Author: sohil.shah(a)jboss.com
Date: 2009-02-06 16:51:50 -0500 (Fri, 06 Feb 2009)
New Revision: 12790
Added:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Roles.java
Removed:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Role.java
Modified:
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/xacml/JAXBEncoder.java
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Identity.java
modules/authorization/trunk/core-components/src/test/java/org/jboss/security/authz/components/subject/TestIdentity.java
Log:
code backup
Modified:
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/xacml/JAXBEncoder.java
===================================================================
---
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/xacml/JAXBEncoder.java 2009-02-06
14:53:56 UTC (rev 12789)
+++
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/xacml/JAXBEncoder.java 2009-02-06
21:51:50 UTC (rev 12790)
@@ -21,12 +21,20 @@
*/
package org.jboss.security.authz.xacml;
+import java.io.IOException;
+import java.io.OutputStream;
+
+import javax.xml.bind.JAXB;
+import javax.xml.bind.JAXBElement;
+
import org.jboss.security.xacml.core.model.context.AttributeType;
import org.jboss.security.xacml.core.model.context.AttributeValueType;
import org.jboss.security.xacml.core.model.context.SubjectType;
import org.jboss.security.xacml.core.model.context.ResourceType;
import org.jboss.security.xacml.core.model.context.ActionType;
import org.jboss.security.xacml.core.model.context.EnvironmentType;
+import org.jboss.security.xacml.core.model.policy.ObjectFactory;
+import org.jboss.security.xacml.core.model.policy.PolicyType;
import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.model.Subject;
@@ -149,4 +157,9 @@
return jaxbObject;
}
+
+ public static void marshall(OutputStream os, Subject subject) throws IOException
+ {
+ JAXB.marshal(JAXBEncoder.encode(subject), os);
+ }
}
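Review bot: `marshall` declares `throws IOException`, but the only call in its body is `JAXB.marshal(...)`, which reports failures through the unchecked `javax.xml.bind.DataBindingException`, so callers must handle an exception that is never thrown while the real failure mode goes undocumented. Either drop the clause or add a Javadoc line such as `@throws DataBindingException if the encoded Subject cannot be written to os`. `os` and `subject` are passed through unchecked, so the Javadoc should also state that both must be non-null. Of the imports added in the first hunk, `JAXBElement`, `ObjectFactory` and `PolicyType` are not used by the lines visible here, though the rest of the class is outside the hunk.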
Modified:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Identity.java
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Identity.java 2009-02-06
14:53:56 UTC (rev 12789)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Identity.java 2009-02-06
21:51:50 UTC (rev 12790)
@@ -22,14 +22,13 @@
******************************************************************************/
package org.jboss.security.authz.components.subject;
-import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.model.AttributeExpression;
import org.jboss.security.authz.model.Effect;
import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.model.Target;
import org.jboss.security.authz.model.Subject;
+import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.tools.GeneralTool;
-import org.jboss.security.authz.xacml.ExpressionBuilder;
import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
@@ -50,10 +49,6 @@
*/
private String name;
- /**
- * Authentication Method used to Authenticate this Identity
- */
- private String authenticationMethod;
public Identity()
{
@@ -68,25 +63,14 @@
public void setName(String name)
{
this.name = name;
- }
-
-
- public String getAuthenticationMethod()
- {
- return authenticationMethod;
- }
-
- public void setAuthenticationMethod(String authenticationMethod)
- {
- this.authenticationMethod = authenticationMethod;
- }
+ }
//--------Services for Policy
Generation----------------------------------------------------------------------------------------------------------------------------------------------------
/**
* Creates a Rule to Allow Access to this Identity
*
* @return rule that Allows Access to this Identity
*/
- public Rule getAllowIdentityRule()
+ public Rule allow()
{
if(this.name == null || this.name.trim().length() == 0)
{
@@ -94,14 +78,11 @@
}
Rule rule = new Rule();
- Target target = new Target();
rule.setRuleId(GeneralTool.generateUniqueId());
rule.setEffect(Effect.PERMIT);
- rule.setTarget(target);
+ rule.setTarget(this.getIdentityTarget());
-
target.addSubjectMatch(ExpressionBuilder.getInstance().createIdentityExpression(this.name));
-
return rule;
}
@@ -110,7 +91,7 @@
*
* @return rule that Denies Access to this Identity
*/
- public Rule getDenyIdentityRule()
+ public Rule deny()
{
if(this.name == null || this.name.trim().length() == 0)
{
@@ -118,93 +99,49 @@
}
Rule rule = new Rule();
- Target target = new Target();
rule.setRuleId(GeneralTool.generateUniqueId());
rule.setEffect(Effect.DENY);
- rule.setTarget(target);
+ rule.setTarget(this.getIdentityTarget());
-
target.addSubjectMatch(ExpressionBuilder.getInstance().createIdentityExpression(this.name));
-
return rule;
}
/**
- * Creates a Rule to Allow Access to this Identity if User is authenticated with the
Authentication Method
+ * Creates a Target that produces a Policy Match if the Input Subject has an Identity
by the same 'Name' as this Identity
*
- * @return rule that Allows Access if User of this Identity is authenticated by this
Authentication Method
+ * @return target
*/
- public Rule getAllowAuthMethodRule()
+ private Target getIdentityTarget()
{
- if(this.name == null || this.name.trim().length() == 0)
- {
- throw new IllegalStateException("Identity Name Is Missing!!");
- }
-
- if(this.authenticationMethod == null || this.authenticationMethod.trim().length() ==
0)
- {
- throw new IllegalStateException("Authentication Method Is Missing!!");
- }
-
- Rule rule = new Rule();
Target target = new Target();
-
- rule.setRuleId(GeneralTool.generateUniqueId());
- rule.setEffect(Effect.PERMIT);
- rule.setTarget(target);
-
-
target.addSubjectMatch(ExpressionBuilder.getInstance().createIdentityExpression(this.name));
AttributeExpression expression = new AttributeExpression();
expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_AUTHENTICATION_METHOD,
- XMLSchemaConstants.DATATYPE_STRING, this.authenticationMethod);
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_SUBJECT_ID,
+ XMLSchemaConstants.DATATYPE_STRING, this.name);
expression.setAttribute(attribute);
- rule.setExpression(expression);
-
- return rule;
+
+ target.addSubjectMatch(expression);
+ return target;
}
-
+ //------------Services for RequestContext
Generation--------------------------------------------------------------------------------------------------------------------
/**
- * Creates a Rule to Deny Access to this Identity if User is authenticated with the
Authentication Method
+ * Creates a Subject for the RequestContext with this Identity
*
- * @return rule that Allows Access if User of this Identity is authenticated by this
Authentication Method
+ * @return subject
*/
- public Rule getDenyAuthMethodRule()
+ public Subject getSubject()
{
- if(this.name == null || this.name.trim().length() == 0)
- {
- throw new IllegalStateException("Identity Name Is Missing!!");
- }
-
- if(this.authenticationMethod == null || this.authenticationMethod.trim().length() ==
0)
- {
- throw new IllegalStateException("Authentication Method Is Missing!!");
- }
-
- Rule rule = new Rule();
- Target target = new Target();
-
- rule.setRuleId(GeneralTool.generateUniqueId());
- rule.setEffect(Effect.DENY);
- rule.setTarget(target);
-
-
target.addSubjectMatch(ExpressionBuilder.getInstance().createIdentityExpression(this.name));
-
- AttributeExpression expression = new AttributeExpression();
- expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_AUTHENTICATION_METHOD,
- XMLSchemaConstants.DATATYPE_STRING, this.authenticationMethod);
- expression.setAttribute(attribute);
- rule.setExpression(expression);
-
- return rule;
- }
- //------------Services for RequestContext
Generation--------------------------------------------------------------------------------------------------------------------
- public Subject getIdentitySubject()
- {
Subject subject = new Subject();
+ subject.setCategory(XACMLConstants.ATTRIBUTEID_ACCESS_SUBJECT);
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_SUBJECT_ID,
+ XMLSchemaConstants.DATATYPE_STRING,
+ this.name
+ );
+ subject.addAttribute(attribute);
+
return subject;
}
}
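Review bot: `getSubject()` builds the subject-id attribute from `this.name` without the null/blank guard that `allow()` and `deny()` apply, so an Identity whose name was never set yields a request Subject carrying a null subject-id. Repeating the guard at the top of the method, `if(this.name == null || this.name.trim().length() == 0) throw new IllegalStateException("Identity Name Is Missing!!");`, keeps policy generation and request generation consistent. In `getIdentityTarget()` the value handed to the string-equal match is the untrimmed `this.name`, while the callers' guards test the trimmed form. A name with surrounding whitespace therefore passes the check but presumably will not match the same name without it, so trim once in `setName` or document the exact-match behaviour in the Javadoc.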
Deleted:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Role.java
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Role.java 2009-02-06
14:53:56 UTC (rev 12789)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Role.java 2009-02-06
21:51:50 UTC (rev 12790)
@@ -1,125 +0,0 @@
-/******************************************************************************
- * JBoss, a division of Red Hat *
- * Copyright 2006, Red Hat Middleware, LLC, and individual *
- * contributors as indicated by the @authors tag. See the *
- * copyright.txt in the distribution for a full listing of *
- * individual contributors. *
- * *
- * This is free software; you can redistribute it and/or modify it *
- * under the terms of the GNU Lesser General Public License as *
- * published by the Free Software Foundation; either version 2.1 of *
- * the License, or (at your option) any later version. *
- * *
- * This software is distributed in the hope that it will be useful, *
- * but WITHOUT ANY WARRANTY; without even the implied warranty of *
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
- * Lesser General Public License for more details. *
- * *
- * You should have received a copy of the GNU Lesser General Public *
- * License along with this software; if not, write to the Free *
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
- * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
- ******************************************************************************/
-package org.jboss.security.authz.components.subject;
-
-import org.jboss.security.authz.model.Attribute;
-import org.jboss.security.authz.model.AttributeExpression;
-import org.jboss.security.authz.model.Rule;
-import org.jboss.security.authz.model.Target;
-import org.jboss.security.authz.tools.GeneralTool;
-import org.jboss.security.authz.model.Effect;
-import org.jboss.security.xacml.interfaces.XACMLConstants;
-import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
-
-/**
- * The Role Policy Component represents the "Roles" that are assigned to users
of a System
- *
- * This Component provides an easy to use Developer API for generating commonly used
Expressions/Logic related to Role information that must be
- * represented within an Authorization Policy
- *
- *
- * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
- *
- */
-public class Role
-{
- /**
- * Role Name
- */
- private String name;
-
- public Role()
- {
-
- }
-
- public String getName()
- {
- return name;
- }
-
- public void setName(String name)
- {
- this.name = name;
- }
-
//------------------------------------------------------------------------------------------------------------------------------------------------------------
- /**
- * Creates a Rule that Allows Access if the Identity/User in question Belongs to the
specified Role
- *
- * @return the rule
- */
- public Rule getAllowUserInRole()
- {
- if(this.name == null || this.name.trim().length() == 0)
- {
- throw new IllegalStateException("Role is not specified!!");
- }
-
- Rule rule = new Rule();
- Target target = new Target();
-
- rule.setRuleId(GeneralTool.generateUniqueId());
- rule.setEffect(Effect.PERMIT);
- rule.setTarget(target);
-
-
- AttributeExpression expression = new AttributeExpression();
- expression.setFunctionId(XACMLConstants.FUNCTION_STRING_IS_IN);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ROLE,
- XMLSchemaConstants.DATATYPE_STRING, this.name);
- expression.setAttribute(attribute);
- rule.setExpression(expression);
-
- return rule;
- }
-
- /**
- * Creates a Rule that Denies Access if the Identity/User in question Belongs to the
specified Role
- *
- * @return the rule
- */
- public Rule getDenyUserInRole()
- {
- if(this.name == null || this.name.trim().length() == 0)
- {
- throw new IllegalStateException("Role is not specified!!");
- }
-
- Rule rule = new Rule();
- Target target = new Target();
-
- rule.setRuleId(GeneralTool.generateUniqueId());
- rule.setEffect(Effect.DENY);
- rule.setTarget(target);
-
-
- AttributeExpression expression = new AttributeExpression();
- expression.setFunctionId(XACMLConstants.FUNCTION_STRING_IS_IN);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ROLE,
- XMLSchemaConstants.DATATYPE_STRING, this.name);
- expression.setAttribute(attribute);
- rule.setExpression(expression);
-
- return rule;
- }
-}
Copied:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Roles.java
(from rev 12785,
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Role.java)
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Roles.java
(rev 0)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Roles.java 2009-02-06
21:51:50 UTC (rev 12790)
@@ -0,0 +1,204 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.components.subject;
+
+import java.text.MessageFormat;
+import java.util.Set;
+import java.util.HashSet;
+
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.model.DroolsRuleExpression;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.Subject;
+import org.jboss.security.authz.tools.GeneralTool;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
+/**
+ * The Role Policy Component represents the "Roles" that are assigned to users
of a System
+ *
+ * This Component provides an easy to use Developer API for generating commonly used
Expressions/Logic related to Role information that must be
+ * represented within an Authorization Policy
+ *
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class Roles
+{
+ //make it package-level access so that unit tests can test these rules
+ static final String allowRule =
+ "import java.util.HashSet\n"+
+ "rule \"allowRule\"\n"+
+ "when\n"+
+ "$ruleName: String()\n"+
+ "$roles: HashSet()\n"+
+ "eval($ruleName.contains(\"roles://allowRule\"))\n"+
+ "eval({0})\n"+
+ "then\n"+
+ "insert(Boolean.TRUE);\n"+
+ "end\n";
+
+ static final String denyRule =
+ "import java.util.HashSet\n"+
+ "rule \"denyRule\"\n"+
+ "when\n"+
+ "$ruleName: String()\n"+
+ "$roles: HashSet()\n"+
+ "eval($ruleName.contains(\"roles://denyRule\"))\n"+
+ "eval({0})\n"+
+ "then\n"+
+ "insert(Boolean.TRUE);\n"+
+ "end\n";
+
+ /**
+ * Role Names
+ */
+ private Set<String> names;
+
+ public Roles()
+ {
+
+ }
+
+ public Set<String> getNames()
+ {
+ if(this.names == null)
+ {
+ this.names = new HashSet<String>();
+ }
+ return this.names;
+ }
+
+ public void setNames(Set<String> names)
+ {
+ this.names = names;
+ }
+
+ public void addName(String name)
+ {
+ if(name == null || name.trim().length() == 0)
+ {
+ throw new IllegalArgumentException("Role Name should not be empty!!");
+ }
+ this.names.add(name);
+ }
+ //-------Services for Policy
Generation-----------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Creates a Policy Rule suggesting the roles indicated by this object are permitted
access to the 'Resource' designated in the Policy
+ * The User must belong to atleast one of the specified roles to gain access
+ *
+ * @return the rule
+ */
+ public Rule allow()
+ {
+ if(this.getNames().isEmpty())
+ {
+ throw new IllegalStateException("The List of Allowed Roles must not be
empty!!");
+ }
+
+ Rule rule = new Rule();
+
+ String ruleReference = "roles://allowRule/"+GeneralTool.generateUniqueId();
+ rule.setRuleId(ruleReference);
+ rule.setEffect(Effect.PERMIT);
+
+ //Generate a Drools Rule Expression
+ StringBuffer buffer = new StringBuffer();
+ for(String role: this.getNames())
+ {
+ buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+ }
+ String condition = buffer.toString().trim();
+ String ruleLogic = MessageFormat.format(Roles.allowRule,
+ new Object[]{condition.substring(0, condition.length()-2).trim()});
+
+ DroolsRuleExpression expression = new DroolsRuleExpression();
+ expression.setRuleReference(ruleReference);
+ expression.setRule(ruleLogic);
+ rule.setExpression(expression);
+
+ return rule;
+ }
+
+ /**
+ * Creates a Policy Rule suggesting the roles indicated by this object are denied
access to the 'Resource' designated in the Policy
+ * If the user belongs to atleast one of these roles, he will be denied access
+ *
+ * @return the rule
+ */
+ public Rule deny()
+ {
+ if(this.getNames().isEmpty())
+ {
+ throw new IllegalStateException("The List of Denied Roles must not be
empty!!");
+ }
+
+ Rule rule = new Rule();
+
+ String ruleReference = "roles://denyRule/"+GeneralTool.generateUniqueId();
+ rule.setRuleId(ruleReference);
+ rule.setEffect(Effect.DENY);
+
+ //Generate a Drools Rule Expression
+ StringBuffer buffer = new StringBuffer();
+ for(String role: this.getNames())
+ {
+ buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+ }
+ String condition = buffer.toString().trim();
+ String ruleLogic = MessageFormat.format(Roles.denyRule,
+ new Object[]{condition.substring(0, condition.length()-2).trim()});
+
+ DroolsRuleExpression expression = new DroolsRuleExpression();
+ expression.setRuleReference(ruleReference);
+ expression.setRule(ruleLogic);
+ rule.setExpression(expression);
+
+ return rule;
+ }
+ //--------Services for RequestContext
Generation-----------------------------------------------------------------------------------------------------------
+ /**
+ * Creates a Subject for the RequestContext with these Roles
+ *
+ * @return subject
+ */
+ public Subject getSubject()
+ {
+ Subject subject = new Subject();
+
+ subject.setCategory(XACMLConstants.ATTRIBUTEID_ACCESS_SUBJECT);
+
+ for(String name: this.getNames())
+ {
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ROLE,
+ XMLSchemaConstants.DATATYPE_STRING,
+ name
+ );
+ subject.addAttribute(attribute);
+ }
+
+ return subject;
+ }
+}
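Review bot: In `allow()` and `deny()` each role name is concatenated into the Drools `eval(...)` text as `"$roles.contains(\""+role.toLowerCase()+"\")"` with no escaping, and `addName` rejects only blank names while `setNames` checks nothing, so a name containing a double quote or parenthesis changes the generated rule logic instead of being compared as data. Role names should be validated against a restricted character set (or escaped) before they reach the rule text; the sketch below does that in one helper both methods can call, which also removes the duplicated loop and the `substring` trimming of the trailing `||`. The allowed character set shown is an example and has to match what role names look like in the deployment. Separately, `addName` calls `this.names.add(name)` while `names` is still null unless `setNames` or `getNames` ran first; `this.getNames().add(name)` avoids the NullPointerException.

```java
// ... unchanged: rule id and effect setup in allow() / deny() ...
String ruleLogic = MessageFormat.format(Roles.allowRule,
new Object[]{this.buildRoleCondition()});
// ... unchanged: DroolsRuleExpression wiring; deny() formats Roles.denyRule the same way ...

/**
 * Builds the "a || b || c" membership test placed inside eval(...).
 * Role names are checked first so they can only ever appear as string data in the rule text.
 */
private String buildRoleCondition()
{
   StringBuilder condition = new StringBuilder();
   for(String role: this.getNames())
   {
      // example allow-list; anything able to close the string literal is refused
      if(role == null || !role.matches("[A-Za-z0-9_.:-]+"))
      {
         throw new IllegalStateException("Role Name contains unsupported characters!!");
      }
      if(condition.length() > 0)
      {
         condition.append(" || ");
      }
      condition.append("$roles.contains(\"").append(role.toLowerCase()).append("\")");
   }
   return condition.toString();
}
```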
Property changes on:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/subject/Roles.java
___________________________________________________________________
Name: svn:mergeinfo
+
Modified:
modules/authorization/trunk/core-components/src/test/java/org/jboss/security/authz/components/subject/TestIdentity.java
===================================================================
---
modules/authorization/trunk/core-components/src/test/java/org/jboss/security/authz/components/subject/TestIdentity.java 2009-02-06
14:53:56 UTC (rev 12789)
+++
modules/authorization/trunk/core-components/src/test/java/org/jboss/security/authz/components/subject/TestIdentity.java 2009-02-06
21:51:50 UTC (rev 12790)
@@ -32,7 +32,7 @@
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.test.MockPolicy;
-import org.jboss.security.authz.xacml.ExpressionBuilder;
+import org.jboss.security.authz.xacml.*;
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
@@ -40,88 +40,53 @@
public class TestIdentity extends TestCase
{
private static Logger log = Logger.getLogger(TestIdentity.class);
-
- public void testGetAllowAuthMethodRule() throws Exception
- {
- Identity identity = new Identity();
- identity.setName("admin");
- identity.setAuthenticationMethod("CERT");
- Target target = new Target();
- target.addResourceMatch(ExpressionBuilder.getInstance().createResourceIdExpression("test://Resource"));
-
- Set<Rule> rules = new HashSet<Rule>();
- rules.add(identity.getAllowAuthMethodRule());
-
- PolicyMetaData metadata = new PolicyMetaData();
- metadata.setTarget(target);
- metadata.setRules(rules);
- Policy policy = new MockPolicy("testGetAllowAuthMethodRule", metadata);
-
- log.info("----------------------------------------------------------------");
- log.info(policy.generateXACMLPolicy());
- }
-
- public void testGetDenyAuthMethodRule() throws Exception
+ public void testAllow() throws Exception
{
Identity identity = new Identity();
identity.setName("admin");
- identity.setAuthenticationMethod("CERT");
Target target = new Target();
target.addResourceMatch(ExpressionBuilder.getInstance().createResourceIdExpression("test://Resource"));
-
+
Set<Rule> rules = new HashSet<Rule>();
- rules.add(identity.getDenyAuthMethodRule());
+ rules.add(identity.allow());
PolicyMetaData metadata = new PolicyMetaData();
metadata.setTarget(target);
metadata.setRules(rules);
- Policy policy = new MockPolicy("testGetDenyAuthMethodRule", metadata);
+ Policy policy = new MockPolicy("testGetAllowIdentityRule", metadata);
log.info("----------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
}
- public void testGetAllowIdentityRule() throws Exception
+ public void testDeny() throws Exception
{
Identity identity = new Identity();
identity.setName("admin");
- identity.setAuthenticationMethod("CERT");
Target target = new Target();
target.addResourceMatch(ExpressionBuilder.getInstance().createResourceIdExpression("test://Resource"));
Set<Rule> rules = new HashSet<Rule>();
- rules.add(identity.getAllowIdentityRule());
-
+ rules.add(identity.deny());
+
PolicyMetaData metadata = new PolicyMetaData();
metadata.setTarget(target);
metadata.setRules(rules);
- Policy policy = new MockPolicy("testGetAllowIdentityRule", metadata);
+ Policy policy = new MockPolicy("testGetDenyIdentityRule", metadata);
log.info("----------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
}
- public void testGetDenyIdentityRule() throws Exception
+ public void testGetSubject() throws Exception
{
Identity identity = new Identity();
- identity.setName("admin");
- identity.setAuthenticationMethod("CERT");
+ identity.setName("admin");
- Target target = new Target();
- target.addResourceMatch(ExpressionBuilder.getInstance().createResourceIdExpression("test://Resource"));
-
- Set<Rule> rules = new HashSet<Rule>();
- rules.add(identity.getDenyIdentityRule());
-
- PolicyMetaData metadata = new PolicyMetaData();
- metadata.setTarget(target);
- metadata.setRules(rules);
- Policy policy = new MockPolicy("testGetDenyIdentityRule", metadata);
-
log.info("----------------------------------------------------------------");
- log.info(policy.generateXACMLPolicy());
+ JAXBEncoder.marshall(System.out, identity.getSubject());
}
}
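Review bot: `testAllow`, `testDeny` and `testGetSubject` only log or print the generated XML and assert nothing, so a regression that flipped a rule's effect or dropped the subject-id match from the target would still pass. Each test should assert on what it built; for the subject case, marshalling into a buffer makes that possible: `ByteArrayOutputStream out = new ByteArrayOutputStream(); JAXBEncoder.marshall(out, identity.getSubject()); assertTrue(out.toString().contains("admin"));`. The rule tests could check the effect and target in the same way, assuming `Rule` exposes getters matching the setters used in `Identity`. The `MockPolicy` names `"testGetAllowIdentityRule"` and `"testGetDenyIdentityRule"` still carry the old method names, and the import hunk above replaces a single-class import with `org.jboss.security.authz.xacml.*`, where explicit imports of `ExpressionBuilder` and `JAXBEncoder` would be clearer.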