cannot be handled/routed. + */ + @Override + public void routeObligations(Map<String, Obligation> obligationMap) { + //Clear any stale Obligations on the current thread. + obligationStore.clear(); + if(obligationMap != null) { + Map<Class<?>, Set<Obligation>> obligationMapByHandlerClass + = new HashMap<Class<?>, Set<Obligation>>(); + for(Entry<String, Obligation> oe: obligationMap.entrySet()) { + boolean isObligationHandleable = false; + String obligationId = oe.getKey(); + Obligation obligation = oe.getValue(); + for(Entry<Class<?>, Matchable<Obligation>> pe : + this.registrationHandler.getRegisteredHandlerMap().entrySet()) { + Class<?> handlerClass = pe.getKey(); + Matchable<Obligation> matchable = pe.getValue(); + if(matchable.match(obligation)) { + Set<Obligation> handlerObligationSet = obligationMapByHandlerClass.get(handlerClass); + if(handlerObligationSet == null){ + handlerObligationSet = new HashSet<Obligation>(); + obligationMapByHandlerClass.put(handlerClass, handlerObligationSet); + } + handlerObligationSet.add(obligation); + isObligationHandleable = true; + if(logger.isDebugEnabled()) { + logger.debug("Obligation - " + obligationId + " matched by Handler - " + handlerClass); + } + } + } + if(!isObligationHandleable) { + throw new UnhandleableObligationException( + "No ObligationHandlers available for handling Obligation: " + + oe.getKey()); + } + } + obligationStore.setObligations(obligationMapByHandlerClass); + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepAgent.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepAgent.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepAgent.java new file mode 100755 index 0000000..519eefb --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepAgent.java @@ -0,0 +1,192 @@ +package org.openliberty.openaz.pepapi.std; + +import com.att.research.xacml.api.Request; +import com.att.research.xacml.api.Response; +import com.att.research.xacml.api.Result; +import com.att.research.xacml.api.pdp.PDPEngine; +import com.att.research.xacml.api.pdp.PDPEngineFactory; +import com.att.research.xacml.api.pdp.PDPException; +import com.att.research.xacml.std.json.JSONRequest; +import com.att.research.xacml.std.json.JSONResponse; +import com.att.research.xacml.std.json.JSONStructureException; +import com.att.research.xacml.util.FactoryException; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.*; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; +import java.util.Properties; + + +final class StdPepAgent implements PepAgent { + + @SuppressWarnings("unused") + private static final Log logger = LogFactory.getLog(StdPepAgent.class); + + private Properties xacmlProperties; + + private PepConfig pepConfig; + + private PDPEngine pdpEngine; + + private PDPEngineFactory pdpEngineFactory; + + private List<ObligationStoreAware> obligationHandlers; + + private PepRequestFactory pepRequestFactory; + + private PepResponseFactory pepResponseFactory; + + StdPepAgent() { + obligationHandlers = new ArrayList<ObligationStoreAware>(); + } + + final void initialize() { + assert(pdpEngineFactory != null); + + //Instantiate PDPEngine + if(pdpEngine == null) { + try { + pdpEngine = pdpEngineFactory.newEngine(xacmlProperties); + } catch (FactoryException e) { + throw new PepException(e); + } + } + + List<ObjectMapper> objectMappers = new ArrayList<ObjectMapper>(); + for(String mapperClassName: pepConfig.getMapperClassNames()) { + Class<? extends ObjectMapper> clazz = (Class<? extends ObjectMapper>)PepUtils.loadClass(mapperClassName); + objectMappers.add(PepUtils.instantiateClass(clazz)); + } + MapperRegistry mapperRegistry = StdMapperRegistry.newInstance(pepConfig, objectMappers); + + ObligationRouter oRouter = null; + if(!obligationHandlers.isEmpty()) { + ObligationHandlerRegistry oHandlerRegistry = StdObligationHandlerRegistry.newInstance(obligationHandlers); + ThreadLocalObligationStore oStore = ThreadLocalObligationStore.newInstance(); + for(ObligationStoreAware oHandler: obligationHandlers) { + oHandler.setObligationStore(oStore); + } + oRouter = StdObligationRouter.newInstance(oHandlerRegistry, oStore); + } + + //Instantiate PepRequestFactory + pepRequestFactory = new StdPepRequestFactory(pepConfig, mapperRegistry); + //Instantiate PepResponseFactory + pepResponseFactory = new StdPepResponseFactory(pepConfig, oRouter); + } + + @Override + public PepResponse decide(Object... objects) { + return decide(pepRequestFactory.newPepRequest(objects)).get(0); + } + + @Override + public PepResponse simpleDecide(String subjectId, String actionId, + String resourceId) { + return decide(Subject.newInstance(subjectId), Action.newInstance(actionId), Resource.newInstance(resourceId)); + } + + @Override + public List<PepResponse> bulkDecide(List<?> actionResourcePairs, Object... objects) { + return decide(pepRequestFactory.newBulkPepRequest(actionResourcePairs, objects)); + } + + private List<PepResponse> decide(PepRequest pepRequest) { + List<PepResponse> pepResponses = new ArrayList<PepResponse>(); + Request request = pepRequest.getWrappedRequest(); + + //Log request + if(logger.isDebugEnabled()) { + logRequest(request); + } + + Response response; + try { + response = pdpEngine.decide(request); + } catch (PDPException e) { + logger.error(e); + throw new PepException(e); + } + + //Log the response + if(logger.isDebugEnabled()) { + logResponse(response); + } + + for(Result result: response.getResults()) { + pepResponses.add(pepResponseFactory.newPepResponse(result)); + } + return pepResponses; + } + + private void logRequest(Request request) { + ByteArrayOutputStream out = new ByteArrayOutputStream(); + try { + JSONRequest.convert(request, out); + logger.debug(out.toString("UTF-8")); + } catch (IOException e) { + logger.debug("Error printing XACML request in JSON", e); + } catch (JSONStructureException e) { + logger.debug("Error printing XACML request in JSON", e); + }finally { + if(out != null) { + try { + out.close(); + } catch (IOException e) { + logger.debug("Error closing stream"); + } + } + } + } + + private void logResponse(Response response) { + ByteArrayOutputStream out = new ByteArrayOutputStream(); + try { + JSONResponse.convert(response, out); + logger.debug(out.toString("UTF-8")); + } catch (IOException e) { + logger.debug("Error printing XACML response in JSON", e); + } catch (JSONStructureException e) { + logger.debug("Error printing XACML response in JSON", e); + }finally { + if(out != null) { + try { + out.close(); + } catch (IOException e) { + logger.debug("Error closing stream"); + } + } + } + } + + public PDPEngine getPdpEngine() { + return pdpEngine; + } + + public PepConfig getPepConfig() { + return pepConfig; + } + + void setPdpEngineFactory(PDPEngineFactory pdpEngineFactory) { + this.pdpEngineFactory = pdpEngineFactory; + } + + void setPepConfig(PepConfig pepConfig) { + this.pepConfig = pepConfig; + } + + void setXacmlProperties(Properties properties) { + this.xacmlProperties = properties; + } + + void setObligationHandlers(List<ObligationStoreAware> obligationHandlers) { + if(obligationHandlers != null) { + this.obligationHandlers = new ArrayList<ObligationStoreAware>(); + this.obligationHandlers.addAll(obligationHandlers); + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepAgentFactory.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepAgentFactory.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepAgentFactory.java new file mode 100755 index 0000000..bcff6fd --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepAgentFactory.java @@ -0,0 +1,59 @@ +package org.openliberty.openaz.pepapi.std; + +import com.att.research.xacml.api.pdp.PDPEngineFactory; +import com.att.research.xacml.util.FactoryException; +import org.openliberty.openaz.pepapi.*; + +import java.util.List; +import java.util.Properties; + + +public class StdPepAgentFactory implements PepAgentFactory { + + private volatile PepAgent pepAgent; + + private PDPEngineFactory pdpEngineFactory; + + private Properties xacmlProperties; + + private PepConfig pepConfig; + + private List<ObligationStoreAware> obligationHandlers; + + public StdPepAgentFactory(String propertyFile) { + this(PepUtils.loadProperties(propertyFile)); + } + + public StdPepAgentFactory(Properties properties) { + this.xacmlProperties = properties; + this.pepConfig = new StdPepConfig(properties); + try { + //FIXME: Error when invoking newInstance() with properties. + pdpEngineFactory = PDPEngineFactory.newInstance(); + } catch (FactoryException e) { + throw new PepException(e); + } + } + + @Override + public PepAgent getPepAgent() { + if(pepAgent == null) { + synchronized(this) { + if(this.pepAgent == null) { + StdPepAgent pa = new StdPepAgent(); + pa.setPepConfig(pepConfig); + pa.setXacmlProperties(xacmlProperties); + pa.setPdpEngineFactory(pdpEngineFactory); + pa.setObligationHandlers(obligationHandlers); + pa.initialize(); + pepAgent = pa; + } + } + } + return pepAgent; + } + + public void setObligationHandlers(List<ObligationStoreAware> obligationHandlers) { + this.obligationHandlers = obligationHandlers; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepConfig.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepConfig.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepConfig.java new file mode 100755 index 0000000..7aee915 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepConfig.java @@ -0,0 +1,144 @@ +package org.openliberty.openaz.pepapi.std; + +import com.att.research.xacml.api.XACML3; +import com.google.common.base.Splitter; +import org.apache.commons.lang3.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.PepConfig; +import org.openliberty.openaz.pepapi.PepResponseBehavior; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.Properties; + + +public final class StdPepConfig implements PepConfig { + + private static final Log logger = LogFactory.getLog(StdPepConfig.class); + + private static final String PEP_ISSUER = "pep.issuer"; + + private static final String PEP_DEFAULT_SUBJECT_ID = "pep.subject.id"; + + private static final String PEP_DEFAULT_ACTION_ID = "pep.action.id"; + + private static final String PEP_DEFAULT_RESOURCE_ID = "pep.resource.id"; + + private static final String PEP_INDETERMINATE_BEHAVIOR = "pep.indeterminate.behavior"; + + private static final String PEP_NOTAPPLICABLE_BEHAVIOR = "pep.notapplicable.behavior"; + + private static final String PEP_MAPPER_CLASSES = "pep.mapper.classes"; + + private String issuer; + + private String subjectIdURI; + + private String actionIdURI; + + private String resourceIdURI; + + private PepResponseBehavior indeterminateBehavior; + + private PepResponseBehavior notApplicableBehavior; + + private List<String> mapperClassNames; + + public StdPepConfig() { + //Defaults + subjectIdURI = XACML3.ID_SUBJECT_SUBJECT_ID.stringValue(); + actionIdURI = XACML3.ID_ACTION_ACTION_ID.stringValue(); + resourceIdURI = XACML3.ID_RESOURCE_RESOURCE_ID.stringValue(); + indeterminateBehavior = PepResponseBehavior.THROW_EXCEPTION; + notApplicableBehavior = PepResponseBehavior.RETURN_NO; + mapperClassNames = Collections.EMPTY_LIST; + } + + public StdPepConfig(Properties properties) { + this(); + issuer = properties.getProperty(PEP_ISSUER); + + String subjectIdURI = properties.getProperty(PEP_DEFAULT_SUBJECT_ID); + if(!StringUtils.isEmpty(subjectIdURI)){ + this.subjectIdURI = subjectIdURI; + } + + String actionIdURI = properties.getProperty(PEP_DEFAULT_ACTION_ID); + if(!StringUtils.isEmpty(actionIdURI)) { + this.actionIdURI = actionIdURI; + } + + String resourceIdURI = properties.getProperty(PEP_DEFAULT_RESOURCE_ID); + if(!StringUtils.isEmpty(resourceIdURI)) { + this.resourceIdURI = resourceIdURI; + } + + String indeterminateString = properties.getProperty(PEP_INDETERMINATE_BEHAVIOR); + if(!StringUtils.isEmpty(indeterminateString)) { + PepResponseBehavior indeterminateBehavior = PepResponseBehavior.valueOf(indeterminateString); + if(indeterminateBehavior == null) { + logger.error("Invalid indeterminate behavior found in configuration."); + //TODO: Throw exception ? + } + this.indeterminateBehavior = indeterminateBehavior; + } + + String notapplicableString = properties.getProperty(PEP_NOTAPPLICABLE_BEHAVIOR); + if(!StringUtils.isEmpty(notapplicableString)) { + PepResponseBehavior notApplicableBehavior = PepResponseBehavior.valueOf(notapplicableString); + if(notApplicableBehavior == null) { + logger.error("Invalid notapplicable behavior found in configuration."); + //TODO: Throw exception ? + } + this.notApplicableBehavior = notApplicableBehavior; + } + + + String mapperClassNameString = properties.getProperty(PEP_MAPPER_CLASSES); + if(!StringUtils.isEmpty(mapperClassNameString)) { + List mapperClassNames = new ArrayList<String>(); + for(String className: Splitter.on(",").omitEmptyStrings().trimResults().split(mapperClassNameString)) { + mapperClassNames.add(className); + } + this.mapperClassNames = Collections.unmodifiableList(mapperClassNames); + } + + } + + @Override + public String getIssuer() { + return issuer; + } + + @Override + public String getDefaultSubjectId() { + return subjectIdURI; + } + + @Override + public String getDefaultResourceId() { + return resourceIdURI; + } + + @Override + public String getDefaultActionId() { + return actionIdURI; + } + + @Override + public PepResponseBehavior getIndeterminateBehavior() { + return indeterminateBehavior; + } + + @Override + public PepResponseBehavior getNotApplicableBehavior() { + return notApplicableBehavior; + } + + @Override + public List<String> getMapperClassNames() { + return mapperClassNames; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequest.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequest.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequest.java new file mode 100755 index 0000000..3b08374 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequest.java @@ -0,0 +1,91 @@ +package org.openliberty.openaz.pepapi.std; + +import com.att.research.xacml.api.Identifier; +import com.att.research.xacml.api.Request; +import com.att.research.xacml.std.StdMutableRequest; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.*; + +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.atomic.AtomicInteger; + + +final class StdPepRequest implements PepRequest { + + private static final String REQUEST_ATTR_ID_PREFIX = "attributes"; + + private static final Log logger = LogFactory.getLog(StdPepRequest.class); + + private final StdMutableRequest wrappedRequest; + + private final Map<Identifier, PepRequestAttributes> pepRequestAttributesMapByCategory; + + private final MapperRegistry mapperRegistry; + + private final PepConfig pepConfig; + + private final Object[] requestObjects; + + private final AtomicInteger idCounter; + + static StdPepRequest newInstance(PepConfig pepConfig, MapperRegistry mapperRegistry, Object[] requestObjects) { + StdPepRequest stdPepRequest = new StdPepRequest(pepConfig, mapperRegistry, requestObjects); + stdPepRequest.map(); + return stdPepRequest; + } + + /** + * + * @return + */ + private String generateRequestAttributesXmlId() { + return REQUEST_ATTR_ID_PREFIX + idCounter.getAndIncrement(); + } + + private StdPepRequest(PepConfig pepConfig, MapperRegistry mapperRegistry, Object[] requestObjects) { + this.pepConfig = pepConfig; + this.mapperRegistry = mapperRegistry; + this.requestObjects = requestObjects; + this.pepRequestAttributesMapByCategory = new HashMap<Identifier, PepRequestAttributes>(); + this.idCounter = new AtomicInteger(1); + this.wrappedRequest = new StdMutableRequest(); + } + + @Override + public PepRequestAttributes getPepRequestAttributes(Identifier categoryIdentifier) { + PepRequestAttributes pepRequestAttributes = pepRequestAttributesMapByCategory.get(categoryIdentifier); + if(pepRequestAttributes == null) { + String xmlId = generateRequestAttributesXmlId(); + StdPepRequestAttributes p = new StdPepRequestAttributes(xmlId, categoryIdentifier); + p.setIssuer(pepConfig.getIssuer()); + pepRequestAttributes = p; + pepRequestAttributesMapByCategory.put(categoryIdentifier, pepRequestAttributes); + wrappedRequest.add(pepRequestAttributes.getWrappedRequestAttributes()); + } + return pepRequestAttributes; + } + + private void map() { + if(requestObjects == null) { + throw new IllegalArgumentException("One or more arguments are null"); + } + for(Object o: requestObjects) { + if(o == null) { + throw new IllegalArgumentException("One or more arguments are null"); + } + ObjectMapper mapper = mapperRegistry.getMapper(o.getClass()); + if(mapper == null) { + throw new IllegalArgumentException("No mappers found for class: " + o.getClass().getName()); + } + mapper.map(o, this); + } + } + + @Override + public Request getWrappedRequest() { + return wrappedRequest; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequestAttributes.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequestAttributes.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequestAttributes.java new file mode 100755 index 0000000..40a0409 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequestAttributes.java @@ -0,0 +1,125 @@ +package org.openliberty.openaz.pepapi.std; + +import com.att.research.xacml.api.Identifier; +import com.att.research.xacml.api.RequestAttributes; +import com.att.research.xacml.api.XACML3; +import com.att.research.xacml.std.IdentifierImpl; +import com.att.research.xacml.std.StdAttributeValue; +import com.att.research.xacml.std.StdMutableAttribute; +import com.att.research.xacml.std.StdMutableRequestAttributes; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.PepRequestAttributes; + +import java.net.URI; +import java.util.Date; +import java.util.HashMap; +import java.util.Map; + + +final class StdPepRequestAttributes implements PepRequestAttributes { + + private static final Log log = LogFactory.getLog(StdPepRequestAttributes.class); + + private final String id; + + private final Identifier categoryIdentifier; + + private String issuer; + + private StdMutableRequestAttributes wrappedRequestAttributes; + + //Internal map to hold mutable attributes as StdMutableRequestAttributes + // does not return a mutable view of Attributes. + private Map<Identifier, StdMutableAttribute> attributeMapById; + + StdPepRequestAttributes(String id, Identifier categoryIdentifier) { + this.id = id; + this.categoryIdentifier = categoryIdentifier; + this.attributeMapById = new HashMap<Identifier, StdMutableAttribute>(); + this.wrappedRequestAttributes = new StdMutableRequestAttributes(); + this.wrappedRequestAttributes.setCategory(categoryIdentifier); + this.wrappedRequestAttributes.setXmlId(id); + } + + @Override + public Identifier getCategory() { + return categoryIdentifier; + } + + @Override + public void addAttribute(String name, Date... values) { + addAttribute(name, values, XACML3.ID_DATATYPE_DATE); + } + + @Override + public void addAttribute(String name, String... values) { + addAttribute(name, values, XACML3.ID_DATATYPE_STRING); + } + + @Override + public void addAttribute(String name, Integer... values) { + addAttribute(name, values, XACML3.ID_DATATYPE_INTEGER); + } + + @Override + public void addAttribute(String name, Boolean... values) { + addAttribute(name, values, XACML3.ID_DATATYPE_BOOLEAN); + } + + @Override + public void addAttribute(String name, Long... values) { + addAttribute(name, values, XACML3.ID_DATATYPE_INTEGER); + } + + @Override + public void addAttribute(String name, Double... values) { + addAttribute(name, values, XACML3.ID_DATATYPE_DOUBLE); + } + + @Override + public void addAttribute(String name, URI... values) { + addAttribute(name, values, XACML3.ID_DATATYPE_ANYURI); + } + + private <T> void addAttribute(String name, T[] values, Identifier dataTypeId) { + if(values == null) { + throw new IllegalArgumentException("Null attribute value provided for attribute: " + name); + } + Identifier attributeId = new IdentifierImpl(name); + StdMutableAttribute mutableAttribute = attributeMapById.get(attributeId); + if(mutableAttribute == null) { + mutableAttribute = new StdMutableAttribute(); + mutableAttribute.setAttributeId(new IdentifierImpl(name)); + mutableAttribute.setCategory(categoryIdentifier); + mutableAttribute.setIncludeInResults(false); + mutableAttribute.setIssuer(issuer == null?"":issuer); + attributeMapById.put(attributeId, mutableAttribute); + wrappedRequestAttributes.add(mutableAttribute); + } + for(T value: values) { + if(value != null) { + mutableAttribute.addValue(new StdAttributeValue<T>(dataTypeId, value)); + } + } + } + + @Override + public RequestAttributes getWrappedRequestAttributes() { + return wrappedRequestAttributes; + } + + @Override + public String getId() { + return id; + } + + public String getIssuer() { + return issuer; + } + + public void setIssuer(String issuer) { + this.issuer = issuer; + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequestFactory.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequestFactory.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequestFactory.java new file mode 100755 index 0000000..a6a81b9 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepRequestFactory.java @@ -0,0 +1,40 @@ +package org.openliberty.openaz.pepapi.std; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.MapperRegistry; +import org.openliberty.openaz.pepapi.PepConfig; +import org.openliberty.openaz.pepapi.PepRequest; +import org.openliberty.openaz.pepapi.PepRequestFactory; + +import java.util.List; + + +final class StdPepRequestFactory implements PepRequestFactory { + + private static final Log logger = LogFactory.getLog(StdPepRequestFactory.class); + + private final PepConfig pepConfig; + + private final MapperRegistry mapperRegistry; + + /** + * + * @param pepConfig + */ + StdPepRequestFactory(PepConfig pepConfig, MapperRegistry mapperRegistry) { + this.pepConfig = pepConfig; + this.mapperRegistry = mapperRegistry; + } + + @Override + public PepRequest newPepRequest(Object[] objects) { + return StdPepRequest.newInstance(pepConfig, mapperRegistry, objects); + } + + @Override + public PepRequest newBulkPepRequest(List<?> associations, Object[] objects) { + return MultiRequest.newInstance(pepConfig, mapperRegistry, associations, objects); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepResponse.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepResponse.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepResponse.java new file mode 100755 index 0000000..2a19d30 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepResponse.java @@ -0,0 +1,127 @@ +package org.openliberty.openaz.pepapi.std; + +import com.att.research.xacml.api.*; +import com.att.research.xacml.api.Attribute; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.Advice; +import org.openliberty.openaz.pepapi.Obligation; +import org.openliberty.openaz.pepapi.*; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.HashMap; +import java.util.Map; + + +final class StdPepResponse implements PepResponse { + + private static final Log logger = LogFactory.getLog(StdPepResponse.class); + + private final Result wrappedResult; + + private final PepConfig pepConfig; + + private final ObligationRouter obligationRouter; + + static PepResponse newInstance(PepConfig pepConfig, ObligationRouter obligationRouter, Result result) { + return new StdPepResponse(pepConfig, obligationRouter, result); + } + + private StdPepResponse(PepConfig pepConfig, ObligationRouter obligationRouter, Result result) { + this.pepConfig = pepConfig; + this.wrappedResult = result; + this.obligationRouter = obligationRouter; + } + + @Override + public boolean allowed() throws PepException { + if(obligationRouter != null) { + obligationRouter.routeObligations(getObligations()); + } + switch(wrappedResult.getDecision()) { + case PERMIT: + return true; + case DENY: + return false; + case NOTAPPLICABLE: + return enforceBehavior(pepConfig.getNotApplicableBehavior(), "Not Applicable"); + //TODO: Handle various indeterminate status codes. + case INDETERMINATE: + case INDETERMINATE_DENY: + case INDETERMINATE_DENYPERMIT: + case INDETERMINATE_PERMIT: + Status status = wrappedResult.getStatus(); + String formatted = String.format("Decision: Indeterminate, Status Code: %s, Status Message: %s", + status.getStatusCode(), status.getStatusMessage()); + logger.error(formatted); + throw new PepException(formatted); + default: + throw new PepException("Invalid response from PDP"); + } + } + + @Override + public Map<String, Obligation> getObligations() throws PepException { + Map<String, Obligation> obligationMap = new HashMap<String, Obligation>(); + for(com.att.research.xacml.api.Obligation wrappedObligation: wrappedResult.getObligations()) { + Obligation obligation = new StdObligation(wrappedObligation); + obligationMap.put(obligation.getId(), obligation); + } + return obligationMap; + } + + @Override + public Map<String, Advice> getAdvices() throws PepException { + Map<String, Advice> adviceMap = new HashMap<String, Advice>(); + for(com.att.research.xacml.api.Advice wrappedAdvice: wrappedResult.getAssociatedAdvice()) { + Advice advice = new StdAdvice(wrappedAdvice); + adviceMap.put(advice.getId(), advice); + } + return adviceMap; + } + + @Override + public Object getAssociation() throws PepException { + return null; + } + + @Override + public Collection<Attribute> getAttributes() { + Collection<Attribute> attributes = new ArrayList<Attribute>(); + for(AttributeCategory category: wrappedResult.getAttributes()) { + attributes.addAll(category.getAttributes()); + } + return attributes; + } + + @Override + public Map<Identifier, Collection<Attribute>> getAttributesByCategory() { + Map<Identifier, Collection<Attribute>> attributesByCategory = new HashMap<Identifier, Collection<Attribute>>(); + for(AttributeCategory category: wrappedResult.getAttributes()) { + attributesByCategory.put(category.getCategory(), category.getAttributes()); + } + return attributesByCategory; + } + + @Override + public Result getWrappedResult() { + return wrappedResult; + } + + private boolean enforceBehavior( + PepResponseBehavior pepResponseBehavior, String decision) throws PepException { + switch (pepResponseBehavior) { + case RETURN_YES: + return true; + case RETURN_NO: + return false; + case THROW_EXCEPTION: + logger.info("Throwing an exception as per configured behavior for decision: " + decision); + throw new PepException("Exception being thrown based on configured " + + "behavior for decision: " + decision); + default: + throw new PepException("Invalid PepResponseBehavior"); + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepResponseFactory.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepResponseFactory.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepResponseFactory.java new file mode 100755 index 0000000..627f80e --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/StdPepResponseFactory.java @@ -0,0 +1,29 @@ +package org.openliberty.openaz.pepapi.std; + +import com.att.research.xacml.api.Result; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.openliberty.openaz.pepapi.ObligationRouter; +import org.openliberty.openaz.pepapi.PepConfig; +import org.openliberty.openaz.pepapi.PepResponse; +import org.openliberty.openaz.pepapi.PepResponseFactory; + + +final class StdPepResponseFactory implements PepResponseFactory { + + private static final Log logger = LogFactory.getLog(StdPepResponseFactory.class); + + private PepConfig pepConfig; + + private ObligationRouter obligationRouter; + + StdPepResponseFactory(PepConfig pepConfig, ObligationRouter obligationRouter) { + this.pepConfig = pepConfig; + this.obligationRouter = obligationRouter; + } + + @Override + public PepResponse newPepResponse(Result result) { + return StdPepResponse.newInstance(pepConfig, obligationRouter, result); + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/SubjectMapper.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/SubjectMapper.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/SubjectMapper.java new file mode 100755 index 0000000..82c4bee --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/SubjectMapper.java @@ -0,0 +1,22 @@ +package org.openliberty.openaz.pepapi.std; + + +import org.openliberty.openaz.pepapi.Subject; + +/** + * Created by ajith on 12/11/14. + */ +public class SubjectMapper extends CategoryContainerMapper { + + public SubjectMapper() { + super(Subject.class); + } + + @Override + protected String resolveAttributeId(String attributeId) { + if(attributeId.equals(Subject.SUBJECT_ID_KEY)) { + return getPepConfig().getDefaultSubjectId(); + } + return attributeId; + } +} http://git-wip-us.apache.org/repos/asf/incubator-openaz/blob/94fcdd90/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ThreadLocalObligationStore.java ---------------------------------------------------------------------- diff --git a/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ThreadLocalObligationStore.java b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ThreadLocalObligationStore.java new file mode 100755 index 0000000..2c1d981 --- /dev/null +++ b/openaz-pep/src/main/java/org/openliberty/openaz/pepapi/std/ThreadLocalObligationStore.java @@ -0,0 +1,96 @@ +package org.openliberty.openaz.pepapi.std; + + +import org.openliberty.openaz.pepapi.Obligation; +import org.openliberty.openaz.pepapi.ObligationStore; + +import java.util.Collections; +import java.util.HashSet; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Set; + +/** + * Acts as a store for Obligation instances in the current thread of execution. + * + * @author Ajith Nair, David Laurance, Darshak Kothari + * + */ +public final class ThreadLocalObligationStore implements ObligationStore { + + private static final ThreadLocal<Map<Class<?>, Set<Obligation>>> obligationMapContainer = + new ThreadLocal<Map<Class<?>, Set<Obligation>>>(); + + private ThreadLocalObligationStore(){} + + public static ThreadLocalObligationStore newInstance() { + return new ThreadLocalObligationStore(); + } + + /** + * Set Obligations for the current thread of execution. + * + * @param obligationMap a <code>Map</code> containing <code>Obligation</code> instances keyed by ObligationHandler Class. + */ + void setObligations(Map<Class<?>, Set<Obligation>> obligationMap) { + if(obligationMap != null && !obligationMap.isEmpty()) { + obligationMapContainer.set(Collections.unmodifiableMap(obligationMap)); + }else { + obligationMapContainer.set(null); + } + } + + /** + * Returns all obligations in the current thread of execution. + * + * @return a <code>Set</code> of <code>Obligation</code> instances. + */ + public Set<Obligation> getAllObligations() { + Set<Obligation> allObligations = new HashSet<Obligation>(); + Map<Class<?>, Set<Obligation>> obligationMap = obligationMapContainer.get(); + if(obligationMap != null){ + for(Entry<Class<?>, Set<Obligation>> e: obligationMap.entrySet()){ + allObligations.addAll(e.getValue()); + } + } + return allObligations; + } + + /** + * Returns all obligations that the given ObligationHandler can handle, in the current thread of execution. + * + * @param oHandlerClass + * @return a <code>Set</code> of <code>Obligation</code> instances. + */ + @Override + public Set<Obligation> getHandlerObligations(Class<?> oHandlerClass) { + Set<Obligation> obligations = new HashSet<Obligation>(); + Map<Class<?>, Set<Obligation>> obligationMap = obligationMapContainer.get(); + if(obligationMap != null && obligationMap.get(oHandlerClass) != null){ + obligations.addAll(obligationMap.get(oHandlerClass)); + } + return obligations; + } + + + @Override + public Obligation getHandlerObligationById(Class<?> oHandlerClass, + String obligationId) { + Set<Obligation> obligations = getHandlerObligations(oHandlerClass); + if(obligations != null){ + for(Obligation obligation: obligations){ + if(obligation.getId().equals(obligationId)){ + return obligation; + } + } + } + return null; + } + + /** + * Clear all obligations in the current thread. + */ + void clear() { + obligationMapContainer.remove(); + } +}
