Author: sohil.shah(a)jboss.com
Date: 2009-08-08 11:16:40 -0400 (Sat, 08 Aug 2009)
New Revision: 13703
Added:
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/features/TestPolicyUpdating.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DynamicPolicyCollection.java
Modified:
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/enforcement/EnforcementContext.java
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/enforcement/LocalEnforcementPoint.java
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/provisioning/LocalPolicyProvisioner.java
modules/authorization/trunk/agent/src/test/resources/hibernate.cfg.xml
modules/authorization/trunk/agent/src/test/resources/log4j.properties
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/EnterprisePolicyFinderModule.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/provisioning/RelationalDBPolicyStore.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/spi/PolicyStore.java
Log:
Policy Hot Deployment implementation
* first success testcase....tons more to implement
Modified:
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/enforcement/EnforcementContext.java
===================================================================
---
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/enforcement/EnforcementContext.java 2009-08-08
09:55:51 UTC (rev 13702)
+++
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/enforcement/EnforcementContext.java 2009-08-08
15:16:40 UTC (rev 13703)
@@ -33,6 +33,7 @@
{
private Map<String, Object> attributes;
private boolean activateHierarchialEnforcement;
+ private boolean ignoreCache;
public EnforcementContext()
{
@@ -77,5 +78,15 @@
public void activateHierarchialEnforcement()
{
this.activateHierarchialEnforcement = true;
+ }
+
+ public boolean isIgnoreCache()
+ {
+ return ignoreCache;
+ }
+
+ public void setIgnoreCache(boolean ignoreCache)
+ {
+ this.ignoreCache = ignoreCache;
}
}
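Review bot: The new `isIgnoreCache`/`setIgnoreCache` pair carries no Javadoc, so nothing in this class says that the flag makes `LocalEnforcementPoint` skip the decision cache and re-evaluate the request. Given that the only caller in this commit (the `TestPolicyUpdating` test) sets it as a stop-gap for missing cache invalidation, that intent should be recorded where the flag lives. Suggested comment on the field: `/** When true the enforcement point bypasses the decision cache and evaluates afresh; stop-gap until cache invalidation on policy redeploy exists. */`. The rest of `EnforcementContext` is outside the hunk.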
Modified:
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/enforcement/LocalEnforcementPoint.java
===================================================================
---
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/enforcement/LocalEnforcementPoint.java 2009-08-08
09:55:51 UTC (rev 13702)
+++
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/enforcement/LocalEnforcementPoint.java 2009-08-08
15:16:40 UTC (rev 13703)
@@ -95,7 +95,10 @@
EnforcementResponse enforcementResponse = null;
try
{
- enforcementResponse = this.enforcementCache.checkAccess(enforcementContext);
+ if(!enforcementContext.isIgnoreCache())
+ {
+ enforcementResponse = this.enforcementCache.checkAccess(enforcementContext);
+ }
if(enforcementResponse == null)
{
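Review bot: Guarding the cache lookup only on `isIgnoreCache()` means a cached PERMIT for a resource is still returned after that resource's policy has been redeployed as DENY, which is exactly why the accompanying test has to set the flag (its own `TODO: Remove This when Cache Invalidations are implemented`). Until invalidation exists the bypass should be marked as such at the lookup, e.g. `// NOTE: cached decisions are not invalidated on policy redeploy; ignoreCache is the caller's only way to see a fresh decision`. It is not visible in this hunk whether a decision obtained with the flag set is written back into `enforcementCache`; the remainder of the method is outside the hunk.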
Modified:
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/provisioning/LocalPolicyProvisioner.java
===================================================================
---
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/provisioning/LocalPolicyProvisioner.java 2009-08-08
09:55:51 UTC (rev 13702)
+++
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/provisioning/LocalPolicyProvisioner.java 2009-08-08
15:16:40 UTC (rev 13703)
@@ -22,16 +22,22 @@
package org.jboss.security.authz.agent.provisioning;
import java.util.Set;
+import java.util.HashSet;
import org.apache.log4j.Logger;
import org.jboss.security.authz.agent.services.CompositionContext;
import org.jboss.security.authz.agent.services.PolicyComposer;
import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.model.PolicyMetaData;
import org.jboss.security.authz.policy.server.PolicyServer;
import org.jboss.security.authz.policy.server.PolicyServerException;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
/**
* This Policy Provisioner integrates with the Policy Server in the same VM.
* This provides fastest provisioning option
@@ -136,7 +142,38 @@
public Set<Policy> find(ProvisioningContext provisioningContext)
throws ProvisioningException
{
- return null;
+ try
+ {
+ Object[] values = provisioningContext.getValues();
+ if(values != null)
+ {
+ for(Object value: values)
+ {
+ if(value instanceof URIResource)
+ {
+ Set<Policy> policies = new HashSet<Policy>();
+ URIResource uriResource = (URIResource)value;
+ Attribute attribute = new Attribute();
+ attribute.setValue(uriResource.getUri().toString());
+ attribute.setUri(XACMLConstants.ATTRIBUTEID_RESOURCE_ID);
+ attribute.setDataType(XMLSchemaConstants.DATATYPE_STRING);
+
+ Policy policy = this.policyServer.findByResource(attribute);
+ if(policy != null)
+ {
+ policies.add(policy);
+ }
+ return policies;
+ }
+ }
+ }
+ return null;
+ }
+ catch (PolicyServerException pe)
+ {
+ log.error(this, pe);
+ throw new ProvisioningException(pe);
+ }
}
/**
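Review bot: `find` returns `null` both when `provisioningContext.getValues()` is null and when no value is a `URIResource`, and it returns after the first `URIResource` it meets, so callers must null-check and any further resource values are ignored; replacing the final `return null;` with `return new HashSet<Policy>();` (the import is already added in this commit) lets callers iterate safely. The returned set can hold at most one entry because `policyServer.findByResource` yields a single `Policy`, which is worth stating in the method's Javadoc. `log.error(this, pe)` logs the provisioner's `toString()` as the message; `log.error("Policy lookup by resource failed", pe)` gives a record someone can act on. The `log` field and the `ProvisioningContext` type are declared outside the hunk.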
Added:
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/features/TestPolicyUpdating.java
===================================================================
---
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/features/TestPolicyUpdating.java
(rev 0)
+++
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/features/TestPolicyUpdating.java 2009-08-08
15:16:40 UTC (rev 13703)
@@ -0,0 +1,126 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.agent.features;
+
+import java.net.URI;
+import java.util.Set;
+
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.agent.provisioning.ProvisioningContext;
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.Policy;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class TestPolicyUpdating extends AbstractFeatureTest
+{
+ public void testPolicyModification() throws Exception
+ {
+ // SetUp Resource
+ URIResource resource = new URIResource();
+ resource.setUri(new URI("/root/level1/level2/index.html"));
+
+ Read action = new Read();
+
+ Roles allowedRoles = new Roles();
+ allowedRoles.addName("user");
+
+ for(int i=0; i<2; i++)
+ {
+ if(i > 0)
+ {
+ resource.setUri(new URI("/root/level1/level2/index.html/"+i));
+ }
+ // Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(resource);
+ context.addPolicyRule(Effect.PERMIT, action, allowedRoles,
+ "allowExpression");
+
+ // Store the policy into the Policy Server
+ this.provisioner.deploy(context);
+ }
+
+ this.assertServerState();
+
+ // Go ahead and produce a RequestContext for a "Permit" Enforcement
+ URIResource contextResource = new URIResource();
+ contextResource.setUri(new URI("/root/level1/level2/index.html"));
+
+ // Perform enforcement
+ this.enforce(this.createEnforcementContext(contextResource, action), true);
+
+ //Find the Policy using the finder
+ ProvisioningContext provisioningContext = new ProvisioningContext();
+ provisioningContext.setAttribute("uri-resource", resource);
+ Set<Policy> policies = this.provisioner.find(provisioningContext);
+ assertTrue("Policy Not Found!!", policies!=null &&
policies.size()==1);
+
+ //Make Policy Modifications and Deploy
+ resource.setUri(new URI("/root/level1/level2/index.html"));
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(resource);
+ context.addPolicyRule(Effect.DENY, action, allowedRoles,
+ "denyExpression");
+ this.provisioner.deploy(this.policyComposer.compose(context));
+
+ this.assertServerState();
+
+ //Enforce and make sure new Rules apply
+ //TODO: Remove This when Cache Invalidations are implemented!!!
+ EnforcementContext enforcementContext = this.createEnforcementContext(contextResource,
action);
+ enforcementContext.setIgnoreCache(true);
+ this.enforce(enforcementContext, false);
+ }
+ //
------------------------------------------------------------------------------------------------------------------------------------------------------
+ private EnforcementContext createEnforcementContext(
+ URIResource protectedResource, Read action) throws Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = new EnforcementContext();
+
+ // Enable Hierarchial Enforcement
+ context.activateHierarchialEnforcement();
+
+ // Create Resource
+ context.setAttribute("uri-resource", protectedResource);
+
+ // Create Subjects
+ Roles roles = new Roles();
+ roles.addName("user");
+ context.setAttribute("roles", roles);
+ Identity identity = new Identity();
+ identity.setName("blah(a)blah.com");
+ context.setAttribute("identity", identity);
+
+ // Create Action
+ context.setAttribute("action", action);
+
+ return context;
+ }
+}
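Review bot: The two deployments take different paths — `this.provisioner.deploy(context)` in the loop and `this.provisioner.deploy(this.policyComposer.compose(context))` for the modification — and from this file alone it is not clear that both overloads exist or that the difference is intended; using the same call twice keeps a failure pointed at hot deployment rather than at the deploy API. The final enforcement proves the DENY rule only with `setIgnoreCache(true)`, so a regression where a stale cached PERMIT survives redeployment would still pass; a comment at that point should say the check is deliberately cache-bypassing, and an un-bypassed `enforce(..., false)` belongs here once invalidation exists. `AbstractFeatureTest` and the `provisioner`/`policyComposer` fields live outside this file.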
Modified: modules/authorization/trunk/agent/src/test/resources/hibernate.cfg.xml
===================================================================
--- modules/authorization/trunk/agent/src/test/resources/hibernate.cfg.xml 2009-08-08
09:55:51 UTC (rev 13702)
+++ modules/authorization/trunk/agent/src/test/resources/hibernate.cfg.xml 2009-08-08
15:16:40 UTC (rev 13703)
@@ -47,7 +47,7 @@
<property
name="cache.provider_class">org.hibernate.cache.NoCacheProvider</property>
<!-- Echo all executed SQL to stdout -->
- <property name="show_sql">true</property>
+ <property name="show_sql">false</property>
<!--
Drop and re-create the database schema on startup
Modified: modules/authorization/trunk/agent/src/test/resources/log4j.properties
===================================================================
--- modules/authorization/trunk/agent/src/test/resources/log4j.properties 2009-08-08
09:55:51 UTC (rev 13702)
+++ modules/authorization/trunk/agent/src/test/resources/log4j.properties 2009-08-08
15:16:40 UTC (rev 13703)
@@ -1,8 +1,8 @@
# Set root category priority to INFO and its only appender to CONSOLE.
-log4j.rootCategory=DEBUG, CONSOLE
+log4j.rootCategory=INFO, CONSOLE
# CONSOLE is set to be a ConsoleAppender using a PatternLayout.
-log4j.appender.CONSOLE.Threshold=DEBUG
+log4j.appender.CONSOLE.Threshold=INFO
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java 2009-08-08
09:55:51 UTC (rev 13702)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java 2009-08-08
15:16:40 UTC (rev 13703)
@@ -25,17 +25,16 @@
import org.apache.log4j.Logger;
-import org.jboss.security.authz.model.DroolsRuleExpression;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.PolicyMetaData;
import org.jboss.security.authz.model.PolicyException;
-import org.jboss.security.authz.model.Rule;
-import org.jboss.security.authz.tools.GeneralTool;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.policy.client.enforcement.Request;
import org.jboss.security.authz.policy.client.enforcement.Response;
import org.jboss.security.authz.policy.server.decision.PolicyDecisionPoint;
import org.jboss.security.authz.policy.server.spi.PolicyStore;
-import org.jboss.security.authz.policy.server.plugin.XACMLPolicy;
import org.jboss.security.authz.policy.server.plugin.EnterprisePolicyFinderModule;
import org.jboss.security.authz.policy.server.plugin.DroolsRuleManager;
@@ -72,6 +71,7 @@
{
this.policyFinderModule = (EnterprisePolicyFinderModule) module;
this.policyFinderModule.setPolicyStore(this.policyStore);
+ this.policyFinderModule.setRuleManager(this.ruleManager);
this.policyFinderModule.bootup();
}
}
@@ -117,7 +117,7 @@
this.ruleManager = ruleManager;
}
- // --------Decision making
+ // --------Enforcement Phase
//
services--------------------------------------------------------------------------------------------------------------------------
/**
* Makes an Authorization Decision
@@ -150,7 +150,7 @@
return this.policyDecisionPoint.evaluate(xml);
}
- // ------- Provisioning
+ // ------- Provisioning Phase
//
services-----------------------------------------------------------------------------------------------------------------------------
/**
* Generates a new Policy instance based on the supplied MetaData and stores
@@ -162,35 +162,38 @@
public void deploy(PolicyMetaData policyMetaData)
throws PolicyServerException
{
+ Policy policy = this.findPolicy(policyMetaData);
+
+ if (policy == null)
+ {
+ // Create a New Policy
+ this.policyFinderModule.newPolicy(policyMetaData);
+ }
+ else
+ {
+ // Update an existing Policy
+ this.policyFinderModule.updatePolicy(policy, policyMetaData);
+ }
+ }
+
+ /**
+ * Deletes the specified Policy from storage
+ *
+ * @param policyUri
+ * unique identifier for the Policy
+ */
+ public void deletePolicy(String policyUri) throws PolicyServerException
+ {
try
{
- Policy policy = new XACMLPolicy(GeneralTool.generateUniqueId(),
- policyMetaData);
-
- // Save the policy in the Policy Store
- this.policyStore.savePolicy(policy);
-
- // Update the PolicyFinder's runtime state with this new policy
- this.policyFinderModule.addPolicy(policy);
-
- // Update the DroolsRuleManager's runtime state with any Drools based
- // expressions if they are part of this new policy
- Set<Rule> rules = policyMetaData.getRules();
- for (Rule rule : rules)
- {
- Object expression = rule.getExpression();
- if (expression instanceof DroolsRuleExpression)
- {
- this.ruleManager.addRule((DroolsRuleExpression) expression);
- }
- }
+ this.policyFinderModule.deletePolicy(this.policyStore.readPolicy(policyUri));
}
catch (PolicyException pe)
{
throw new PolicyServerException(pe);
}
}
-
+
/**
* Returns all the stored Policies for the system
*
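Review bot: `deletePolicy` hands `this.policyStore.readPolicy(policyUri)` straight to `policyFinderModule.deletePolicy`, and the store's `readPolicy` added in this commit returns `null` for an unknown uri (it uses `uniqueResult()`), so deleting a non-existent policy fails with a NullPointerException on `policy.getPolicyUri()` inside the finder module rather than a `PolicyServerException`; read into a local, check for null, and either return or raise a `PolicyServerException` before delegating. `deploy` now also lets the `IllegalArgumentException` thrown by `findPolicy` escape unwrapped, which its `throws` clause does not announce; add `@throws IllegalArgumentException if the policy has no resource matches`. The Javadoc above `deploy` (outside the hunk) still says it "Generates a new Policy instance", while the method now updates an existing one when `findPolicy` returns a match; reword it to cover both branches.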
@@ -209,20 +212,47 @@
}
/**
- * Deletes the specified Policy from storage
+ * Finds the Policy associated with the specified URIResource
*
- * @param policyUri
- * unique identifier for the Policy
+ * @param uriResource
+ * @return
+ * @throws PolicyException
*/
- public void deletePolicy(String policyUri) throws PolicyServerException
+ public Policy findByResource(Attribute resourceAttribute) throws PolicyServerException
{
try
{
- this.policyStore.deletePolicy(policyUri);
+ return this.policyStore.findByResource(resourceAttribute);
}
catch (PolicyException pe)
{
throw new PolicyServerException(pe);
}
}
+ //
--------------------------------------------------------------------------------------------------------------------------------------------
+ private Policy findPolicy(PolicyMetaData policyMetaData)
+ {
+ Target policyTarget = policyMetaData.getTarget();
+ if(policyTarget.getResourceMatches()==null ||
policyTarget.getResourceMatches().isEmpty())
+ {
+ throw new IllegalArgumentException("Invalid Policy Structure. A Policy without
any Resource Matching Rules is not Supported!!");
+ }
+
+ for(AttributeExpression resourceMatch: policyTarget.getResourceMatches())
+ {
+ try
+ {
+ Policy policy = this.findByResource(resourceMatch.getAttribute());
+ if(policy != null)
+ {
+ return policy;
+ }
+ }
+ catch(Throwable t)
+ {
+ continue;
+ }
+ }
+ return null;
+ }
}
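Review bot: `findPolicy` catches `Throwable` and `continue`s, so a `PolicyServerException` from `findByResource` — including the `RuntimeException` the relational store wraps around any failure — is silently treated as "no existing policy", and `deploy` then creates a second stored policy for the same resource instead of updating the first; it also swallows `Error`s. Declare `private Policy findPolicy(PolicyMetaData policyMetaData) throws PolicyServerException`, drop the try/catch, and let `deploy` (which already declares that exception) propagate it. The `findByResource` Javadoc names `@param uriResource` while the parameter is `resourceAttribute`, its `@return` is empty and `@throws PolicyException` names the wrong type; use `@param resourceAttribute the resource-id attribute to match`, `@return the matching Policy, or null if none is stored`, `@throws PolicyServerException if the store lookup fails`.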
Added:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DynamicPolicyCollection.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DynamicPolicyCollection.java
(rev 0)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DynamicPolicyCollection.java 2009-08-08
15:16:40 UTC (rev 13703)
@@ -0,0 +1,69 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.policy.server.plugin;
+
+import java.util.Iterator;
+import java.util.TreeSet;
+
+import org.jboss.security.xacml.sunxacml.support.finder.PolicyCollection;
+import org.jboss.security.xacml.sunxacml.AbstractPolicy;
+
+/**
+ * For now, just non-versioned version
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class DynamicPolicyCollection extends PolicyCollection
+{
+ /**
+ * Removes the specified Policy from being processed
+ *
+ * @param policy
+ */
+ public void deactivate(String policyUri)
+ {
+ this.policies.remove(policyUri);
+ }
+
+ /**
+ *
+ * @param policyUri
+ * @return
+ */
+ public AbstractPolicy getPolicy(String policyUri)
+ {
+ TreeSet set = (TreeSet) (policies.get(policyUri));
+ if (set == null)
+ {
+ return null;
+ }
+
+ Iterator it = set.iterator();
+ while (it.hasNext())
+ {
+ AbstractPolicy policy = (AbstractPolicy) (it.next());
+ return policy;
+ }
+
+ return null;
+ }
+}
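Review bot: `getPolicy(String)` is written as a `while` loop that returns on its first iteration, which reads as iteration but is a first-element lookup; `return set.isEmpty() ? null : (AbstractPolicy) set.first();` states the intent directly. Both methods work on the inherited `policies` map through raw `TreeSet`/`Iterator` types and an unchecked cast; if `PolicyCollection` exposes the value type, declare it, otherwise `TreeSet<?>` at least keeps the compiler involved. The Javadoc of `deactivate` names `@param policy` while the parameter is `policyUri`, and `getPolicy`'s `@return` is empty; since `policies.remove(policyUri)` drops the whole entry for that uri (presumably every version held in the set), the class comment "just non-versioned version" should say so explicitly. `policies` is declared in `PolicyCollection`, outside this file.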
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/EnterprisePolicyFinderModule.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/EnterprisePolicyFinderModule.java 2009-08-08
09:55:51 UTC (rev 13702)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/EnterprisePolicyFinderModule.java 2009-08-08
15:16:40 UTC (rev 13703)
@@ -28,166 +28,279 @@
import org.apache.log4j.Logger;
+import org.jboss.security.authz.model.DroolsRuleExpression;
import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.model.PolicyException;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.Expression;
+import org.jboss.security.authz.model.DroolsRuleExpression;
import org.jboss.security.authz.policy.server.spi.PolicyStore;
import org.jboss.security.authz.policy.server.PolicyServerException;
+import org.jboss.security.authz.tools.GeneralTool;
import org.jboss.security.xacml.sunxacml.EvaluationCtx;
import org.jboss.security.xacml.sunxacml.finder.PolicyFinder;
import org.jboss.security.xacml.sunxacml.finder.PolicyFinderModule;
import org.jboss.security.xacml.sunxacml.finder.PolicyFinderResult;
import org.jboss.security.xacml.sunxacml.support.finder.PolicyReader;
-import org.jboss.security.xacml.sunxacml.support.finder.PolicyCollection;
import org.jboss.security.xacml.sunxacml.support.finder.TopLevelPolicyException;
import org.jboss.security.xacml.sunxacml.AbstractPolicy;
/**
- * A production ready Enterprise Policy Finder that would be used by the Policy
Server/PDP component.
+ * A production ready Enterprise Policy Finder that would be used by the Policy
+ * Server/PDP component.
*
- * It is designed for being production ready from a performance/scalability/clustering
standpoint
+ * It is designed for being production ready from a
+ * performance/scalability/clustering standpoint
*
- * This particular version will provide performance enhancement by the use of a clustered
cache based on JBoss Cache
- * The actual storage of the policies will be done within a relational database
+ * This particular version will provide performance enhancement by the use of a
+ * clustered cache based on JBoss Cache The actual storage of the policies will
+ * be done within a relational database
*
- * This also allows for runtime modification of Security Policies without requiring any
restart/refresh of the Applications
+ * This also allows for runtime modification of Security Policies without
+ * requiring any restart/refresh of the Applications
*
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
- *
+ *
+ *
+ * TODO: Transactional Integrity and proper Concurrency when Updating the State of the
Rule Engine
+ *
*/
public class EnterprisePolicyFinderModule extends PolicyFinderModule
{
- private static Logger log = Logger.getLogger(EnterprisePolicyFinderModule.class);
-
- private PolicyReader reader;
- private PolicyCollection policies;
+ private static Logger log = Logger
+ .getLogger(EnterprisePolicyFinderModule.class);
+
+ private PolicyReader reader;
private PolicyStore policyStore;
+ private DroolsRuleManager ruleManager;
+ private DynamicPolicyCollection policies;
+
public EnterprisePolicyFinderModule()
{
- this.policies = new PolicyCollection();
+ this.policies = new DynamicPolicyCollection();
}
-
+
+ public PolicyStore getPolicyStore()
+ {
+ return policyStore;
+ }
+
+ public void setPolicyStore(PolicyStore policyStore)
+ {
+ this.policyStore = policyStore;
+ }
+
+ public DroolsRuleManager getRuleManager()
+ {
+ return ruleManager;
+ }
+
+ public void setRuleManager(DroolsRuleManager ruleManager)
+ {
+ this.ruleManager = ruleManager;
+ }
+ // -----------PolicyFinderModule
+ //
Implementation------------------------------------------------------------------------------------------------------------
+ /**
+ * Initializes this module for use by the given finder. Typically this is
+ * called when a <code>PDP</code> is initialized with a
<code>PDPConfig</code>
+ * containing the given <code>PolicyFinder</code>. Because
+ * <code>PolicyFinderModule</code>s usually need to parse policies, and
this
+ * requires knowing their <code>PolicyFinder<code>,
+ * parsing is usually done at or after this point in the lifetime
+ * of this module. This might also be a good time to reset any internal
+ * caches or temporary data. Note that this method may be called more
+ * than once in the lifetime of a module.
+ *
+ * @param finder
+ * the <code>PolicyFinder</code> using this module
+ */
+ public void init(PolicyFinder finder)
+ {
+ this.reader = new PolicyReader(finder, java.util.logging.Logger
+ .getLogger(this.getClass().getName()));
+ }
+
+ /**
+ * Returns true if the module supports finding policies based on a request
+ * (ie, target matching). By default this method returns false.
+ *
+ * @return true if request retrieval is supported
+ */
+ public boolean isRequestSupported()
+ {
+ return true;
+ }
+
+ /**
+ * Tries to find one and only one matching policy given the request
+ * represented by the context data. If more than one policy is found, this is
+ * an error and must be reported as such. If no policies are found, then an
+ * empty result must be returned. By default this method returns an empty
+ * result. This method should never return null.
+ *
+ * @param context
+ * the representation of the request
+ *
+ * @return the result of looking for a matching policy
+ */
+ public PolicyFinderResult findPolicy(EvaluationCtx context)
+ {
+ try
+ {
+ AbstractPolicy policy = this.policies.getPolicy(context);
+ if (policy == null)
+ {
+ return new PolicyFinderResult();
+ }
+ else
+ {
+ return new PolicyFinderResult(policy);
+ }
+ }
+ catch (TopLevelPolicyException e)
+ {
+ return new PolicyFinderResult(e.getStatus());
+ }
+ }
+ //
------------------------------------------------------------------------------------------------------------------------------------------
public void bootup() throws PolicyServerException
{
try
{
- //Load the persisted Policies into the Finder's memory
- log.info("------------------------------------------------------------------");
- log.info("Booting Up the Policy Rule
Engine.................................");
+ // Load the persisted Policies into the Finder's memory
+ log
+ .info("------------------------------------------------------------------");
+ log
+ .info("Booting Up the Policy Rule
Engine.................................");
Set<Policy> allPolicies = this.policyStore.readAllPolicies();
- if(allPolicies != null)
+ if (allPolicies != null)
{
- for(Policy policy: allPolicies)
+ for (Policy policy : allPolicies)
{
- this.addPolicy(policy);
+ this.injectPolicy(policy);
}
- log.info("Rule Engine successfully started with
["+allPolicies.size()+"] stored Policies");
- }
- log.info("------------------------------------------------------------------");
+ log.info("Rule Engine successfully started with [" + allPolicies.size()
+ + "] stored Policies");
+ }
+ log
+ .info("------------------------------------------------------------------");
}
- catch(Throwable t)
+ catch (Throwable t)
{
log.error(this, t);
throw new PolicyServerException(t);
}
}
- public void addPolicy(Policy policy) throws PolicyServerException
+ public void newPolicy(PolicyMetaData policyMetaData) throws PolicyServerException
{
+ try
+ {
+ Policy policy = new XACMLPolicy(GeneralTool.generateUniqueId(),
+ policyMetaData);
+
+ // Save the policy in the Policy Store
+ this.policyStore.savePolicy(policy);
+
+ // Inject the new Policy into the Rule Engine
+ this.injectPolicy(policy);
+
+ // Update the DroolsRuleManager's runtime state with any Drools based
+ // expressions if they are part of this new policy
+ Set<Rule> rules = policyMetaData.getRules();
+ for (Rule rule : rules)
+ {
+ Object expression = rule.getExpression();
+ if (expression instanceof DroolsRuleExpression)
+ {
+ this.ruleManager.addRule((DroolsRuleExpression) expression);
+ }
+ }
+ }
+ catch (Throwable t)
+ {
+ log.error(this, t);
+ throw new PolicyServerException(t);
+ }
+ }
+
+ public void updatePolicy(Policy oldPolicy, PolicyMetaData newPolicy) throws
PolicyServerException
+ {
+ this.deletePolicy(oldPolicy);
+
+ //TODO: This hot deployment should be done out-of-band
+ //and new policy should then be deployed into the rule engine
+ this.newPolicy(newPolicy);
+ }
+
+ public void deletePolicy(Policy policy) throws PolicyServerException
+ {
+ try
+ {
+ AbstractPolicy activePolicy = this.policies.getPolicy(policy.getPolicyUri());
+
+ //Deactivate this Policy
+ if(activePolicy != null)
+ {
+ //First deactivate this policy
+ this.policies.deactivate(policy.getPolicyUri());
+
+
+ //Delete any DroolsExpressions associated with this Policy from the Drools Manager
+ if(policy.getMetaData().getRules()!=null)
+ {
+ for(Rule policyRule: policy.getMetaData().getRules())
+ {
+ Expression ruleExpression = policyRule.getExpression();
+ if(ruleExpression instanceof DroolsRuleExpression)
+ {
+ this.ruleManager.removeRule(((DroolsRuleExpression)
ruleExpression).getRuleReference());
+ }
+ }
+ }
+
+ //Delete this Policy from the Policy Store
+ this.policyStore.deletePolicy(policy.getPolicyUri());
+ }
+ }
+ catch (PolicyException pe)
+ {
+ throw new PolicyServerException(pe);
+ }
+ }
+ //-------------------------------------------------------------------------------------------------------------------------------------------
+ private void injectPolicy(Policy policy) throws PolicyServerException
+ {
ByteArrayInputStream bos = null;
try
{
String xacmlPolicyStr = policy.generateSystemPolicy();
bos = new ByteArrayInputStream(xacmlPolicyStr.getBytes());
-
-
+
AbstractPolicy xacmlPolicy = this.reader.readPolicy(bos);
this.policies.addPolicy(xacmlPolicy);
}
- catch(Exception e)
+ catch (Exception e)
{
log.error(this, e);
throw new PolicyServerException(e);
}
finally
{
- if(bos != null)
+ if (bos != null)
{
try
{
bos.close();
- }catch(IOException ioe){}
+ }
+ catch (IOException ioe)
+ {
+ }
}
}
- }
-
- public PolicyStore getPolicyStore()
- {
- return policyStore;
- }
-
- public void setPolicyStore(PolicyStore policyStore)
- {
- this.policyStore = policyStore;
- }
- //-----------PolicyFinderModule
Implementation------------------------------------------------------------------------------------------------------------
- /**
- * Initializes this module for use by the given finder. Typically this
- * is called when a <code>PDP</code> is initialized with a
- * <code>PDPConfig</code> containing the given
<code>PolicyFinder</code>.
- * Because <code>PolicyFinderModule</code>s usually need to parse
- * policies, and this requires knowing their <code>PolicyFinder<code>,
- * parsing is usually done at or after this point in the lifetime
- * of this module. This might also be a good time to reset any internal
- * caches or temporary data. Note that this method may be called more
- * than once in the lifetime of a module.
- *
- * @param finder the <code>PolicyFinder</code> using this module
- */
- public void init(PolicyFinder finder)
- {
- this.reader = new PolicyReader(finder,
java.util.logging.Logger.getLogger(this.getClass().getName()));
- }
-
- /**
- * Returns true if the module supports finding policies based on a
- * request (ie, target matching). By default this method returns false.
- *
- * @return true if request retrieval is supported
- */
- public boolean isRequestSupported()
- {
- return true;
- }
-
- /**
- * Tries to find one and only one matching policy given the request
- * represented by the context data. If more than one policy is found,
- * this is an error and must be reported as such. If no policies are
- * found, then an empty result must be returned. By default this
- * method returns an empty result. This method should never return null.
- *
- * @param context the representation of the request
- *
- * @return the result of looking for a matching policy
- */
- public PolicyFinderResult findPolicy(EvaluationCtx context)
- {
- try
- {
- AbstractPolicy policy = this.policies.getPolicy(context);
- if (policy == null)
- {
- return new PolicyFinderResult();
- }
- else
- {
- return new PolicyFinderResult(policy);
- }
- }
- catch (TopLevelPolicyException e)
- {
- return new PolicyFinderResult(e.getStatus());
- }
- }
+ }
}
\ No newline at end of file
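Review bot: In `deletePolicy` the store deletion `this.policyStore.deletePolicy(policy.getPolicyUri())` sits inside `if(activePolicy != null)`, so a policy that is persisted but not currently loaded in the finder is never removed from the store and comes back at the next `bootup`; the store deletion belongs outside that branch, with only the in-memory deactivation and Drools rule removal conditional on the policy being active. `updatePolicy` deletes from the store and the rule engine before `newPolicy` persists the replacement, so any failure in `newPolicy` (it wraps every `Throwable`) leaves the resource with no stored policy at all — the TODO notes the out-of-band deployment but not this outcome; persisting and injecting the new policy before deactivating the old one removes the window. `deletePolicy` also wraps its `PolicyException` without the `log.error(this, ...)` the sibling methods use, and `DroolsRuleExpression` is imported twice in the new import block; one import is enough.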
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/provisioning/RelationalDBPolicyStore.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/provisioning/RelationalDBPolicyStore.java 2009-08-08
09:55:51 UTC (rev 13702)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/provisioning/RelationalDBPolicyStore.java 2009-08-08
15:16:40 UTC (rev 13703)
@@ -32,7 +32,6 @@
import org.hibernate.Transaction;
-import org.jboss.security.authz.components.resource.URIResource;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.PolicyException;
import org.jboss.security.authz.model.Attribute;
@@ -196,8 +195,87 @@
* @return
* @throws PolicyException
*/
- public Policy find(URIResource uriResource) throws PolicyException
+ public Policy findByResource(Attribute resourceAttribute) throws PolicyException
{
- return null;
+ Session session = null;
+ Transaction tx = null;
+ try
+ {
+ //Join or Create a New Session/Transaction
+ session = this.hibernateService.getCurrentSession();
+ tx = session.beginTransaction();
+
+ Object[] result = (Object[])session.createQuery("from XACMLPolicy policy "
+
+ "join policy.metaData.target.resourceMatches match " +
+ "where match.attribute.uri=? and match.attribute.value=?").
+ setString(0, resourceAttribute.getUri()).setString(1,
resourceAttribute.getValue()).uniqueResult();
+
+ if(result != null)
+ {
+ for(Object object: result)
+ {
+ if(object instanceof Policy)
+ {
+ return (Policy)object;
+ }
+ }
+ }
+
+ tx.commit();
+
+ return null;
+ }
+ catch(Throwable t)
+ {
+ log.error(this, t);
+ tx.rollback();
+ throw new RuntimeException(t);
+ }
+ finally
+ {
+ if(session.isOpen())
+ {
+ session.close();
+ }
+ }
}
+
+ /**
+ * Returns the Policy with the specified unique policy uri
+ *
+ * @param policyUri
+ * @return
+ * @throws PolicyException
+ */
+ public Policy readPolicy(String policyUri) throws PolicyException
+ {
+ Session session = null;
+ Transaction tx = null;
+ try
+ {
+ //Join or Create a New Session/Transaction
+ session = this.hibernateService.getCurrentSession();
+ tx = session.beginTransaction();
+
+ Policy policy = (Policy)session.createQuery("from XACMLPolicy where
policyUri=?").
+ setString(0, policyUri).uniqueResult();
+
+ tx.commit();
+
+ return policy;
+ }
+ catch(Throwable t)
+ {
+ log.error(this, t);
+ tx.rollback();
+ throw new RuntimeException(t);
+ }
+ finally
+ {
+ if(session.isOpen())
+ {
+ session.close();
+ }
+ }
+ }
}
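Review bot: In `findByResource` the `return (Policy)object;` inside the loop exits before `tx.commit()` is reached, so on the success path the transaction begun at `session.beginTransaction()` is never committed and the `finally` block closes the session over it; collecting the match and committing before returning avoids that. Both new methods also call `tx.rollback()` in the catch block and `session.isOpen()` in the finally block unguarded, so if `getCurrentSession()` or `beginTransaction()` throws, the handler raises a NullPointerException that hides the original failure; `if (tx != null) tx.rollback();` and `if (session != null && session.isOpen())` keep the original error visible. The methods declare `throws PolicyException` but every failure is rethrown as `new RuntimeException(t)`, which callers catching `PolicyException` will not see; rethrowing as a `PolicyException` would honour the declared contract (presumably it has a cause-taking constructor — not visible in this diff). Note too that `uniqueResult()` on the join query will throw (surfacing as that RuntimeException) if more than one policy's target matches the same resource attribute, so a caller cannot distinguish "no policy" from "ambiguous policies" on a lookup that feeds authorization decisions; this deserves either explicit handling or a documented contract. The restructured success path of `findByResource`:
```java
// … unchanged: session/transaction setup and the join query …
Policy found = null;
if (result != null)
{
    for (Object object : result)
    {
        if (object instanceof Policy)
        {
            found = (Policy) object;
            break;
        }
    }
}
tx.commit();
return found;
// … unchanged: catch/finally, with the null guards on tx and session …
```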
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/spi/PolicyStore.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/spi/PolicyStore.java 2009-08-08
09:55:51 UTC (rev 13702)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/spi/PolicyStore.java 2009-08-08
15:16:40 UTC (rev 13703)
@@ -26,9 +26,8 @@
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.PolicyException;
+import org.jboss.security.authz.model.Attribute;
-import org.jboss.security.authz.components.resource.URIResource;
-
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*
@@ -42,7 +41,7 @@
* @return
* @throws PolicyException
*/
- public Policy find(URIResource uriResource) throws PolicyException;
+ public Policy findByResource(Attribute resourceAttribute) throws PolicyException;
/**
* Returns all the stored Policies for the system
@@ -50,6 +49,15 @@
* @return all the stored Policies
*/
public Set<Policy> readAllPolicies() throws PolicyException;
+
+ /**
+ * Returns the Policy with the specified unique policy uri
+ *
+ * @param policyUri
+ * @return
+ * @throws PolicyException
+ */
+ public Policy readPolicy(String policyUri) throws PolicyException;
/**
* Saves a Policy into storage. If this policy already exists in storage, then