Author: sohil.shah(a)jboss.com
Date: 2009-06-15 17:31:18 -0400 (Mon, 15 Jun 2009)
New Revision: 13457
Added:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/RuleComposer.java
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/RuleComposition.java
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/TargetComposition.java
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/repository/TestPolicyComposition.java
Modified:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/ComponentCategory.java
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/PolicyComposer.java
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java
modules/authorization/trunk/core-components-api/src/main/resources/authz-components.xml
Log:
backing up Policy Composition Framework prototyping code
Modified:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/ComponentCategory.java
===================================================================
---
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/ComponentCategory.java 2009-06-15
16:26:03 UTC (rev 13456)
+++
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/ComponentCategory.java 2009-06-15
21:31:18 UTC (rev 13457)
@@ -21,10 +21,57 @@
*/
package org.jboss.security.authz.component;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*/
public enum ComponentCategory
{
- RESOURCE, SUBJECT, ACTION, ENVIRONMENT
+ RESOURCE
+ {
+ String getAttributeCategory()
+ {
+ return XACMLConstants.ATTRIBUTEID_RESOURCE_ID;
+ }
+
+ void setExpression(Target target,AttributeExpression expression)
+ {
+ target.addResourceMatch(expression);
+ }
+ },
+
+
+ SUBJECT
+ {
+ String getAttributeCategory()
+ {
+ return XACMLConstants.ATTRIBUTEID_SUBJECT_ID;
+ }
+
+ void setExpression(Target target, AttributeExpression expression)
+ {
+ target.addSubjectMatch(expression);
+ }
+ },
+
+
+ ACTION
+ {
+ String getAttributeCategory()
+ {
+ return XACMLConstants.ATTRIBUTEID_ACTION_ID;
+ }
+
+ void setExpression(Target target, AttributeExpression expression)
+ {
+ target.addActionMatch(expression);
+ }
+ };
+
+ //Define the enum behavior
+ abstract String getAttributeCategory();
+ abstract void setExpression(Target target, AttributeExpression expression);
}
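Review bot: The new enum body drops `ENVIRONMENT` without a replacement, so any component elsewhere that still declares that category stops compiling, and the removal is not mentioned in the log message. If the constant is gone only because `Target` has no environment match (not visible in this hunk), consider keeping it with a `setExpression` that throws `UnsupportedOperationException`, so the gap is explicit. `getAttributeCategory()` returns `XACMLConstants.ATTRIBUTEID_*_ID` values, which are attribute ids rather than categories. A Javadoc line on the two abstract methods, e.g. `/** XACML attribute id used for Attributes built for this category. */`, would make that clear to implementers of new constants.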
Modified:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/PolicyComposer.java
===================================================================
---
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/PolicyComposer.java 2009-06-15
16:26:03 UTC (rev 13456)
+++
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/PolicyComposer.java 2009-06-15
21:31:18 UTC (rev 13457)
@@ -26,5 +26,5 @@
*/
public class PolicyComposer
{
-
+
}
Added:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/RuleComposer.java
===================================================================
---
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/RuleComposer.java
(rev 0)
+++
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/RuleComposer.java 2009-06-15
21:31:18 UTC (rev 13457)
@@ -0,0 +1,30 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.component;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class RuleComposer
+{
+
+}
Added:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/RuleComposition.java
===================================================================
---
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/RuleComposition.java
(rev 0)
+++
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/RuleComposition.java 2009-06-15
21:31:18 UTC (rev 13457)
@@ -0,0 +1,174 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.component;
+
+import java.lang.reflect.Method;
+import java.lang.annotation.Annotation;
+
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.Expression;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.DroolsRuleExpression;
+import org.jboss.security.authz.tools.GeneralTool;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class RuleComposition
+{
+ private static Logger log = Logger.getLogger(RuleComposition.class);
+
+ private Object targetComponent;
+ private Object logicComponent;
+ private String expressionName;
+ private Effect effect;
+
+ public RuleComposition()
+ {
+
+ }
+
+ public Object getTargetComponent()
+ {
+ return targetComponent;
+ }
+
+ public void setTargetComponent(Object targetComponent)
+ {
+ this.targetComponent = targetComponent;
+ }
+
+ public Object getLogicComponent()
+ {
+ return logicComponent;
+ }
+
+ public void setLogicComponent(Object logicComponent)
+ {
+ this.logicComponent = logicComponent;
+ }
+
+ public Effect getEffect()
+ {
+ return effect;
+ }
+
+ public void setEffect(Effect effect)
+ {
+ this.effect = effect;
+ }
+
+ public String getExpressionName()
+ {
+ return expressionName;
+ }
+
+ public void setExpressionName(String expressionName)
+ {
+ this.expressionName = expressionName;
+ }
+ //----------------------------------------------------------------------------------------------------------------------------------------------------------------
+ public Rule compose()
+ {
+ if(this.effect == null)
+ {
+ throw new IllegalStateException("Effect is missing!!");
+ }
+
+ if(this.expressionName != null)
+ {
+ if(this.logicComponent == null)
+ {
+ throw new IllegalStateException("Logic Component is missing!!");
+ }
+ }
+
+ try
+ {
+ Rule rule = new Rule();
+
+ rule.setRuleId(GeneralTool.generateUniqueId());
+ rule.setEffect(this.effect);
+
+ //Generate the Target for this rule
+ if(this.targetComponent != null)
+ {
+ TargetComposition targetComposition = new TargetComposition();
+ targetComposition.setTargetComponent(this.targetComponent);
+ rule.setTarget(targetComposition.compose());
+ }
+
+ //Generate the Logic Expression of this rule
+ if(this.expressionName != null)
+ {
+ rule.setExpression(this.generateExpression());
+ }
+
+ return rule;
+ }
+ catch(Exception e)
+ {
+ //TODO: handle this properly
+ log.error(this, e);
+ throw new RuntimeException(e);
+ }
+ }
+ //----------------------------------------------------------------------------------------------------------------------------------------------------------------
+ private Expression generateExpression() throws Exception
+ {
+ DroolsRuleExpression expression = new DroolsRuleExpression();
+
+ //Read the LogicExpression of the Logic Component
+ Method expressionMethod = this.findExpression(this.logicComponent.getClass(),
this.expressionName);
+ expressionMethod.setAccessible(true);
+
+ String[] expressionMetaData = (String[])expressionMethod.invoke(this.logicComponent,
null);
+
+ expression.setRuleReference(expressionMetaData[0]);
+ expression.setRule(expressionMetaData[1]);
+
+ return expression;
+ }
+
+ private Method findExpression(Class targetClass, String expressionName)
+ {
+ Method[] declaredMethods = targetClass.getDeclaredMethods();
+ if(declaredMethods != null)
+ {
+ for(Method declaredMethod: declaredMethods)
+ {
+ Annotation logicExpression = declaredMethod.getAnnotation(LogicExpression.class);
+ if(logicExpression != null)
+ {
+ if(declaredMethod.getName().equals(expressionName))
+ {
+ return declaredMethod;
+ }
+ }
+ }
+ }
+
+ return null;
+ }
+}
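Review bot: `compose()` rejects an expression name without a logic component but not the reverse, so a composition with `logicComponent` set and `expressionName` left null builds a rule with no condition. For `Effect.PERMIT` that rule would presumably grant on target match alone, which is the fail-open direction for an authorization rule. Add `if(this.logicComponent != null && this.expressionName == null) throw new IllegalStateException("Expression name is missing!!");` next to the existing checks. In `generateExpression()`, `findExpression` returns null when no `@LogicExpression` method of that name is declared on the class itself (inherited methods are not searched), and the next line dereferences it. Fail with a named error instead, e.g. `if(expressionMethod == null) throw new IllegalStateException("No @LogicExpression method: " + this.expressionName);`, and verify the returned array has two elements before indexing `[0]` and `[1]`.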
Added:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/TargetComposition.java
===================================================================
---
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/TargetComposition.java
(rev 0)
+++
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/component/TargetComposition.java 2009-06-15
21:31:18 UTC (rev 13457)
@@ -0,0 +1,160 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.component;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Field;
+
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class TargetComposition
+{
+ private static Logger log = Logger.getLogger(TargetComposition.class);
+
+ private Object targetComponent;
+
+ public TargetComposition()
+ {
+
+ }
+
+ public Object getTargetComponent()
+ {
+ return targetComponent;
+ }
+
+ public void setTargetComponent(Object targetComponent)
+ {
+ this.targetComponent = targetComponent;
+ }
+ //------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ public Target compose()
+ {
+ if(this.targetComponent == null)
+ {
+ throw new IllegalStateException("Target Component is null!!");
+ }
+
+ try
+ {
+ return this.generateTarget();
+ }
+ catch(Exception e)
+ {
+ //TODO: handle this properly
+ log.error(this, e);
+ throw new RuntimeException(e);
+ }
+ }
+ //----------------------------------------------------------------------------------------------------------------------------------------------------------------
+ //TODO: Add TargetUri annotation inheritance
+ private Target generateTarget() throws Exception
+ {
+ Target target = new Target();
+
+ //Read the TargetUri
+ Field targetField = this.findTargetField(this.targetComponent.getClass());
+ targetField.setAccessible(true);
+ Object targetUriObj = targetField.get(this.targetComponent);
+
+ //Get a String representation of this URI
+ String uriStr = targetUriObj.toString();
+
+ //use the proper category for the data
+ ComponentCategory category =
this.findComponentCategory(this.targetComponent.getClass());
+ String attributeCategory = category.getAttributeCategory();
+
+ AttributeExpression urlExpression = new AttributeExpression();
+ if (uriStr.charAt(0) == '/' && uriStr.endsWith("/*"))
+ {
+ // If URL starts with '/' and ends with "/*", use a regular
+ // expression to match it (In consistency with the servlet spec)
+ urlExpression
+ .setFunctionId(XACMLConstants.FUNCTION_REGEXP_STRING_MATCH);
+
+ String uriexp = uriStr.substring(1, uriStr.length() - 2);
+ StringBuilder buffer = new StringBuilder();
+ buffer.append("^/" + uriexp + "$|");
+ buffer.append("^" + uriexp + "$|");
+ buffer.append("^/" + uriexp + "/.*|");
+ buffer.append("^" + uriexp + "/.*");
+
+ Attribute attribute = new Attribute(
+ attributeCategory,
+ XMLSchemaConstants.DATATYPE_STRING, buffer.toString());
+ urlExpression.setAttribute(attribute);
+ }
+ else
+ {
+ // use an exact match
+ urlExpression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+
+ Attribute attribute = new Attribute(
+ attributeCategory,
+ XMLSchemaConstants.DATATYPE_STRING, uriStr);
+ urlExpression.setAttribute(attribute);
+ }
+
+ //Depending up the data category add the appropriate match expression
+ category.setExpression(target, urlExpression);
+
+ return target;
+ }
+
+ private ComponentCategory findComponentCategory(Class targetClass)
+ {
+ Annotation component = targetClass.getAnnotation(Component.class);
+ if(component != null)
+ {
+ return ((Component)component).category();
+ }
+
+ return null;
+ }
+
+ private Field findTargetField(Class targetClass)
+ {
+ Field[] declaredFields = targetClass.getDeclaredFields();
+ if(declaredFields != null)
+ {
+ for(Field declaredField: declaredFields)
+ {
+ Annotation targetUri = declaredField.getAnnotation(TargetUri.class);
+ if(targetUri != null)
+ {
+ return declaredField;
+ }
+ }
+ }
+
+ return null;
+ }
+}
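Review bot: In `generateTarget()` the wildcard branch concatenates `uriexp` into the pattern unescaped, so any regex metacharacter in the configured URI (a `.` in a file extension, `+`, `(`) changes which request paths the policy target matches, usually widening it. Escape the literal part before building the alternation, in a form the XACML engine's regex dialect accepts; the sketch below uses backslash escapes and should be confirmed against the engine. The same branch throws `StringIndexOutOfBoundsException` for the URI `/*` because `substring(1, 0)` is invalid, and `charAt(0)` throws on an empty URI. `findTargetField` and `findComponentCategory` both return null for a class without the annotation and are dereferenced without a check, so a misconfigured component surfaces as a wrapped `NullPointerException` rather than a clear configuration error.

```java
String uriexp = escapeRegex(uriStr.substring(1, uriStr.length() - 2));
// … unchanged: the four buffer.append(...) alternatives and the Attribute construction …

/** Backslash-escapes regex metacharacters so the URI prefix is matched literally. */
private static String escapeRegex(String literal)
{
   StringBuilder escaped = new StringBuilder(literal.length() + 8);
   for(char c: literal.toCharArray())
   {
      if("\\.[]{}()*+?^$|-".indexOf(c) >= 0)
      {
         escaped.append('\\');
      }
      escaped.append(c);
   }
   return escaped.toString();
}
```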
Modified:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java 2009-06-15
16:26:03 UTC (rev 13456)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java 2009-06-15
21:31:18 UTC (rev 13457)
@@ -130,7 +130,6 @@
*
* @return the rule
*/
- @LogicExpression
public Rule allowIfUserHasRole()
{
if(this.getNames().isEmpty())
@@ -168,7 +167,6 @@
*
* @return the rule
*/
- @LogicExpression
public Rule denyIfUserHasRole()
{
if(this.getNames().isEmpty())
@@ -222,4 +220,52 @@
return subject;
}
+
//------------------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Creates a Policy Rule suggesting the roles indicated by this object are permitted
access to the 'Resource' designated in the Policy
+ * The User must belong to atleast one of the specified roles to gain access
+ *
+ * @return the rule
+ */
+ @LogicExpression
+ public String[] allowExpression()
+ {
+ String ruleReference =
"roles://allowRule/"+GeneralTool.generateUniqueId();
+
+ //Generate a Drools Rule Expression
+ StringBuffer buffer = new StringBuffer();
+ for(String role: this.getNames())
+ {
+ buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+ }
+ String condition = buffer.toString().trim();
+ String ruleLogic = MessageFormat.format(Roles.allowRule,
+ ruleReference, condition.substring(0, condition.length()-2).trim());
+
+ return new String[]{ruleReference, buffer.toString()};
+ }
+
+ /**
+ * Creates a Policy Rule suggesting the roles indicated by this object are denied
access to the 'Resource' designated in the Policy
+ * If the user belongs to atleast one of these roles, he will be denied access
+ *
+ * @return the rule
+ */
+ @LogicExpression
+ public String[] denyExpression()
+ {
+ String ruleReference = "roles://denyRule/"+GeneralTool.generateUniqueId();
+
+ //Generate a Drools Rule Expression
+ StringBuffer buffer = new StringBuffer();
+ for(String role: this.getNames())
+ {
+ buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+ }
+ String condition = buffer.toString().trim();
+ String ruleLogic = MessageFormat.format(Roles.denyRule,
+ ruleReference, condition.substring(0, condition.length()-2).trim());
+
+ return new String[]{ruleReference, buffer.toString()};
+ }
}
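Review bot: Both `allowExpression()` and `denyExpression()` compute `ruleLogic` and then return `buffer.toString()` instead, so the caller receives the raw condition with its trailing ` || ` rather than the formatted rule. The return should be `return new String[]{ruleReference, ruleLogic};`. Role names are spliced into the Drools condition between quotes with no escaping, so a name containing `"` or `\` alters the generated rule text; escape or reject such names before appending. With an empty `getNames()` the `condition.substring(0, condition.length()-2)` call throws, whereas the older methods in this file guard with `this.getNames().isEmpty()`; the same guard belongs here. `toLowerCase()` without a locale is locale-sensitive, and `role.toLowerCase(Locale.ROOT)` keeps role matching stable across JVM default locales.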
Modified:
modules/authorization/trunk/core-components-api/src/main/resources/authz-components.xml
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/resources/authz-components.xml 2009-06-15
16:26:03 UTC (rev 13456)
+++
modules/authorization/trunk/core-components-api/src/main/resources/authz-components.xml 2009-06-15
21:31:18 UTC (rev 13457)
@@ -36,8 +36,8 @@
<data>names</data>
</logic-data>
<logic-expressions>
- <expression>permitOperationIfUserHasRole</expression>
- <expression>denyOperationIfUserHasRole</expression>
+ <expression>allowExpression</expression>
+ <expression>denyExpression</expression>
</logic-expressions>
</logic-component>
@@ -46,16 +46,6 @@
Core Rule Compositions shipped with the framework. These can be re-used and more
compositions can be added
depending upon Application/Profile Requirements
-->
- <rule-composition name="permitOperationIfUserHasRole"
outcome="permit">
- <target-component>operation</target-component>
- <logic-component>roles</logic-component>
- </rule-composition>
-
- <rule-composition name="denyOperationIfUserHasRole"
outcome="deny">
- <target-component>operation</target-component>
- <logic-component>roles</logic-component>
- </rule-composition>
-
<rule-composition name="permitIdentity" outcome="permit">
<target-component>identity</target-component>
</rule-composition>
@@ -63,4 +53,14 @@
<rule-composition name="denyIdentity" outcome="deny">
<target-component>identity</target-component>
</rule-composition>
+
+ <rule-composition name="permitRole" outcome="permit">
+ <target-component>operation</target-component>
+ <logic-component
expression="allowExpression">roles</logic-component>
+ </rule-composition>
+
+ <rule-composition name="denyRole" outcome="deny">
+ <target-component>operation</target-component>
+ <logic-component
expression="denyExpression">roles</logic-component>
+ </rule-composition>
</components>
\ No newline at end of file
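Review bot: The `expression` attribute on `<logic-component>` names a Java method (`allowExpression` and `denyExpression` carry `@LogicExpression` in Roles.java in this same commit), but nothing in the file says so. A typo here would only surface at composition time. A comment above the two new compositions would document the contract, e.g. `<!-- expression: name of a @LogicExpression method on the logic component class -->`. The rename of the composition names from `permitOperationIfUserHasRole`/`denyOperationIfUserHasRole` to `permitRole`/`denyRole` also breaks anything that refers to the old names, which deserves a mention in the log message if callers exist.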
Added:
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/repository/TestPolicyComposition.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/repository/TestPolicyComposition.java
(rev 0)
+++
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/repository/TestPolicyComposition.java 2009-06-15
21:31:18 UTC (rev 13457)
@@ -0,0 +1,126 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.repository;
+
+import java.util.Set;
+import java.util.HashSet;
+import java.net.URI;
+
+import junit.framework.TestCase;
+
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.Rule;
+
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.component.RuleComposition;
+import org.jboss.security.authz.component.TargetComposition;
+
+import org.jboss.security.authz.test.MockPolicy;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class TestPolicyComposition extends TestCase
+{
+ private static Logger log = Logger.getLogger(TestPolicyComposition.class);
+
+ protected void setUp() throws Exception
+ {
+ }
+ //---------------------------------------------------------------------------------------------------------------------------------------------------------------
+ public void testComposePermitIdentity() throws Exception
+ {
+ URIResource uriResource = new URIResource();
+ uriResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
+
+ Identity identity = new Identity();
+ identity.setName("blahUser");
+
+ TargetComposition targetComposition = new TargetComposition();
+ targetComposition.setTargetComponent(uriResource);
+
+ RuleComposition ruleComposition = new RuleComposition();
+ ruleComposition.setTargetComponent(identity);
+ ruleComposition.setEffect(Effect.PERMIT);
+
+
+ Target policyTarget = targetComposition.compose();
+ Rule policyRule = ruleComposition.compose();
+
+ //Assert the State
+ assertNotNull("Target must not be null!!", policyTarget);
+ assertNotNull("Rule must not be null!!", policyRule);
+
+ PolicyMetaData metadata = new PolicyMetaData();
+ metadata.setTarget(policyTarget);
+ metadata.addRule(policyRule);
+ Policy policy = new MockPolicy("testComposePermitIdentity", metadata);
+
+ log.info("----------------------------------------------------------------");
+ log.info(policy.generateSystemPolicy());
+ }
+
+ public void testComposePermitRole() throws Exception
+ {
+ Roles roles = new Roles();
+ Set<String> names = new HashSet<String>();
+ names.add("admin");
+ names.add("user");
+ roles.setNames(names);
+
+ URIResource uriResource = new URIResource();
+ uriResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
+
+ TargetComposition targetComposition = new TargetComposition();
+ targetComposition.setTargetComponent(uriResource);
+
+ RuleComposition ruleComposition = new RuleComposition();
+ ruleComposition.setEffect(Effect.PERMIT);
+ ruleComposition.setLogicComponent(roles);
+ ruleComposition.setExpressionName("allowExpression");
+ ruleComposition.setTargetComponent(new Read());
+
+
+ Target policyTarget = targetComposition.compose();
+ Rule policyRule = ruleComposition.compose();
+
+ //Assert the State
+ assertNotNull("Target must not be null!!", policyTarget);
+ assertNotNull("Rule must not be null!!", policyRule);
+
+ PolicyMetaData metadata = new PolicyMetaData();
+ metadata.setTarget(policyTarget);
+ metadata.addRule(policyRule);
+ Policy policy = new MockPolicy("testComposePermitRole", metadata);
+
+ log.info("----------------------------------------------------------------");
+ log.info(policy.generateSystemPolicy());
+ }
+}
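Review bot: Both tests assert only that the composed `Target` and `Rule` are non-null and then log the generated policy, so they pass regardless of what the rule contains. For authorization code the tests should pin the outcome, e.g. `assertEquals(Effect.PERMIT, policyRule.getEffect());` (assuming `Rule` exposes the getter) and an assertion on the expression text produced for the `admin`/`user` roles. Neither test exercises the wildcard branch of `TargetComposition` (a URI ending in `/*`) or the failure paths (`compose()` with no effect, an expression name with no matching method). Those are the cases where a wrong policy would otherwise go unnoticed.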