Author: sohil.shah(a)jboss.com
Date: 2009-01-27 14:46:11 -0500 (Tue, 27 Jan 2009)
New Revision: 12672
Modified:
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
modules/authorization/trunk/http-authz/pom.xml
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java
Log:
HttpResource Security Component
Modified:
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
===================================================================
---
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java 2009-01-27
16:19:08 UTC (rev 12671)
+++
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java 2009-01-27
19:46:11 UTC (rev 12672)
@@ -24,17 +24,20 @@
import java.util.Map;
import java.util.HashMap;
-import java.util.List;
-import java.util.ArrayList;
import java.util.Set;
+import java.util.HashSet;
import org.jboss.security.authz.model.AttributeExpression;
import org.jboss.security.authz.model.Effect;
import org.jboss.security.authz.model.ExpressionBuilder;
import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.tools.GeneralTool;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
/**
* The HttpResource Policy Component represents a System Resource available via the HTTP
Protocol
*
@@ -55,16 +58,43 @@
* The HTTP Parameters that are used to access this resource
*/
private Map<String, String> parameters;
-
+
+ /**
+ * Roles that are allowed access to this resource
+ */
+ private Set<String> allowedRoles;
+
+ /**
+ * Roles that are denied access to this resource
+ */
+ private Set<String> deniedRoles;
+
+ /**
+ * A Range/regular expression to specify client IP addresses that have access to this
resource
+ */
+ private Set<String> allowedIps;
+
+ /**
+ *
+ */
+ public HttpResource()
+ {
+ this.parameters = new HashMap<String, String>();
+ this.allowedRoles = new HashSet<String>();
+ this.deniedRoles = new HashSet<String>();
+ this.allowedIps = new HashSet<String>();
+ }
+
public HttpResource(String url)
- {
+ {
+ this();
+
if(url == null)
{
throw new IllegalArgumentException("URL Cannot Be Empty");
- }
+ }
- this.url = url;
- this.parameters = new HashMap<String, String>();
+ this.url = url;
}
public Map<String, String> getParameters()
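Review bot: The Javadoc block added above the new no-arg constructor is empty, so it renders as a blank entry in generated docs while saying nothing about the object it produces. Since this constructor leaves `url` unset and `getURLTarget` (later in this file) throws IllegalStateException on a blank URL, that contract is the thing worth stating: `/** Creates a resource with no URL; call {@link #setUrl(String)} before {@link #getURLTarget(boolean)}. */`. The class declaration starts outside this hunk.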
@@ -89,13 +119,29 @@
{
this.url = url;
}
+
+ public Set<String> getAllowedRoles()
+ {
+ return allowedRoles;
+ }
+
+ public void setAllowedRoles(Set<String> allowedRoles)
+ {
+ this.allowedRoles = allowedRoles;
+ }
+
+ public Set<String> getDeniedRoles()
+ {
+ return deniedRoles;
+ }
+
+ public void setDeniedRoles(Set<String> deniedRoles)
+ {
+ this.deniedRoles = deniedRoles;
+ }
public void addParameter(String name, String value)
- {
- if(this.parameters == null)
- {
- this.parameters = new HashMap<String, String>();
- }
+ {
this.parameters.put(name, value);
}
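Review bot: `setAllowedRoles` and `setDeniedRoles` store the caller's set by reference and accept null, while `addAllowedRole`/`addDeniedRole` added later in this commit dereference the field with no null guard, so `setAllowedRoles(null)` followed by `addAllowedRole(...)` ends in a NullPointerException rather than the IllegalArgumentException the class otherwise uses. Because the getters hand back the same live set, a caller can also change the roles that will end up in a PERMIT or DENY rule after the resource has been configured. Treating null as empty and copying on the way in keeps the fields non-null and private to the object: `this.allowedRoles = (allowedRoles == null) ? new HashSet<String>() : new HashSet<String>(allowedRoles);`, and likewise for `deniedRoles`. `allowedIps` gets no accessor at all, which is inconsistent with the other two sets.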
@@ -103,58 +149,75 @@
{
return (this.parameters != null && !this.parameters.isEmpty());
}
-
//------------------------------------------------------------------------------------------------------------------------------------------------------------
- /**
- * Creates an expression for matching the URL of the HttpResource
- *
- * @return desired expression
- */
- public AttributeExpression createURLExpression()
+
+ public void addAllowedRole(String allowedRole)
{
- if(this.url == null)
- {
- throw new IllegalStateException("Http URL cannot be Empty");
- }
-
- return ExpressionBuilder.getInstance().createResourceIdExpression(this.url);
+ if(allowedRole == null || allowedRole.trim().length() == 0)
+ {
+ throw new IllegalArgumentException("Role Value Must Not Be Empty");
+ }
+
+ this.allowedRoles.add(allowedRole);
}
- /**
- * Creates an expression for matching the URL along with its Parameters
- *
- * @return the desired expression
- */
- public List<AttributeExpression> createURLWithParametersExpression()
- {
- List<AttributeExpression> expressions = new
ArrayList<AttributeExpression>();
-
- expressions.add(this.createURLExpression());
- if(this.parameters != null)
- {
- Set<String> names = this.parameters.keySet();
- for(String name: names)
- {
- String value = this.parameters.get(name);
-
- AttributeExpression expression =
ExpressionBuilder.getInstance().createCustomResourceExpression(name, value);
- expressions.add(expression);
- }
- }
-
- return expressions;
+ public void addDeniedRole(String deniedRole)
+ {
+ if(deniedRole == null || deniedRole.trim().length() == 0)
+ {
+ throw new IllegalArgumentException("Role Value Must Not Be Empty");
+ }
+ this.deniedRoles.add(deniedRole);
}
+ public void addAllowedIp(String allowedIp)
+ {
+ if(allowedIp == null || allowedIp.trim().length() == 0)
+ {
+ throw new IllegalArgumentException("Allowed IP Must Not Be Empty");
+ }
+ this.allowedIps.add(allowedIp);
+ }
+
//----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ public Target getURLTarget(boolean matchAllParameters)
+ {
+ if(this.url == null || this.url.trim().length()==0)
+ {
+ throw new IllegalStateException("URL Cannot Be Empty");
+ }
+
+ Target target = new Target();
+
+ AttributeExpression urlExpression =
ExpressionBuilder.getInstance().createResourceIdExpression(this.url);
+ target.addResourceMatch(urlExpression);
+
+ if(matchAllParameters)
+ {
+ if(this.parameters != null && !this.parameters.isEmpty())
+ {
+ Set<String> names = this.parameters.keySet();
+ for(String name: names)
+ {
+ String value = this.parameters.get(name);
+
+ AttributeExpression paramExpression =
ExpressionBuilder.getInstance().createCustomResourceExpression(name, value);
+ target.addResourceMatch(paramExpression);
+ }
+ }
+ }
+
+ return target;
+ }
+
/**
- * Creates a Policy Rule suggesting the specified 'Roles' are permitted access
to the 'Resource' designated in the Policy
+ * Creates a Policy Rule suggesting the allowed roles are permitted access to the
'Resource' designated in the Policy
*
- * @param roles that must be allowed access to the 'Resource' in question in
the Policy
- * @return the rules
+ * @return the rule
*/
- public Rule createPermittedRolesRule(String[] roles)
+ public Rule getPermittedRolesRule()
{
- if(roles == null || roles.length == 0)
+ if(this.allowedRoles == null || this.allowedRoles.isEmpty())
{
- throw new IllegalArgumentException("Roles must be specified!!");
+ return null;
}
Rule permitRule = new Rule();
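Review bot: `addAllowedRole`, `addDeniedRole` and `addAllowedIp` reject a blank value via `trim()` but then store the untrimmed string, so a value that arrives with surrounding whitespace (the `getTextContent()` results fed in by `HttpPolicyConfig.parseRoleRules`/`parseIpRules` in this same commit, if the XML is pretty-printed) is written into the role or IP match expression with the whitespace intact and will not match at evaluation time. Storing the trimmed value is the simplest fix: `this.allowedRoles.add(allowedRole.trim());` and the equivalent in the other two methods. The new public methods `getURLTarget`, `addAllowedRole`, `addDeniedRole` and `addAllowedIp` also have no Javadoc; `getURLTarget` in particular should state that with `matchAllParameters` false the configured parameters are ignored, and `getPermittedRolesRule` should say that it now returns null instead of throwing when no roles are configured. `getPermittedRolesRule` continues past the end of this hunk.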
@@ -165,7 +228,7 @@
permitRule.setTarget(ruleTarget);
//Create a Subject Match Function
- for(String role: roles)
+ for(String role: this.allowedRoles)
{
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
}
@@ -174,16 +237,15 @@
}
/**
- * Creates a Policy Rule suggesting the specified 'Roles' are denied access to
the 'Resource' designated in the Policy
+ * Creates a Policy Rule suggesting the denied roles are denied access to the
'Resource' designated in the Policy
*
- * @param roles that must be denied access to the 'Resource' in question in
the Policy
- * @return the rules
+ * @return the role
*/
- public Rule createDeniedRolesRule(String[] roles)
+ public Rule getDeniedRolesRule()
{
- if(roles == null || roles.length == 0)
+ if(this.deniedRoles == null || this.deniedRoles.isEmpty())
{
- throw new IllegalArgumentException("Roles must be specified!!");
+ return null;
}
Rule denyRule = new Rule();
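Review bot: The updated Javadoc on `getDeniedRolesRule` says `@return the role` where the method returns a Rule, and neither this method nor `getPermittedRolesRule` documents the new null return that replaced the IllegalArgumentException. A caller that does `rules.add(httpResource.getDeniedRolesRule())` without a check, as the tests in this commit do, would put a null into the rule set when no denied roles were configured. Suggested: `@return the deny rule, or {@code null} when no denied roles are configured`. The method body continues past the end of this hunk.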
@@ -194,11 +256,39 @@
denyRule.setTarget(ruleTarget);
//Create a Subject Match Function
- for(String role: roles)
+ for(String role: this.deniedRoles)
{
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
}
return denyRule;
+ }
+
+ public Rule getAllowedIpsRule()
+ {
+ if(this.allowedIps == null || this.allowedIps.isEmpty())
+ {
+ return null;
+ }
+
+ Rule rule = new Rule();
+ Target ruleTarget = new Target();
+
+ rule.setRuleId(GeneralTool.generateUniqueId());
+ rule.setEffect(Effect.PERMIT);
+ rule.setTarget(ruleTarget);
+
+ for(String allowedIp: this.allowedIps)
+ {
+ AttributeExpression expression = new AttributeExpression();
+ expression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_IPADDRESS_MATCH);
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_IP_ADDRESS,
+ XMLSchemaConstants.DATATYPE_IPADDRESS, allowedIp);
+ expression.setAttribute(attribute);
+
+ rule.setExpression(expression);
+ }
+
+ return rule;
}
}
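Review bot: In `getAllowedIpsRule` the loop calls `rule.setExpression(expression)` on every iteration, so with more than one allowed IP range only the last one survives in the rule and the earlier ranges are silently dropped from the PERMIT decision. The code this replaces, `HttpPolicyConfig.parseIpRules`, created one rule per `ip-range` element, so an ACL with several ranges regresses in this commit even though `parseIpRules` still feeds every range into `addAllowedIp`. Either emit one rule per entry (which means the return type becomes a collection and the caller in HttpPolicyConfig changes with it) or, until then, refuse to build an ambiguous rule: `if(this.allowedIps.size() > 1) { throw new IllegalStateException("Only one allowed IP range is supported per rule"); }`. The method also lacks Javadoc and, like the role rules, returns null for an empty set without saying so.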
Modified: modules/authorization/trunk/http-authz/pom.xml
===================================================================
--- modules/authorization/trunk/http-authz/pom.xml 2009-01-27 16:19:08 UTC (rev 12671)
+++ modules/authorization/trunk/http-authz/pom.xml 2009-01-27 19:46:11 UTC (rev 12672)
@@ -51,8 +51,10 @@
<artifactId>maven-surefire-plugin</artifactId>
<version>2.3.1</version>
<configuration>
- <includes>
+ <includes>
+ <!--
<include>**/TestHttpResource.java</include>
+ -->
<include>**/TestHttpPolicyConfig.java</include>
</includes>
</configuration>
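Review bot: The surefire configuration now comments out `**/TestHttpResource.java`, yet this same commit rewrites that test class to exercise the new HttpResource API, so none of the new `getURLTarget`, `get*RolesRule` or `getAllowedIpsRule` code is run by the build. If the exclusion is temporary, the reason belongs next to it so it is not forgotten, e.g. `<!-- TestHttpResource disabled: <reason> -->`; otherwise the include should be restored.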
Modified:
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java 2009-01-27
16:19:08 UTC (rev 12671)
+++
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java 2009-01-27
19:46:11 UTC (rev 12672)
@@ -27,7 +27,6 @@
import java.io.InputStream;
import java.util.List;
import java.util.ArrayList;
-import java.util.UUID;
import java.util.Set;
import java.util.HashSet;
@@ -40,9 +39,6 @@
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
-import org.jboss.security.authz.model.Attribute;
-import org.jboss.security.authz.model.AttributeExpression;
-import org.jboss.security.authz.model.Effect;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.model.Target;
@@ -50,9 +46,6 @@
import org.jboss.security.authz.pap.policy.HierarchialPolicy;
import org.jboss.security.authz.pap.spi.PolicyConfig;
-import org.jboss.security.xacml.interfaces.XACMLConstants;
-import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
-
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*
@@ -85,14 +78,42 @@
for(int i=0, length=aclRules.getLength(); i< length; i++)
{
Element aclRuleElem = (Element)aclRules.item(i);
- String policyUri = aclRuleElem.getAttribute("id");
- Target target = new Target();
+ String policyUri = aclRuleElem.getAttribute("id");
+
+ //Construct the HttpResource component to be used for Policy Generation
+ HttpResource httpResource = new HttpResource();
+ this.parseTarget(httpResource, aclRuleElem);
+ this.parseRules(httpResource, aclRuleElem);
+
+
+ Target target = httpResource.getURLTarget(true); //a target with all the
parameters matched
+
Set<Rule> rules = new HashSet<Rule>();
- Policy policy = new HierarchialPolicy(policyUri, target, rules);
- this.parseTarget((HierarchialPolicy)policy, aclRuleElem);
- this.parseRules((HierarchialPolicy)policy, aclRuleElem);
+ //Permitted Roles
+ Rule permittedRoles = httpResource.getPermittedRolesRule();
+ if(permittedRoles != null)
+ {
+ rules.add(permittedRoles);
+ }
+ //Denied Roles
+ Rule deniedRoles = httpResource.getDeniedRolesRule();
+ if(deniedRoles != null)
+ {
+ rules.add(deniedRoles);
+ }
+
+ //AllowedIP Rules
+ Rule allowedIps = httpResource.getAllowedIpsRule();
+ if(allowedIps != null)
+ {
+ rules.add(allowedIps);
+ }
+
+ //Generate the policy from the HttpResource component
+ Policy policy = new HierarchialPolicy(policyUri, target, rules);
+
cour.add(policy);
}
@@ -118,14 +139,14 @@
}
//XMLParsing----------------------------------------------------------------------------------------------------------------------------------------------------
- private void parseTarget(HierarchialPolicy policy, Element aclRuleElem) throws
Exception
+ private void parseTarget(HttpResource httpResource, Element aclRuleElem) throws
Exception
{
Element resourceElem =
(Element)aclRuleElem.getElementsByTagName("resource").item(0);
Element requestUriElem =
(Element)aclRuleElem.getElementsByTagName("request-uri").item(0);
//Add RequestUri as a Resource To Match
String requestUri = requestUriElem.getTextContent();
- HttpResource httpResource = new HttpResource(requestUri);
+ httpResource.setUrl(requestUri);
//Process Parameters
NodeList parameters = resourceElem.getElementsByTagName("param");
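Review bot: Replacing `new HttpResource(requestUri)` with `httpResource.setUrl(requestUri)` drops the null check the constructor performed, since `setUrl` (visible as context in the HttpResource diff of this commit) assigns the field unchecked; a missing or empty `request-uri` is now reported only later by `getURLTarget` as an IllegalStateException that carries no reference to the offending acl rule. Validating at the parse site keeps the error close to the input: `if(requestUri == null || requestUri.trim().length() == 0) { throw new IllegalArgumentException("request-uri must not be empty"); }`. `parseTarget` continues past the end of this hunk.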
@@ -140,23 +161,10 @@
httpResource.addParameter(name, value);
}
- }
-
- if(httpResource.hasParameters())
- {
- List<AttributeExpression> exprs =
httpResource.createURLWithParametersExpression();
- for(AttributeExpression expr: exprs)
- {
- policy.getTarget().addResourceMatch(expr);
- }
- }
- else
- {
- policy.getTarget().addResourceMatch(httpResource.createURLExpression());
- }
+ }
}
- private void parseRules(HierarchialPolicy policy, Element aclRuleElem) throws
Exception
+ private void parseRules(HttpResource httpResource, Element aclRuleElem) throws
Exception
{
NodeList conditionNodes = aclRuleElem.getElementsByTagName("condition");
if(conditionNodes != null)
@@ -169,48 +177,37 @@
NodeList roleNodes =
conditionElement.getElementsByTagName("role-name");
if(roleNodes != null && roleNodes.getLength()>0)
{
- this.parseRoleRules(policy, roleNodes);
+ this.parseRoleRules(httpResource, roleNodes);
}
//Process IP Ranges
NodeList ipNodes =
conditionElement.getElementsByTagName("ip-range");
if(ipNodes != null && ipNodes.getLength() >0)
{
- this.parseIpRules(policy, ipNodes);
+ this.parseIpRules(httpResource, ipNodes);
}
}
}
}
- private void parseRoleRules(HierarchialPolicy policy, NodeList roleNodes)
+ private void parseRoleRules(HttpResource httpResource, NodeList roleNodes)
{
for(int j=0, length=roleNodes.getLength(); j<length; j++)
{
Element roleNameElem = (Element)roleNodes.item(j);
- String roleName = roleNameElem.getTextContent();
+ String roleName = roleNameElem.getTextContent();
+ httpResource.addAllowedRole(roleName);
}
}
- private void parseIpRules(HierarchialPolicy policy, NodeList ipNodes)
+ private void parseIpRules(HttpResource httpResource, NodeList ipNodes)
{
for(int j=0; j<ipNodes.getLength(); j++)
{
Element ipElem = (Element)ipNodes.item(j);
String ipRange = ipElem.getTextContent();
- Rule rule = new Rule();
- rule.setRuleId(UUID.randomUUID().toString());
- rule.setEffect(Effect.PERMIT);
-
- AttributeExpression expression = new AttributeExpression();
- expression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_IPADDRESS_MATCH);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_IP_ADDRESS,
- XMLSchemaConstants.DATATYPE_IPADDRESS, ipRange);
- expression.setAttribute(attribute);
-
- rule.setExpression(expression);
-
- policy.getRules().add(rule);
+ httpResource.addAllowedIp(ipRange);
}
- }
+ }
}
Modified:
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java
===================================================================
---
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java 2009-01-27
16:19:08 UTC (rev 12671)
+++
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java 2009-01-27
19:46:11 UTC (rev 12672)
@@ -22,7 +22,6 @@
package org.jboss.security.authz.http.pap;
import java.util.HashSet;
-import java.util.List;
import java.util.Set;
import junit.framework.TestCase;
@@ -31,7 +30,6 @@
import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.model.Target;
-import org.jboss.security.authz.model.AttributeExpression;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.pap.policy.HierarchialPolicy;
@@ -44,36 +42,28 @@
{
private static Logger log = Logger.getLogger(TestHttpResource.class);
- public void testCreateURLExpression() throws Exception
+ public void testGetURLTargetNoParameters() throws Exception
{
HttpResource httpResource = new
HttpResource("/portal/admin-tool/modifyLayout");
- AttributeExpression urlExpression = httpResource.createURLExpression();
- Target target = new Target();
- target.addResourceMatch(urlExpression);
+ Target target = httpResource.getURLTarget(false);
- Policy policy = new HierarchialPolicy("testCreateURLExpression", target, new
HashSet<Rule>());
+ Policy policy = new HierarchialPolicy("testGetURLTargetNoParameters", target,
new HashSet<Rule>());
log.info("------------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
}
- public void testCreateURLWithParametersExpression() throws Exception
+ public void testGetURLTargetWithParameters() throws Exception
{
HttpResource httpResource = new
HttpResource("/portal/admin-tool/modifyLayout");
httpResource.addParameter("test1", "test1://value");
httpResource.addParameter("test2", "test2://value");
+
+ Target target = httpResource.getURLTarget(true);
+ Policy policy = new HierarchialPolicy("testGetURLTargetWithParameters",
target, new HashSet<Rule>());
- List<AttributeExpression> parameterExpressions =
httpResource.createURLWithParametersExpression();
- Target target = new Target();
- for(AttributeExpression expression: parameterExpressions)
- {
- target.addResourceMatch(expression);
- }
-
- Policy policy = new
HierarchialPolicy("testCreateURLWithParametersExpression", target, new
HashSet<Rule>());
-
log.info("------------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
}
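Review bot: `testGetURLTargetNoParameters` and `testGetURLTargetWithParameters` only log `policy.generateXACMLPolicy()` and assert nothing, so they pass regardless of what `getURLTarget` produces. Assuming `generateXACMLPolicy()` returns the XML as a String, the inputs that are expected to appear can be checked directly, e.g. `assertTrue(policy.generateXACMLPolicy().contains("/portal/admin-tool/modifyLayout"));` in both tests, plus a check that `test1://value` appears in the parameter test and is absent from the no-parameter one.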
@@ -83,29 +73,37 @@
HttpResource httpResource = new
HttpResource("/portal/admin-tool/modifyLayout");
httpResource.addParameter("test1", "test1://value");
httpResource.addParameter("test2", "test2://value");
+ httpResource.addAllowedRole("admin");
+ httpResource.addDeniedRole("anonymous");
+
+ Target target = httpResource.getURLTarget(true);
+ Set<Rule> rules = new HashSet<Rule>();
+ rules.add(httpResource.getPermittedRolesRule());
+ rules.add(httpResource.getDeniedRolesRule());
- //Resource expression
- List<AttributeExpression> parameterExpressions =
httpResource.createURLWithParametersExpression();
- Target target = new Target();
- for(AttributeExpression expression: parameterExpressions)
- {
- target.addResourceMatch(expression);
- }
+ Policy policy = new HierarchialPolicy("testRoleRules", target, rules);
- //Role rule
+ log.info("------------------------------------------------------------------");
+ log.info(policy.generateXACMLPolicy());
+ }
+
+ public void testIPRules() throws Exception
+ {
+ HttpResource httpResource = new
HttpResource("/portal/admin-tool/modifyLayout");
+ httpResource.addParameter("test1", "test1://value");
+ httpResource.addParameter("test2", "test2://value");
+ httpResource.addAllowedRole("admin");
+ httpResource.addDeniedRole("anonymous");
+ httpResource.addAllowedIp("192.168.x.x");
+
+ Target target = httpResource.getURLTarget(true);
Set<Rule> rules = new HashSet<Rule>();
+ rules.add(httpResource.getPermittedRolesRule());
+ rules.add(httpResource.getDeniedRolesRule());
+ rules.add(httpResource.getAllowedIpsRule());
- //Permit rule
- Rule permittedRoles = httpResource.createPermittedRolesRule(new
String[]{"admin1", "admin2"});
- rules.add(permittedRoles);
+ Policy policy = new HierarchialPolicy("testIPRules", target, rules);
- //Deny rule
- Rule deniedRoles = httpResource.createDeniedRolesRule(new
String[]{"anonymous", "user"});
- rules.add(deniedRoles);
-
-
- Policy policy = new HierarchialPolicy("testRoleRules", target, rules);
-
log.info("------------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
}
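Review bot: `testIPRules` registers a single allowed IP, so it cannot detect that `getAllowedIpsRule` keeps only the last expression when several ranges are added; a second `addAllowedIp` call with a different range, followed by a check that both ranges appear in the generated policy, would cover that regression. Like the other tests in this class it has no assertions and only logs the output, so it would not fail even if the rule were empty.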