Author: sohil.shah(a)jboss.com
Date: 2009-02-15 21:09:50 -0500 (Sun, 15 Feb 2009)
New Revision: 12823
Modified:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/tools/GeneralTool.java
modules/authorization/trunk/core-components-api/pom.xml
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java
modules/authorization/trunk/http-profile/pom.xml
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/provisioning/TestHttpPolicyConfig.java
modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml
Log:
first attempt at xml configuration for the http profile
Modified:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/tools/GeneralTool.java
===================================================================
---
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/tools/GeneralTool.java 2009-02-14
18:35:41 UTC (rev 12822)
+++
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/tools/GeneralTool.java 2009-02-16
02:09:50 UTC (rev 12823)
@@ -23,6 +23,8 @@
package org.jboss.security.authz.tools;
import java.util.UUID;
+import java.io.InputStream;
+import java.io.IOException;
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
@@ -34,4 +36,18 @@
{
return UUID.randomUUID().toString();
}
+
+ public static String readStream(InputStream is) throws IOException
+ {
+ StringBuilder str = new StringBuilder();
+
+ byte[] buffer = new byte[1000];
+ int len = -1;
+ while((len=is.read(buffer)) != -1)
+ {
+ str.append(new String(buffer, 0, len));
+ }
+
+ return str.toString();
+ }
}
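Review bot: `str.append(new String(buffer, 0, len))` decodes each 1000-byte chunk separately with the platform default charset, so a multi-byte character that straddles two `read()` calls is turned into replacement characters and the result differs between machines; since this helper feeds the policy XML to `configure`, a corrupted `<url-pattern>` or `<role-name>` would silently change what the policy matches. Decode once through a `Reader` with an explicit charset instead (the `java.io.InputStreamReader` import belongs in the first hunk of this file next to the `InputStream` one). The helper also reads the whole stream into memory with no upper bound, which is fine for a classpath resource but worth a one-line comment so nobody points it at an untrusted stream. The method does not close `is`; the javadoc should say the caller owns the stream.
```java
    public static String readStream(InputStream is) throws IOException
    {
        // Decode through a Reader so characters split across two reads are not
        // corrupted and the charset does not depend on the platform default.
        InputStreamReader reader = new InputStreamReader(is, "UTF-8");
        StringBuilder str = new StringBuilder();
        char[] buffer = new char[1000];
        int len;
        while((len = reader.read(buffer)) != -1)
        {
            str.append(buffer, 0, len);
        }
        return str.toString();
    }
```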
Modified: modules/authorization/trunk/core-components-api/pom.xml
===================================================================
--- modules/authorization/trunk/core-components-api/pom.xml 2009-02-14 18:35:41 UTC (rev
12822)
+++ modules/authorization/trunk/core-components-api/pom.xml 2009-02-16 02:09:50 UTC (rev
12823)
@@ -44,7 +44,7 @@
<artifactId>maven-surefire-plugin</artifactId>
<version>2.3.1</version>
<configuration>
- <includes>
+ <includes>
</includes>
</configuration>
</plugin>
Modified:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java 2009-02-14
18:35:41 UTC (rev 12822)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java 2009-02-16
02:09:50 UTC (rev 12823)
@@ -50,24 +50,24 @@
//make it package-level access so that unit tests can test these rules
static final String allowRule =
"import java.util.HashSet\n"+
- "rule \"allowRule\"\n"+
+ "rule \"{0}\"\n"+
"when\n"+
"$ruleName: String()\n"+
"$roles: HashSet()\n"+
"eval($ruleName.contains(\"roles://allowRule\"))\n"+
- "eval({0})\n"+
+ "eval({1})\n"+
"then\n"+
"insert(Boolean.TRUE);\n"+
"end\n";
static final String denyRule =
"import java.util.HashSet\n"+
- "rule \"denyRule\"\n"+
+ "rule \"{0}\"\n"+
"when\n"+
"$ruleName: String()\n"+
"$roles: HashSet()\n"+
"eval($ruleName.contains(\"roles://denyRule\"))\n"+
- "eval({0})\n"+
+ "eval({1})\n"+
"then\n"+
"insert(Boolean.TRUE);\n"+
"end\n";
@@ -132,7 +132,7 @@
}
String condition = buffer.toString().trim();
String ruleLogic = MessageFormat.format(Roles.allowRule,
- new Object[]{condition.substring(0, condition.length()-2).trim()});
+ ruleReference, condition.substring(0, condition.length()-2).trim());
DroolsRuleExpression expression = new DroolsRuleExpression();
expression.setRuleReference(ruleReference);
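Review bot: `ruleReference` is now spliced straight into the DRL source as the rule name through `{0}` of `Roles.allowRule` (and of `Roles.denyRule` in the next hunk), so a reference containing a double quote or a newline would terminate the `rule "…"` header and change the generated rule text rather than just its name. Reject such values before formatting, e.g. `if(ruleReference.indexOf('"') >= 0 || ruleReference.indexOf('\n') >= 0) throw new IllegalArgumentException("rule reference contains characters not allowed in a rule name: " + ruleReference);`. Whether `ruleReference` can come from anything other than generated ids is not visible in this hunk, so the check is cheap insurance either way. The enclosing method starts and ends outside the hunk.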
@@ -169,7 +169,7 @@
}
String condition = buffer.toString().trim();
String ruleLogic = MessageFormat.format(Roles.denyRule,
- new Object[]{condition.substring(0, condition.length()-2).trim()});
+ ruleReference, condition.substring(0, condition.length()-2).trim());
DroolsRuleExpression expression = new DroolsRuleExpression();
expression.setRuleReference(ruleReference);
Modified:
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java 2009-02-14
18:35:41 UTC (rev 12822)
+++
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java 2009-02-16
02:09:50 UTC (rev 12823)
@@ -162,7 +162,7 @@
}
String condition = buffer.toString().trim();
String rule = MessageFormat.format(Roles.allowRule,
- new Object[]{condition.substring(0, condition.length()-2).trim()});
+ new Object[]{GeneralTool.generateUniqueId(), condition.substring(0,
condition.length()-2).trim()});
return rule;
}
@@ -178,7 +178,7 @@
}
String condition = buffer.toString().trim();
String rule = MessageFormat.format(Roles.denyRule,
- new Object[]{condition.substring(0, condition.length()-2).trim()});
+ new Object[]{GeneralTool.generateUniqueId(), condition.substring(0,
condition.length()-2).trim()});
return rule;
}
Modified: modules/authorization/trunk/http-profile/pom.xml
===================================================================
--- modules/authorization/trunk/http-profile/pom.xml 2009-02-14 18:35:41 UTC (rev 12822)
+++ modules/authorization/trunk/http-profile/pom.xml 2009-02-16 02:09:50 UTC (rev 12823)
@@ -63,8 +63,7 @@
<artifactId>maven-surefire-plugin</artifactId>
<version>2.3.1</version>
<configuration>
- <includes>
- <include>**/TestRoles.java</include>
+ <includes>
</includes>
</configuration>
</plugin>
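Review bot: The change leaves an empty `<includes>` element behind, which reads as "run nothing" although the intent seems to be the opposite now that `**/TestRoles.java` is dropped. If the goal is to fall back to surefire's default test patterns, removing the `<includes>` element altogether (or the whole `<configuration>` block, which then only sets nothing) states that intent; whether surefire 2.3.1 treats an empty list as "use defaults" rather than "run nothing" is not verifiable from this hunk, so a short comment recording the expected behaviour would help the next reader.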
Modified:
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java 2009-02-14
18:35:41 UTC (rev 12822)
+++
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java 2009-02-16
02:09:50 UTC (rev 12823)
@@ -40,6 +40,7 @@
import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.tools.GeneralTool;
import org.jboss.security.authz.policy.server.plugin.HierarchialPolicy;
import org.jboss.security.authz.policy.server.spi.PolicyConfig;
@@ -71,21 +72,23 @@
DocumentBuilder builder =
DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document document = builder.parse(xmlStream);
- NodeList aclRules = document.getElementsByTagName("acl-rule");
- for(int i=0, length=aclRules.getLength(); i< length; i++)
+ NodeList securityConstraints =
document.getElementsByTagName("security-constraint");
+ for(int i=0, length=securityConstraints.getLength(); i< length; i++)
{
- Element aclRuleElem = (Element)aclRules.item(i);
- String policyUri = aclRuleElem.getAttribute("id");
-
- //Construct the HttpResource component to be used for Policy Generation
- HttpResource httpResource = new HttpResource();
- this.parseTarget(httpResource, aclRuleElem);
- this.parseRules(httpResource, aclRuleElem);
-
- //Generate the policy from the HttpResource component
- Policy policy = new HierarchialPolicy(policyUri,
httpResource.getPolicyMetaData());
+ Element securityConstraint = (Element)securityConstraints.item(i);
+ Element webResourceCollection =
(Element)securityConstraint.getElementsByTagName("web-resource-collection").item(0);
+ List<HttpResource> webResources =
this.parseWebResources(webResourceCollection);
- cour.add(policy);
+ if(webResources != null)
+ {
+ for(HttpResource policyResource: webResources)
+ {
+ //Parse role constraints
+ this.parseRoles(policyResource,
securityConstraint.getElementsByTagName("roles"));
+
+ cour.add(new HierarchialPolicy(GeneralTool.generateUniqueId(),
policyResource.getPolicyMetaData()));
+ }
+ }
}
policies = cour.toArray(new Policy[0]);
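Review bot: `DocumentBuilderFactory.newInstance().newDocumentBuilder()` at the top of the hunk parses the policy XML with default settings, so a DOCTYPE with external entities in the configuration file would be resolved; as this document is the authorization policy source it should be parsed with DTDs disabled, e.g. `DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder();`. Further down, `(Element)securityConstraint.getElementsByTagName("web-resource-collection").item(0)` is passed to `parseWebResources` without a null check, so a `<security-constraint>` lacking a collection fails with a NullPointerException instead of a configuration error. A `<security-constraint>` with no `<roles>` element produces a policy with neither allowed nor denied roles; whether `HierarchialPolicy` then permits or denies is not visible here and deserves a comment at the `cour.add(...)` line. The enclosing method (presumably `configure`) starts before this hunk and continues after it.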
@@ -107,78 +110,79 @@
}
}catch(IOException ioe){log.warn(this, ioe);}
}
- }
-
+ }
//XMLParsing----------------------------------------------------------------------------------------------------------------------------------------------------
- private void parseTarget(HttpResource httpResource, Element aclRuleElem) throws
Exception
- {
- Element resourceElem =
(Element)aclRuleElem.getElementsByTagName("resource").item(0);
- Element requestUriElem =
(Element)aclRuleElem.getElementsByTagName("request-uri").item(0);
-
- //Add RequestUri as a Resource To Match
- String requestUri = requestUriElem.getTextContent();
- httpResource.setUri(new URI(requestUri));
-
- //Process Parameters
- NodeList parameters = resourceElem.getElementsByTagName("param");
- if(parameters != null)
- {
- for(int i=0, length=parameters.getLength(); i<length; i++)
- {
- Element parameter = (Element)parameters.item(i);
-
- String name =
((Element)parameter.getElementsByTagName("name").item(0)).getTextContent();
- String value =
((Element)parameter.getElementsByTagName("value").item(0)).getTextContent();
-
- httpResource.addParameter(name, value);
- }
- }
+ private List<HttpResource> parseWebResources(Element webResourceCollection)
throws Exception
+ {
+ List<HttpResource> webResources = new ArrayList<HttpResource>();
+
+ NodeList resources =
webResourceCollection.getElementsByTagName("web-resource");
+ if(resources != null)
+ {
+ for(int i=0; i<resources.getLength(); i++)
+ {
+ HttpResource policyResource = new HttpResource();
+ Element webResource = (Element)resources.item(i);
+ Element urlPattern =
(Element)webResource.getElementsByTagName("url-pattern").item(0);
+
+ policyResource.setUri(new URI(urlPattern.getTextContent().trim()));
+ this.parseParameters(policyResource, webResource);
+
+ webResources.add(policyResource);
+ }
+ }
+
+ return webResources;
}
- private void parseRules(HttpResource httpResource, Element aclRuleElem) throws
Exception
- {
- NodeList conditionNodes = aclRuleElem.getElementsByTagName("condition");
- if(conditionNodes != null)
+ private void parseParameters(HttpResource policyResource, Element webResource) throws
Exception
+ {
+ //Process Parameters
+ Element parameters =
(Element)webResource.getElementsByTagName("parameters").item(0);
+ NodeList params = parameters.getElementsByTagName("parameter");
+ if(params != null)
{
- for(int i=0, length=conditionNodes.getLength(); i<length; i++)
+ for(int i=0, length=params.getLength(); i<length; i++)
{
- Element conditionElement = (Element)conditionNodes.item(i);
+ Element parameter = (Element)params.item(i);
- //Process Roles related conditions
- NodeList roleNodes =
conditionElement.getElementsByTagName("role-name");
- if(roleNodes != null && roleNodes.getLength()>0)
- {
- this.parseRoleRules(httpResource, roleNodes);
- }
+ String name = parameter.getAttribute("name").trim();
+ String value = parameter.getTextContent().trim();
- //Process IP Ranges
- /*NodeList ipNodes =
conditionElement.getElementsByTagName("ip-range");
- if(ipNodes != null && ipNodes.getLength() >0)
- {
- this.parseIpRules(httpResource, ipNodes);
- }*/
+ policyResource.addParameter(name, value);
}
}
}
- private void parseRoleRules(HttpResource httpResource, NodeList roleNodes)
- {
- for(int j=0, length=roleNodes.getLength(); j<length; j++)
- {
- Element roleNameElem = (Element)roleNodes.item(j);
- String roleName = roleNameElem.getTextContent();
- httpResource.addAllowed(roleName);
- }
- }
-
- /*private void parseIpRules(HttpResource httpResource, NodeList ipNodes)
- {
- for(int j=0; j<ipNodes.getLength(); j++)
- {
- Element ipElem = (Element)ipNodes.item(j);
- String ipRange = ipElem.getTextContent();
-
- httpResource.addAllowedIp(ipRange);
- }
- }*/
+ private void parseRoles(HttpResource policyResource, NodeList roleNodes) throws
Exception
+ {
+ if(roleNodes != null)
+ {
+ for(int i=0; i<roleNodes.getLength(); i++)
+ {
+ boolean allow = true;
+ Element roles = (Element)roleNodes.item(i);
+
+ allow = Boolean.parseBoolean(roles.getAttribute("allow").trim());
+
+ NodeList roleNames = roles.getElementsByTagName("role-name");
+ if(roleNames != null)
+ {
+ for(int j=0; j<roleNames.getLength(); j++)
+ {
+ Element roleName = (Element)roleNames.item(j);
+
+ if(allow)
+ {
+ policyResource.addAllowed(roleName.getTextContent().trim());
+ }
+ else
+ {
+ policyResource.addDenied(roleName.getTextContent().trim());
+ }
+ }
+ }
+ }
+ }
+ }
}
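Review bot: In `parseParameters` the `if(params != null)` test never fires (`getElementsByTagName` returns an empty list, not null), while the `item(0)` cast two lines above it, the one that is actually null when a `<web-resource>` has no `<parameters>` element, is unguarded and throws a NullPointerException; the same pattern applies to `url-pattern` in `parseWebResources` and to the `roleNames` check in `parseRoles`. Guard the element rather than the list: `if(parameters == null) { return; }` directly after the cast. In `parseRoles`, `Boolean.parseBoolean(roles.getAttribute("allow").trim())` maps a missing or misspelled attribute to false, i.e. the listed roles are silently denied instead of the policy being rejected; that fails closed, but an explicit check such as `String allowAttr = roles.getAttribute("allow").trim(); if(!"true".equals(allowAttr) && !"false".equals(allowAttr)) throw new IllegalArgumentException("roles allow attribute must be true or false: " + allowAttr);` surfaces the configuration mistake. The `boolean allow = true;` initialiser is dead since the next statement overwrites it.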
Modified:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/provisioning/TestHttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/provisioning/TestHttpPolicyConfig.java 2009-02-14
18:35:41 UTC (rev 12822)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/provisioning/TestHttpPolicyConfig.java 2009-02-16
02:09:50 UTC (rev 12823)
@@ -22,12 +22,23 @@
******************************************************************************/
package org.jboss.security.authz.http.provisioning;
+import java.io.InputStream;
+import java.net.URI;
+
import junit.framework.TestCase;
import org.apache.log4j.Logger;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.resource.HttpResource;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.enforcement.Request;
+import org.jboss.security.authz.enforcement.Response;
import org.jboss.security.authz.http.configuration.HttpPolicyConfig;
import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.tools.GeneralTool;
+import org.jboss.security.authz.policy.server.PolicyServer;
+import org.jboss.security.authz.policy.server.Server;
import org.jboss.security.authz.policy.server.spi.PolicyConfig;
/**
@@ -41,123 +52,127 @@
*/
private static Logger log = Logger.getLogger(TestHttpPolicyConfig.class);
+ private PolicyServer policyServer;
+
/**
- * A simple developer-friendly web tier policy that specifies:
*
- * "Only Root Portal User and Users in the Marketing Department of the
organization must be allowed to Modify the Layout of the "Main Marketing Portal
Page"
- *
- * Notice: This configuration is not muddled by the vast low-level details of XACML
Policy representation. That part is automated by the
- * PAP (Policy Administration Point) Component of the Authorization System
*/
- private static String simpleWebTierPolicy = "<?xml version=\"1.0\"
encoding=\"UTF-8\"?>"+
- "<web-acl>"+
- "<acl-rule>"+
- "<resource>"+
-
"<request-uri>/portal/admin-tool/modifyLayout</request-uri>"+
- "<params>"+
- "<param>"+
-
"<name>page</name>"+
-
"<value>marketing_index.html</value>"+
-
"</param>"+
- "<param>"+
-
"<name>action</name>"+
-
"<value>update</value>"+
-
"</param>"+
- "</params>"+
- "</resource>"+
- "<conditions>"+
- "<condition>"+
- "<roles>"+
-
"<role-name>Root-Admin</role-name>"+
-
"<role-name>Marketing Team</role-name>"+
- "</roles>"+
- "</condition>"+
- "</conditions>"+
- "</acl-rule>"+
- "</web-acl>";
-
- /**
- * A complex developer-friendly web tier policy that specifies:
- *
- * "Only Root Portal User and Users in the Marketing Department of the
organization must be allowed to Modify the Layout of the "Main Marketing Portal Page
- * as long as they are Logged in from a range of allowed IP addresses
- * "
- *
- * Notice: This configuration is not muddled by the vast low-level details of XACML
Policy representation. That part is automated by the
- * PAP (Policy Administration Point) Component of the Authorization System
- */
- private static String complexWebTierPolicy = "<?xml version=\"1.0\"
encoding=\"UTF-8\"?>"+
- "<web-acl>"+
- "<acl-rule>"+
- "<resource>"+
-
"<request-uri>/portal/admin-tool/modifyLayout</request-uri>"+
- "<params>"+
- "<param>"+
-
"<name>page</name>"+
-
"<value>marketing_index.html</value>"+
-
"</param>"+
- "<param>"+
-
"<name>action</name>"+
-
"<value>update</value>"+
-
"</param>"+
- "</params>"+
- "</resource>"+
- "<conditions>"+
- "<condition>"+
- "<roles>"+
-
"<role-name>Root-Admin</role-name>"+
-
"<role-name>Marketing Team</role-name>"+
- "</roles>"+
- "</condition>"+
- "<condition>"+
-
"<ip-address>"+
-
"<ip-range>192.168.xxx.xxx</ip-range>"+
-
"</ip-address>"+
- "</condition>"+
- "</conditions>"+
- "</acl-rule>"+
- "</web-acl>";
-
- /**
- *
- */
protected void setUp() throws Exception
{
+ Server.bootstrap();
+ this.policyServer =
(PolicyServer)Server.lookup("/policy-server/PolicyServer");
}
-
-
- protected void tearDown() throws Exception
- {
- }
-
-
- public void testSimpleWebTierPolicy() throws Exception
+
//------------------------------------------------------------------------------------------------------------------------------------------------------
+ public void testExecutiveFiles() throws Exception
{
- PolicyConfig config = new HttpPolicyConfig();
- Policy[] policies = config.configure(simpleWebTierPolicy);
+ PolicyConfig config = new HttpPolicyConfig();
+ InputStream is =
Thread.currentThread().getContextClassLoader().getResourceAsStream("http-policy.xml");
- assertNotNull(policies);
+ Policy[] policies = config.configure(GeneralTool.readStream(is));
- for(int i=0; i<policies.length; i++)
- {
+ assertNotNull(policies);
+
+ for(int i=0; i<policies.length; i++)
+ {
log.info("------------------------------------------------------");
- log.info(policies[i].generateXACMLPolicy());
+ this.policyServer.newPolicy(policies[i].getMetaData());
log.info("------------------------------------------------------");
- }
+ }
+
+ is.close();
+
+ //Perform an Enforcement
+ HttpResource incoming = new HttpResource();
+ incoming.setUri(new URI("/private/executives/index.html"));
+ incoming.addParameter("id", "1234");
+
+ //Executive is allowed
+ this.enforce(this.createRequest(incoming, new String[]{"executive"}),
true);
+
+ //Executive is allowed but Manager is not.....Permit overrides Deny according to the
Rule Combining Algorithm used for this Policy
+ this.enforce(this.createRequest(incoming, new String[]{"executive",
"manager"}), true);
+
+ //Manager is Not Allowed
+ this.enforce(this.createRequest(incoming, new String[]{"manager"}),
false);
+
+ //Anonymous is Not Allowed
+ this.enforce(this.createRequest(incoming, new String[]{"anonymous"}),
false);
}
- public void testComplexWebTierPolicy() throws Exception
+ public void testBoardFiles() throws Exception
{
- PolicyConfig config = new HttpPolicyConfig();
- Policy[] policies = config.configure(complexWebTierPolicy);
+ PolicyConfig config = new HttpPolicyConfig();
+ InputStream is =
Thread.currentThread().getContextClassLoader().getResourceAsStream("http-policy.xml");
- assertNotNull(policies);
+ Policy[] policies = config.configure(GeneralTool.readStream(is));
- for(int i=0; i<policies.length; i++)
- {
+ assertNotNull(policies);
+
+ for(int i=0; i<policies.length; i++)
+ {
log.info("------------------------------------------------------");
- log.info(policies[i].generateXACMLPolicy());
+ this.policyServer.newPolicy(policies[i].getMetaData());
log.info("------------------------------------------------------");
+ }
+
+ is.close();
+
+ //Perform an Enforcement
+ HttpResource incoming = new HttpResource();
+ incoming.setUri(new URI("/private/board/index.html"));
+ incoming.addParameter("id", "5678");
+
+ //Executive is allowed
+ this.enforce(this.createRequest(incoming, new String[]{"executive"}),
true);
+
+ //Executive is allowed but Manager is not.....Permit overrides Deny according to the
Rule Combining Algorithm used for this Policy
+ this.enforce(this.createRequest(incoming, new String[]{"executive",
"manager"}), true);
+
+ //Manager is Not Allowed
+ this.enforce(this.createRequest(incoming, new String[]{"manager"}),
false);
+
+ //Anonymous is Not Allowed
+ this.enforce(this.createRequest(incoming, new String[]{"anonymous"}),
false);
+ }
+
//-------------------------------------------------------------------------------------------------------------------------------------------------
+ private void enforce(Request request, boolean mustBePermitted) throws Exception
+ {
+
+ Response response = this.policyServer.evaluate(request);
+
+ assertNotNull(response);
+ log.info("-----------------------------------");
+ log.info("Decision="+response.getMessage());
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", response.isAccessGranted());
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", response.isAccessGranted());
+ }
+ }
+
+ private Request createRequest(HttpResource contextResource, String[] userRoles) throws
Exception
+ {
+ //Create a RequestType
+ Request request = new Request();
+
+ //Create Subjects
+ Roles roles = new Roles();
+ for(int i=0; i<userRoles.length; i++)
+ {
+ roles.addName(userRoles[i]);
}
- }
+ request.addSubject(roles.getSubject());
+
+ //Create Resource
+ request.addResource(contextResource.getResource());
+
+ //Create Action
+ request.setAction(new Read().getAction());
+
+ return request;
+ }
}
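Review bot: In `testExecutiveFiles` and `testBoardFiles` the `is.close()` is skipped whenever `configure` or an earlier assertion throws, and `getResourceAsStream` returns null when the resource is missing, which `GeneralTool.readStream` would then dereference; assert the stream first and close it in a finally block: `assertNotNull(is); try { … } finally { is.close(); }`. The requests carry the role names `"executive"` and `"manager"` while `http-policy.xml` declares `Executive` and `Manager`, so unless role comparison case-folds somewhere not visible here the permit assertions are testing a mismatch; using the exact spelling from the policy file removes the ambiguity. Both tests register the same policy file into the shared `policyServer` with fresh random ids, so the second test presumably runs against duplicated policies; with `tearDown` removed by this commit there is nothing restoring the server between tests, which is worth a comment or a cleanup hook.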
Modified: modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml
===================================================================
--- modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml 2009-02-14
18:35:41 UTC (rev 12822)
+++ modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml 2009-02-16
02:09:50 UTC (rev 12823)
@@ -1,53 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
-<web-acl>
- <acl-rule id="simplePolicy">
- <resource>
- <request-uri>/portal/admin-tool/modifyLayout</request-uri>
- <params>
- <param>
- <name>page</name>
- <value>marketing_index.html</value>
- </param>
- <param>
- <name>action</name>
- <value>update</value>
- </param>
- </params>
- </resource>
- <conditions>
- <condition>
- <roles>
- <role-name>Root-Admin</role-name>
- <role-name>Marketing Team</role-name>
- </roles>
- </condition>
- </conditions>
- </acl-rule>
- <acl-rule id="complexPolicy">
- <resource>
- <request-uri>/portal/admin-tool/modifyLayout</request-uri>
- <params>
- <param>
- <name>page</name>
- <value>marketing_index.html</value>
- </param>
- <param>
- <name>action</name>
- <value>update</value>
- </param>
- </params>
- </resource>
- <conditions>
- <condition>
- <roles>
- <role-name>Root-Admin</role-name>
- </roles>
- </condition>
- <condition>
- <ip-address>
- <ip-range>192.168.xxx.xxx</ip-range>
- </ip-address>
- </condition>
- </conditions>
- </acl-rule>
-</web-acl>
\ No newline at end of file
+<web-security>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource>
+ <web-resource-name>Executive Files</web-resource-name>
+ <url-pattern>/private/executives/*</url-pattern>
+ <parameters>
+ <parameter name="id">1234</parameter>
+ </parameters>
+ </web-resource>
+ <web-resource>
+ <web-resource-name>Board/Investor Files</web-resource-name>
+ <url-pattern>/private/board/*</url-pattern>
+ <parameters>
+ <parameter name="id">5678</parameter>
+ </parameters>
+ </web-resource>
+ </web-resource-collection>
+ <auth-constraint>
+ <!-- constaints based on user roles -->
+ <roles allow="true">
+ <role-name>Admin</role-name>
+ <role-name>Executive</role-name>
+ </roles>
+ <roles allow="false">
+ <role-name>Manager</role-name>
+ <role-name>Developer</role-name>
+ </roles>
+
+ <!-- constants based on ip address of the connecting machine -->
+ <!--
+ Still need to implement this functionality
+ <ip-address allow="true">
+ <ip-range>
+ <address-from></address-from>
+ <address-to></address-to>
+ </ip-range>
+ </ip-address>
+ <ip-address allow="false">
+ <ip-range>
+ <address-from></address-from>
+ <address-to></address-to>
+ </ip-range>
+ </ip-address>
+ -->
+ <!-- constraints based on data and/or time -->
+ </auth-constraint>
+ </security-constraint>
+</web-security>
\ No newline at end of file
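Review bot: The comments in the new `<auth-constraint>` block have typos that obscure what they describe: `<!-- constaints based on user roles -->` should read `<!-- constraints based on user roles -->`, `constants based on ip address` should be `constraints based on ip address`, and `based on data and/or time` presumably means `based on date and/or time`. A one-line comment on `<roles allow="false">` stating that a user holding both an allowed and a denied role is still permitted (the behaviour `TestHttpPolicyConfig` asserts) would keep readers of this sample from assuming the deny list takes precedence.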