parent
57f0164e38
commit
28f1e4a662
|
@ -17,7 +17,7 @@
|
|||
</EncryptionHandler>
|
||||
<PolicyHandler class="ch.eitchnet.privilege.handler.DefaultPolicyHandler">
|
||||
<Parameters>
|
||||
<Parameter name="policyXmlFile" value="RestrictionPolicies.xml" />
|
||||
<Parameter name="policyXmlFile" value="PrivilegePolicies.xml" />
|
||||
</Parameters>
|
||||
</PolicyHandler>
|
||||
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<PrivilegePolicies>
|
||||
|
||||
<Policy name="DefaultPrivilege" class="ch.eitchnet.privilege.policy.DefaultPrivilege" />
|
||||
|
||||
</PrivilegePolicies>
|
|
@ -3,8 +3,11 @@
|
|||
|
||||
<Role name="PrivilegeAdmin" />
|
||||
<Role name="admin">
|
||||
<Privilege name="Service" />
|
||||
<Privilege name="NoRestriction" />
|
||||
</Role>
|
||||
<Role name="user" />
|
||||
<Role name="serviceExecutor">
|
||||
<Privilege name="Service" />
|
||||
</Role>
|
||||
|
||||
</PrivilegeRoles>
|
|
@ -7,8 +7,9 @@
|
|||
<State>ENABLED</State>
|
||||
<Locale>en_GB</Locale>
|
||||
<Roles>
|
||||
<Role>admin</Role>
|
||||
<Role>PrivilegeAdmin</Role>
|
||||
<Role>admin</Role>
|
||||
<Role>serviceExecutor</Role>
|
||||
</Roles>
|
||||
</User>
|
||||
|
||||
|
|
|
@ -1,10 +1,16 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<Privileges>
|
||||
|
||||
<Privilege name="Service" policy="DefaultRestriction">
|
||||
<Privilege name="NoRestriction" policy="DefaultPrivilege">
|
||||
<AllAllowed>true</AllAllowed>
|
||||
<Deny></Deny>
|
||||
<Allow></Allow>
|
||||
</Privilege>
|
||||
|
||||
<Privilege name="Service" policy="DefaultPrivilege">
|
||||
<AllAllowed>false</AllAllowed>
|
||||
<Deny></Deny>
|
||||
<Allow>ch.eitchnet.privilege.test.TestRestrictable</Allow>
|
||||
</Privilege>
|
||||
|
||||
</Privileges>
|
|
@ -1,6 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<RestrictionPolicies>
|
||||
|
||||
<Policy name="DefaultRestriction" class="ch.eitchnet.privilege.policy.DefaultRestriction" />
|
||||
|
||||
</RestrictionPolicies>
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -130,10 +130,10 @@ public class PrivilegeContainer {
|
|||
String policyHandlerClassName = policyHandlerElement.attributeValue(XmlConstants.XML_ATTR_CLASS);
|
||||
PolicyHandler policyHandler = ClassHelper.instantiateClass(policyHandlerClassName);
|
||||
|
||||
// instantiate modification handler
|
||||
Element modificationHandlerElement = containerRootElement.element(XmlConstants.XML_HANDLER_MODEL);
|
||||
String modificationHandlerClassName = modificationHandlerElement.attributeValue(XmlConstants.XML_ATTR_CLASS);
|
||||
ModelHandler modelHandler = ClassHelper.instantiateClass(modificationHandlerClassName);
|
||||
// instantiate model handler
|
||||
Element modelHandlerElement = containerRootElement.element(XmlConstants.XML_HANDLER_MODEL);
|
||||
String modelHandlerClassName = modelHandlerElement.attributeValue(XmlConstants.XML_ATTR_CLASS);
|
||||
ModelHandler modelHandler = ClassHelper.instantiateClass(modelHandlerClassName);
|
||||
|
||||
try {
|
||||
persistenceHandler.initialize(persistenceHandlerElement);
|
||||
|
@ -162,11 +162,11 @@ public class PrivilegeContainer {
|
|||
throw new PrivilegeException("PolicyHandler " + policyHandlerClassName + " could not be initialized");
|
||||
}
|
||||
try {
|
||||
modelHandler.initialize(modificationHandlerElement);
|
||||
modelHandler.initialize(modelHandlerElement);
|
||||
modelHandler.setPersistenceHandler(persistenceHandler);
|
||||
} catch (Exception e) {
|
||||
logger.error(e, e);
|
||||
throw new PrivilegeException("ModificationHandler " + modificationHandlerClassName
|
||||
throw new PrivilegeException("ModificationHandler " + modelHandlerClassName
|
||||
+ " could not be initialized");
|
||||
}
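Review bot: The exception text in the last catch block still reads `"ModificationHandler "` although the variable it reports was renamed to `modelHandlerClassName`, so a failed start-up names a handler type that the code no longer uses; it should read `throw new PrivilegeException("ModelHandler " + modelHandlerClassName`. The same catch logs `e` and then throws without it, so the caller loses the cause; if PrivilegeException has a cause-taking constructor (not visible here), pass `e` along. The enclosing method starts and ends outside these hunks.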
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ public class XmlConstants {
|
|||
public static final String XML_ROOT_PRIVILEGE_ROLES = "PrivilegeRoles";
|
||||
public static final String XML_ROOT_PRIVILEGES = "Privileges";
|
||||
public static final String XML_ROOT_PRIVILEGE_USERS = "PrivilegesUsers";
|
||||
public static final String XML_ROOT_RESTRICTION_POLICIES = "RestrictionPolicies";
|
||||
public static final String XML_ROOT_PRIVILEGE_POLICIES = "PrivilegePolicies";
|
||||
|
||||
public static final String XML_HANDLER_PERSISTENCE = "PersistenceHandler";
|
||||
public static final String XML_HANDLER_ENCRYPTION = "EncryptionHandler";
|
||||
|
|
|
@ -24,8 +24,9 @@ import ch.eitchnet.privilege.helper.ConfigurationHelper;
|
|||
import ch.eitchnet.privilege.helper.XmlHelper;
|
||||
import ch.eitchnet.privilege.i18n.PrivilegeException;
|
||||
import ch.eitchnet.privilege.model.Restrictable;
|
||||
import ch.eitchnet.privilege.model.internal.Privilege;
|
||||
import ch.eitchnet.privilege.model.internal.Role;
|
||||
import ch.eitchnet.privilege.policy.RestrictionPolicy;
|
||||
import ch.eitchnet.privilege.policy.PrivilegePolicy;
|
||||
|
||||
/**
|
||||
* @author rvonburg
|
||||
|
@ -33,7 +34,7 @@ import ch.eitchnet.privilege.policy.RestrictionPolicy;
|
|||
*/
|
||||
public class DefaultPolicyHandler implements PolicyHandler {
|
||||
|
||||
private Map<String, Class<RestrictionPolicy>> policyMap;
|
||||
private Map<String, Class<PrivilegePolicy>> policyMap;
|
||||
|
||||
/**
|
||||
* @see ch.eitchnet.privilege.handler.PolicyHandler#actionAllowed(ch.eitchnet.privilege.model.internal.Role,
|
||||
|
@ -48,26 +49,38 @@ public class DefaultPolicyHandler implements PolicyHandler {
|
|||
else if (restrictable == null)
|
||||
throw new PrivilegeException("Restrictable may not be null!");
|
||||
|
||||
// validate restriction key for this restrictable
|
||||
String restrictionKey = restrictable.getRestrictionKey();
|
||||
if (restrictionKey == null || restrictionKey.length() < 3) {
|
||||
// validate PrivilegeName for this restrictable
|
||||
String privilegeName = restrictable.getPrivilegeName();
|
||||
if (privilegeName == null || privilegeName.length() < 3) {
|
||||
throw new PrivilegeException(
|
||||
"The RestrictionKey may not be shorter than 3 characters. Invalid Restrictable "
|
||||
"The PrivilegeName may not be shorter than 3 characters. Invalid Restrictable "
|
||||
+ restrictable.getClass().getName());
|
||||
}
|
||||
|
||||
// get restriction policy class
|
||||
Class<RestrictionPolicy> policyClazz = policyMap.get(restrictionKey);
|
||||
if (policyClazz == null) {
|
||||
throw new PrivilegeException("No RestrictionPolicy exists for the RestrictionKey " + restrictionKey
|
||||
+ " for Restrictable " + restrictable.getClass().getName());
|
||||
// If the role does not have this privilege, then stop as another role might have this privilege
|
||||
if (!role.hasPrivilege(privilegeName)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// instantiate policy
|
||||
RestrictionPolicy policy = ClassHelper.instantiateClass(policyClazz);
|
||||
// get the privilege for this restrictable
|
||||
Privilege privilege = PrivilegeContainer.getInstance().getModelHandler().getPrivilege(privilegeName);
|
||||
if (privilege == null) {
|
||||
throw new PrivilegeException("No Privilege exists with the name " + privilegeName + " for Restrictable "
|
||||
+ restrictable.getClass().getName());
|
||||
}
|
||||
|
||||
// delegate checking to restriction policy
|
||||
return policy.actionAllowed(role, restrictable);
|
||||
// get the policy class configured for this privilege
|
||||
Class<PrivilegePolicy> policyClazz = policyMap.get(privilege.getPolicy());
|
||||
if (policyClazz == null) {
|
||||
throw new PrivilegeException("PrivilegePolicy " + privilege.getPolicy() + " does not exist for Privilege "
|
||||
+ privilegeName);
|
||||
}
|
||||
|
||||
// instantiate the policy
|
||||
PrivilegePolicy policy = ClassHelper.instantiateClass(policyClazz);
|
||||
|
||||
// delegate checking to privilege policy
|
||||
return policy.actionAllowed(role, privilege, restrictable);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -95,7 +108,7 @@ public class DefaultPolicyHandler implements PolicyHandler {
|
|||
+ policyFile.getAbsolutePath());
|
||||
}
|
||||
|
||||
policyMap = new HashMap<String, Class<RestrictionPolicy>>();
|
||||
policyMap = new HashMap<String, Class<PrivilegePolicy>>();
|
||||
|
||||
// parse policy xml file to XML document
|
||||
Element containerRootElement = XmlHelper.parseDocument(policyFile).getRootElement();
|
||||
|
@ -105,7 +118,7 @@ public class DefaultPolicyHandler implements PolicyHandler {
|
|||
String policyName = policyElement.attributeValue(XmlConstants.XML_ATTR_NAME);
|
||||
String policyClass = policyElement.attributeValue(XmlConstants.XML_ATTR_CLASS);
|
||||
|
||||
Class<RestrictionPolicy> clazz = ClassHelper.loadClass(policyClass);
|
||||
Class<PrivilegePolicy> clazz = ClassHelper.loadClass(policyClass);
|
||||
|
||||
policyMap.put(policyName, clazz);
|
||||
}
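Review bot: In the policy-loading loop, `Class<PrivilegePolicy> clazz = ClassHelper.loadClass(policyClass);` takes a class name from the policy XML file, and because the generic type is erased at run time nothing visible here confirms that the class implements PrivilegePolicy. Unless ClassHelper.loadClass already verifies the type (it is not shown), a wrong entry is accepted at initialization and only fails inside actionAllowed, when the instance is assigned to `PrivilegePolicy policy` during an authorization check. A guard right after the load, `if (!PrivilegePolicy.class.isAssignableFrom(clazz)) throw new PrivilegeException("Policy " + policyName + " is not a PrivilegePolicy: " + policyClass);`, would reject a bad policy file at start-up instead. Both methods begin outside the hunks shown.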
|
||||
|
|
|
@ -49,7 +49,7 @@ public interface SessionHandler extends PrivilegeContainerObject {
|
|||
public boolean isCertificateValid(Certificate certificate);
|
||||
|
||||
/**
|
||||
* @param user
|
||||
* @param username
|
||||
* @param password
|
||||
*
|
||||
* @return
|
||||
|
@ -57,5 +57,5 @@ public interface SessionHandler extends PrivilegeContainerObject {
|
|||
* @throws AccessDeniedException
|
||||
* if the user credentials are not valid
|
||||
*/
|
||||
public Certificate authenticate(String user, String password);
|
||||
public Certificate authenticate(String username, String password);
|
||||
}
|
||||
|
|
|
@ -49,7 +49,7 @@ public class BootstrapConfigurationHelper {
|
|||
|
||||
private static String hashAlgorithm = "SHA-256";
|
||||
|
||||
private static String policyXmlFile = "RestrictionPolicies.xml";
|
||||
private static String policyXmlFile = "PrivilegePolicies.xml";
|
||||
|
||||
private static String defaultPersistenceHandler = "ch.eitchnet.privilege.handler.DefaultPersistenceHandler";
|
||||
private static String defaultSessionHandler = "ch.eitchnet.privilege.handler.DefaultSessionHandler";
|
||||
|
|
|
@ -16,7 +16,7 @@ package ch.eitchnet.privilege.model;
|
|||
*/
|
||||
public interface Restrictable {
|
||||
|
||||
public String getRestrictionKey();
|
||||
public String getPrivilegeName();
|
||||
|
||||
public Object getRestrictionValue();
|
||||
public Object getPrivilegeValue();
|
||||
}
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
/*
|
||||
* Copyright (c) 2010
|
||||
*
|
||||
* Robert von Burg
|
||||
* eitch@eitchnet.ch
|
||||
*
|
||||
* All rights reserved.
|
||||
*
|
||||
*/
|
||||
|
||||
package ch.eitchnet.privilege.policy;
|
||||
|
||||
import ch.eitchnet.privilege.i18n.PrivilegeException;
|
||||
import ch.eitchnet.privilege.model.Restrictable;
|
||||
import ch.eitchnet.privilege.model.internal.Privilege;
|
||||
import ch.eitchnet.privilege.model.internal.Role;
|
||||
|
||||
/**
|
||||
* @author rvonburg
|
||||
*
|
||||
*/
|
||||
public class DefaultPrivilege implements PrivilegePolicy {
|
||||
|
||||
/**
|
||||
* @see ch.eitchnet.privilege.policy.PrivilegePolicy#actionAllowed(ch.eitchnet.privilege.model.internal.Role,
|
||||
* ch.eitchnet.privilege.model.internal.Privilege, ch.eitchnet.privilege.model.Restrictable)
|
||||
*/
|
||||
@Override
|
||||
public boolean actionAllowed(Role role, Privilege privilege, Restrictable restrictable) {
|
||||
|
||||
// validate user is not null
|
||||
if (role == null)
|
||||
throw new PrivilegeException("Role may not be null!");
|
||||
|
||||
// get the PrivilegeName
|
||||
String privilegeName = restrictable.getPrivilegeName();
|
||||
if (privilegeName == null || privilegeName.isEmpty()) {
|
||||
throw new PrivilegeException("The PrivilegeName for the Restrictable is null or empty: " + restrictable);
|
||||
}
|
||||
|
||||
// does this role have privilege for any values?
|
||||
if (privilege.isAllAllowed())
|
||||
return true;
|
||||
|
||||
// get the value on which the action is to be performed
|
||||
Object object = restrictable.getPrivilegeValue();
|
||||
|
||||
// DefaultPrivilege policy expects the privilege value to be a string
|
||||
if (!(object instanceof String)) {
|
||||
throw new PrivilegeException(Restrictable.class.getName() + " " + restrictable.getClass().getSimpleName()
|
||||
+ " has returned a non-string privilege value!");
|
||||
}
|
||||
|
||||
String privilegeValue = (String) object;
|
||||
|
||||
// first check values not allowed
|
||||
for (String denied : privilege.getDenyList()) {
|
||||
if (denied.equals(privilegeValue))
|
||||
return false;
|
||||
}
|
||||
|
||||
// now check values allowed
|
||||
for (String allowed : privilege.getAllowList()) {
|
||||
if (allowed.equals(privilegeValue))
|
||||
return true;
|
||||
}
|
||||
|
||||
// default is not allowed
|
||||
return false;
|
||||
}
|
||||
}
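Review bot: `if (privilege.isAllAllowed()) return true;` runs before the deny loop, so a Privilege configured with AllAllowed true and a non-empty Deny list silently ignores its Deny entries. If deny is meant to win, the value extraction and the deny loop belong above that check; if not, say so at the check with a comment such as `// AllAllowed overrides the deny list; Deny entries are not consulted`. The method also null-checks `role` but never reads it again, and it dereferences `restrictable` and `privilege` unguarded, so the decision relies entirely on the caller having verified `role.hasPrivilege(privilegeName)` first; that precondition is worth stating in the Javadoc.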
|
|
@ -1,80 +0,0 @@
|
|||
/*
|
||||
* Copyright (c) 2010
|
||||
*
|
||||
* Robert von Burg
|
||||
* eitch@eitchnet.ch
|
||||
*
|
||||
* All rights reserved.
|
||||
*
|
||||
*/
|
||||
|
||||
package ch.eitchnet.privilege.policy;
|
||||
|
||||
import ch.eitchnet.privilege.base.PrivilegeContainer;
|
||||
import ch.eitchnet.privilege.i18n.PrivilegeException;
|
||||
import ch.eitchnet.privilege.model.Restrictable;
|
||||
import ch.eitchnet.privilege.model.internal.Privilege;
|
||||
import ch.eitchnet.privilege.model.internal.Role;
|
||||
|
||||
/**
|
||||
* @author rvonburg
|
||||
*
|
||||
*/
|
||||
public class DefaultRestriction implements RestrictionPolicy {
|
||||
|
||||
/**
|
||||
* @see ch.eitchnet.privilege.policy.RestrictionPolicy#actionAllowed(java.lang.String,
|
||||
* ch.eitchnet.privilege.model.internal.Role, ch.eitchnet.privilege.model.Restrictable)
|
||||
*/
|
||||
@Override
|
||||
public boolean actionAllowed(Role role, Restrictable restrictable) {
|
||||
|
||||
// validate user is not null
|
||||
if (role == null)
|
||||
throw new PrivilegeException("Role may not be null!");
|
||||
|
||||
// get the restriction key
|
||||
String restrictionKey = restrictable.getRestrictionKey();
|
||||
if (restrictionKey == null || restrictionKey.isEmpty()) {
|
||||
throw new PrivilegeException("The restriction key for the Restrictable is null or empty: " + restrictable);
|
||||
}
|
||||
|
||||
// get restriction object for users role
|
||||
Privilege privilege = PrivilegeContainer.getInstance().getModelHandler().getPrivilege(restrictionKey);
|
||||
|
||||
// no restriction object means no privilege
|
||||
// TODO should default deny/allow policy be configurable?
|
||||
if (privilege == null)
|
||||
return false;
|
||||
|
||||
// does this role have privilege for any values?
|
||||
if (privilege.isAllAllowed())
|
||||
return true;
|
||||
|
||||
// get the value on which the action is to be performed
|
||||
Object object = restrictable.getRestrictionValue();
|
||||
|
||||
// DefaultRestriction policy expects the restriction value to be a string
|
||||
if (!(object instanceof String)) {
|
||||
throw new PrivilegeException(Restrictable.class.getName() + " " + restrictable.getClass().getSimpleName()
|
||||
+ " has returned a non-string restriction value!");
|
||||
}
|
||||
|
||||
String restrictionValue = (String) object;
|
||||
|
||||
// first check values not allowed
|
||||
for (String denied : privilege.getDenyList()) {
|
||||
if (denied.equals(restrictionValue))
|
||||
return false;
|
||||
}
|
||||
|
||||
// now check values allowed
|
||||
for (String allowed : privilege.getAllowList()) {
|
||||
if (allowed.equals(restrictionValue))
|
||||
return true;
|
||||
}
|
||||
|
||||
// default is not allowed
|
||||
return false;
|
||||
}
|
||||
}
|
|
@ -11,13 +11,14 @@
|
|||
package ch.eitchnet.privilege.policy;
|
||||
|
||||
import ch.eitchnet.privilege.model.Restrictable;
|
||||
import ch.eitchnet.privilege.model.internal.Privilege;
|
||||
import ch.eitchnet.privilege.model.internal.Role;
|
||||
|
||||
/**
|
||||
* @author rvonburg
|
||||
*
|
||||
*/
|
||||
public interface RestrictionPolicy {
|
||||
public interface PrivilegePolicy {
|
||||
|
||||
public boolean actionAllowed(Role role, Restrictable restrictable);
|
||||
public boolean actionAllowed(Role role, Privilege privilege, Restrictable restrictable);
|
||||
}
|
|
@ -26,6 +26,7 @@ import ch.eitchnet.privilege.handler.ModelHandler;
|
|||
import ch.eitchnet.privilege.i18n.AccessDeniedException;
|
||||
import ch.eitchnet.privilege.i18n.PrivilegeException;
|
||||
import ch.eitchnet.privilege.model.Certificate;
|
||||
import ch.eitchnet.privilege.model.Restrictable;
|
||||
import ch.eitchnet.privilege.model.UserRep;
|
||||
import ch.eitchnet.privilege.model.UserState;
|
||||
|
||||
|
@ -185,4 +186,18 @@ public class PrivilegeTest {
|
|||
PrivilegeContainer.getInstance().getModelHandler().addOrReplaceUser(certificate, userRep, null);
|
||||
logger.info("Added user bob");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testPerformRestrictable() throws Exception {
|
||||
|
||||
Certificate certificate = PrivilegeContainer.getInstance().getSessionHandler().authenticate("eitch",
|
||||
"1234567890");
|
||||
org.junit.Assert.assertTrue("Certificate is null!", certificate != null);
|
||||
|
||||
// see if eitch can perform restrictable
|
||||
Restrictable restrictable = new TestRestrictable();
|
||||
boolean actionAllowed = PrivilegeContainer.getInstance().getSessionHandler().actionAllowed(certificate,
|
||||
restrictable);
|
||||
org.junit.Assert.assertTrue("eitch may not perform restrictable!", actionAllowed);
|
||||
}
|
||||
}
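Review bot: testPerformRestrictable asserts only the allowed path, so it would still pass if the authorization check returned true for every caller. Add a case that expects the check to fail, for example a Restrictable whose privilege value is not in the Allow list of the Service privilege, or a user whose roles do not carry that privilege. As a smaller point, `org.junit.Assert.assertTrue("Certificate is null!", certificate != null);` reads better as `org.junit.Assert.assertNotNull("Certificate is null!", certificate);`.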
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
/*
|
||||
* Copyright (c) 2010
|
||||
*
|
||||
* Robert von Burg
|
||||
* eitch@eitchnet.ch
|
||||
*
|
||||
* All rights reserved.
|
||||
*
|
||||
*/
|
||||
|
||||
package ch.eitchnet.privilege.test;
|
||||
|
||||
import ch.eitchnet.privilege.model.Restrictable;
|
||||
|
||||
/**
|
||||
* @author rvonburg
|
||||
*
|
||||
*/
|
||||
public class TestRestrictable implements Restrictable {
|
||||
|
||||
/**@see ch.eitchnet.privilege.model.Restrictable#getPrivilegeName()
|
||||
*/
|
||||
@Override
|
||||
public String getPrivilegeName() {
|
||||
return "Service";
|
||||
}
|
||||
|
||||
/**@see ch.eitchnet.privilege.model.Restrictable#getPrivilegeValue()
|
||||
*/
|
||||
@Override
|
||||
public Object getPrivilegeValue() {
|
||||
return TestRestrictable.class.getName();
|
||||
}
|
||||
|
||||
}
|