Author: sohil.shah(a)jboss.com
Date: 2009-07-08 23:49:09 -0400 (Wed, 08 Jul 2009)
New Revision: 13500
Added:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/MockPolicy.java
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/NoPermitMeansDeniedAlg.java
Modified:
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/AnnotationProcessor.java
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/RuleComposition.java
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/TargetComposition.java
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/component/resource/HttpResource.java
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestHttpResource.java
Log:
Integrating HttpResource component
Modified:
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/AnnotationProcessor.java
===================================================================
---
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/AnnotationProcessor.java 2009-07-05
11:12:20 UTC (rev 13499)
+++
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/AnnotationProcessor.java 2009-07-09
03:49:09 UTC (rev 13500)
@@ -23,12 +23,14 @@
import java.lang.annotation.Annotation;
import java.lang.reflect.Field;
+import java.lang.reflect.Method;
import java.util.List;
import java.util.ArrayList;
import org.jboss.security.authz.component.Component;
import org.jboss.security.authz.component.ComponentCategory;
import org.jboss.security.authz.component.SecurityContextData;
+import org.jboss.security.authz.component.LogicExpression;
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
@@ -72,6 +74,32 @@
return null;
}
+
+ static Method findExpression(Class targetClass, String expressionName)
+ {
+ Method[] declaredMethods = targetClass.getDeclaredMethods();
+ if(declaredMethods != null)
+ {
+ for(Method declaredMethod: declaredMethods)
+ {
+ Annotation logicExpression = declaredMethod.getAnnotation(LogicExpression.class);
+ if(logicExpression != null)
+ {
+ if(declaredMethod.getName().equals(expressionName))
+ {
+ return declaredMethod;
+ }
+ }
+ }
+ }
+
+ if(targetClass.getSuperclass() != null)
+ {
+ return findExpression(targetClass.getSuperclass(), expressionName);
+ }
+
+ return null;
+ }
//---------------------------------------------------------------------------------------------------------------------------------------------------------------------
private static Object[] extractSecurityContextData(Object component, Class targetClass)
throws Exception
{
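Review bot: findExpression returns null when no @LogicExpression-annotated method named expressionName exists on targetClass or any of its superclasses, but the method carries no Javadoc and nothing states that null contract to callers. A doc comment should say that declared methods of targetClass are searched first, then each superclass in turn, that only methods annotated with LogicExpression are considered, and that a null return means no match. The parameter could be typed `Class<?> targetClass` instead of the raw `Class`, and the `declaredMethods != null` guard is unnecessary because Class.getDeclaredMethods() never returns null, so the filter can be written as `if (declaredMethod.isAnnotationPresent(LogicExpression.class) && declaredMethod.getName().equals(expressionName))`. extractSecurityContextData at the end of the hunk continues outside it.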
Modified:
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/RuleComposition.java
===================================================================
---
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/RuleComposition.java 2009-07-05
11:12:20 UTC (rev 13499)
+++
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/RuleComposition.java 2009-07-09
03:49:09 UTC (rev 13500)
@@ -22,13 +22,11 @@
package org.jboss.security.authz.agent.services;
import java.lang.reflect.Method;
-import java.lang.annotation.Annotation;
import java.util.Set;
import java.util.HashSet;
import org.apache.log4j.Logger;
-import org.jboss.security.authz.component.LogicExpression;
import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.model.Expression;
import org.jboss.security.authz.model.Effect;
@@ -182,7 +180,7 @@
DroolsRuleExpression expression = new DroolsRuleExpression();
//Read the LogicExpression of the Logic Component
- Method expressionMethod = this.findExpression(this.logicComponent.getClass(),
this.expressionName);
+ Method expressionMethod =
AnnotationProcessor.findExpression(this.logicComponent.getClass(), this.expressionName);
expressionMethod.setAccessible(true);
String[] expressionMetaData = (String[])expressionMethod.invoke(this.logicComponent,
null);
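Review bot: The result of AnnotationProcessor.findExpression is dereferenced on the very next line (`expressionMethod.setAccessible(true)`) without a null check, so a misspelled or missing expression name fails with a NullPointerException that names neither the component nor the expression. Since expressionName selects which method is invoked reflectively on the logic component, a miss should fail with context, e.g. `if (expressionMethod == null) { throw new IllegalStateException("No @LogicExpression method '" + this.expressionName + "' found on " + this.logicComponent.getClass().getName()); }`. The enclosing method begins before this hunk and continues past it.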
@@ -191,31 +189,5 @@
expression.setRule(expressionMetaData[1]);
return expression;
- }
-
- private Method findExpression(Class targetClass, String expressionName)
- {
- Method[] declaredMethods = targetClass.getDeclaredMethods();
- if(declaredMethods != null)
- {
- for(Method declaredMethod: declaredMethods)
- {
- Annotation logicExpression = declaredMethod.getAnnotation(LogicExpression.class);
- if(logicExpression != null)
- {
- if(declaredMethod.getName().equals(expressionName))
- {
- return declaredMethod;
- }
- }
- }
- }
-
- if(targetClass.getSuperclass() != null)
- {
- return this.findExpression(targetClass.getSuperclass(), expressionName);
- }
-
- return null;
- }
+ }
}
Modified:
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/TargetComposition.java
===================================================================
---
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/TargetComposition.java 2009-07-05
11:12:20 UTC (rev 13499)
+++
modules/authorization/trunk/agent/src/main/java/org/jboss/security/authz/agent/services/TargetComposition.java 2009-07-09
03:49:09 UTC (rev 13500)
@@ -22,7 +22,11 @@
package org.jboss.security.authz.agent.services;
import java.lang.annotation.Annotation;
-import java.lang.reflect.Field;
+import java.lang.reflect.Array;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
import java.util.Set;
import java.util.HashSet;
@@ -31,7 +35,6 @@
import org.jboss.security.authz.component.Component;
import org.jboss.security.authz.component.ComponentCategory;
import org.jboss.security.authz.component.ImpliedActions;
-import org.jboss.security.authz.component.SecurityContextData;
import org.jboss.security.authz.model.Target;
import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.model.AttributeExpression;
@@ -124,52 +127,22 @@
private Target generateTarget() throws Exception
{
Target target = new Target();
+
+ //use the proper category for the data
+ ComponentCategory category =
this.findComponentCategory(this.targetComponent.getClass());
+ String attributeCategory = category.getAttributeCategory();
- //Read the TargetUri
- Field targetField =
this.findSecurityContextDataField(this.targetComponent.getClass());
- targetField.setAccessible(true);
- Object targetUriObj = targetField.get(this.targetComponent);
+ //Read the SecurityContext State of the Component being provisioned
+ Object[] securityContextData =
AnnotationProcessor.extractSecurityContextData(this.targetComponent);
- //Get a String representation of this URI
- String uriStr = targetUriObj.toString();
+ //Get the Attribute expression based on the Security Context State
+ List<AttributeExpression> urlExpressions =
this.generateAttributeExpression(securityContextData, attributeCategory);
- //use the proper category for the data
- ComponentCategory category =
this.findComponentCategory(this.targetComponent.getClass());
- String attributeCategory = category.getAttributeCategory();
-
- AttributeExpression urlExpression = new AttributeExpression();
- if (uriStr.charAt(0) == '/' && uriStr.endsWith("/*"))
+ //Depending up the data category add the appropriate match expression
+ for(AttributeExpression urlExpression: urlExpressions)
{
- // If URL starts with '/' and ends with "/*", use a regular
- // expression to match it (In consistency with the servlet spec)
- urlExpression
- .setFunctionId(XACMLConstants.FUNCTION_REGEXP_STRING_MATCH);
-
- String uriexp = uriStr.substring(1, uriStr.length() - 2);
- StringBuilder buffer = new StringBuilder();
- buffer.append("^/" + uriexp + "$|");
- buffer.append("^" + uriexp + "$|");
- buffer.append("^/" + uriexp + "/.*|");
- buffer.append("^" + uriexp + "/.*");
-
- Attribute attribute = new Attribute(
- attributeCategory,
- XMLSchemaConstants.DATATYPE_STRING, buffer.toString());
- urlExpression.setAttribute(attribute);
- }
- else
- {
- // use an exact match
- urlExpression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
-
- Attribute attribute = new Attribute(
- attributeCategory,
- XMLSchemaConstants.DATATYPE_STRING, uriStr);
- urlExpression.setAttribute(attribute);
+ category.setExpression(target, urlExpression);
}
-
- //Depending up the data category add the appropriate match expression
- category.setExpression(target, urlExpression);
return target;
}
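Review bot: generateTarget now calls `AnnotationProcessor.extractSecurityContextData(this.targetComponent)` with a single argument, while the only declaration visible in this commit's AnnotationProcessor hunk is `private static Object[] extractSecurityContextData(Object component, Class targetClass)`; unless a non-private one-argument overload exists outside the shown hunks, this call will not compile. The value returned by findComponentCategory is also used immediately (`category.getAttributeCategory()`) with no null check; if that lookup can return null (the `return null;` at the top of the next hunk looks like its fall-through), a component class without a category fails with a bare NullPointerException rather than a message naming the class. Either a guard such as `if (category == null) { throw new IllegalStateException("No ComponentCategory on " + this.targetComponent.getClass().getName()); }` or a doc comment stating that the target component must carry a category would make the requirement explicit.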
@@ -195,28 +168,91 @@
return null;
}
-
- private Field findSecurityContextDataField(Class targetClass)
- {
- Field[] declaredFields = targetClass.getDeclaredFields();
- if(declaredFields != null)
- {
- for(Field declaredField: declaredFields)
+
+ private List<AttributeExpression> generateAttributeExpression(Object[]
securityContextState, String attributeCategory)
+ {
+ List<AttributeExpression> expressions = new
ArrayList<AttributeExpression>();
+
+ for(Object input: securityContextState)
+ {
+ if(Collection.class.isAssignableFrom(input.getClass()) || input.getClass().isArray())
{
- Annotation targetUri = declaredField.getAnnotation(SecurityContextData.class);
- if(targetUri != null)
+ Set<String> uris = null;
+ if(input.getClass().isArray())
{
- return declaredField;
+ List<Object> local = new ArrayList<Object>();
+ int arrayLength = Array.getLength(input);
+ for(int i=0; i<arrayLength; i++)
+ {
+ local.add(Array.get(input, i));
+ }
+ uris = SecurityContextDataProcessor.processEnforcementState(local);
}
+ else
+ {
+ uris = SecurityContextDataProcessor.processEnforcementState((Collection)input);
+ }
+
+ for(String uri: uris)
+ {
+ AttributeExpression expression = new AttributeExpression();
+ this.setAttribute(expression, attributeCategory, uri);
+ expressions.add(expression);
+ }
}
+ else if(Map.class.isAssignableFrom(input.getClass()))
+ {
+ Map<String, String> mappedUris =
SecurityContextDataProcessor.processEnforcementState((Map)input);
+ Set<String> customCategories = mappedUris.keySet();
+ for(String customCategory: customCategories)
+ {
+ AttributeExpression expression = new AttributeExpression();
+ this.setAttribute(expression, customCategory, mappedUris.get(customCategory));
+ expressions.add(expression);
+ }
+ }
+ else
+ {
+ AttributeExpression expression = new AttributeExpression();
+ this.setAttribute(expression, attributeCategory, input.toString());
+ expressions.add(expression);
+ }
}
- //If I get here, query the super class
- if(targetClass.getSuperclass() != null)
+ return expressions;
+ }
+
+ private void setAttribute(AttributeExpression urlExpression, String attributeCategory,
String uriStr)
+ {
+ Attribute attribute = null;
+
+ if (uriStr.charAt(0) == '/' && uriStr.endsWith("/*"))
{
- return this.findSecurityContextDataField(targetClass.getSuperclass());
+ // If URL starts with '/' and ends with "/*", use a regular
+ // expression to match it (In consistency with the servlet spec)
+ urlExpression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_STRING_MATCH);
+
+ String uriexp = uriStr.substring(1, uriStr.length() - 2);
+ StringBuilder buffer = new StringBuilder();
+ buffer.append("^/" + uriexp + "$|");
+ buffer.append("^" + uriexp + "$|");
+ buffer.append("^/" + uriexp + "/.*|");
+ buffer.append("^" + uriexp + "/.*");
+
+ attribute = new Attribute(
+ attributeCategory,
+ XMLSchemaConstants.DATATYPE_STRING, buffer.toString());
+ }
+ else
+ {
+ // use an exact match
+ urlExpression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+
+ attribute = new Attribute(
+ attributeCategory,
+ XMLSchemaConstants.DATATYPE_STRING, uriStr);
}
- return null;
+ urlExpression.setAttribute(attribute);
}
}
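Review bot: setAttribute embeds the raw path text into the regular expression it builds (`buffer.append("^/" + uriexp + "$|");` and the three appends that follow) without escaping, so any regex metacharacter in a configured path such as `.`, `+` or `(` changes what the XACML regexp-string-match function matches — a target written as `/a.b/*` also matches `/axb`, widening the set of resources the policy applies to. Quoting the literal part before concatenation keeps the match tied to the configured path: `String uriexp = Pattern.quote(uriStr.substring(1, uriStr.length() - 2));` (java.util.regex.Pattern, assuming the PDP evaluates the match with java.util.regex as the prefix/suffix syntax here already presumes). `uriStr.charAt(0)` also throws StringIndexOutOfBoundsException on an empty string; `if (uriStr.length() > 0 && uriStr.charAt(0) == '/' && uriStr.endsWith("/*"))` avoids that. In generateAttributeExpression, `input.getClass()` will throw if the extracted security context data contains a null element; whether that can happen is not visible here, so either a guard or a comment stating the non-null assumption would help.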
Modified:
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/component/resource/HttpResource.java
===================================================================
---
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/component/resource/HttpResource.java 2009-07-05
11:12:20 UTC (rev 13499)
+++
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/component/resource/HttpResource.java 2009-07-09
03:49:09 UTC (rev 13500)
@@ -79,47 +79,5 @@
public void addParameter(String name, String value)
{
this.getParameters().put(name, value);
- }
-
- /*public PolicyMetaData getPolicyMetaData()
- {
- PolicyMetaData metadata = super.getPolicyMetaData();
-
- if(!this.getParameters().isEmpty())
- {
- Set<String> names = this.parameters.keySet();
- for(String name: names)
- {
- String value = this.parameters.get(name);
-
- AttributeExpression paramExpression =
ExpressionBuilder.getInstance().createCustomResourceExpression(name, value);
- paramExpression.setDesignatorMustBePresent(false);
- metadata.getTarget().addResourceMatch(paramExpression);
- }
- }
-
- return metadata;
- }*/
-
- /*public Resource getResource()
- {
- Resource urlResource = super.getResource();
-
- if(!this.getParameters().isEmpty())
- {
- Set<String> names = this.parameters.keySet();
- for(String name: names)
- {
- String value = this.parameters.get(name);
-
- Attribute customAttribute = new Attribute();
- customAttribute.setUri(name);
- customAttribute.setDatatType(XMLSchemaConstants.DATATYPE_STRING);
- customAttribute.setValue(value);
- urlResource.addAttribute(customAttribute);
- }
- }
-
- return urlResource;
- }*/
+ }
}
Added:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/MockPolicy.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/MockPolicy.java
(rev 0)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/MockPolicy.java 2009-07-09
03:49:09 UTC (rev 13500)
@@ -0,0 +1,276 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.http.components;
+
+import java.util.List;
+import java.util.Set;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.UUID;
+
+import javax.xml.bind.JAXBElement;
+
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.PolicyException;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.DroolsRuleExpression;
+import org.jboss.security.authz.model.Expression;
+import org.jboss.security.authz.xacml.AttributeDesignatorUtil;
+import org.jboss.security.authz.xacml.PolicyUtil;
+
+import org.jboss.security.xacml.core.model.policy.ActionMatchType;
+import org.jboss.security.xacml.core.model.policy.SubjectMatchType;
+import org.jboss.security.xacml.core.model.policy.ApplyType;
+import org.jboss.security.xacml.core.model.policy.VariableReferenceType;
+import org.jboss.security.xacml.core.model.policy.EffectType;
+import org.jboss.security.xacml.core.model.policy.PolicyType;
+import org.jboss.security.xacml.core.model.policy.ResourceMatchType;
+import org.jboss.security.xacml.core.model.policy.ResourcesType;
+import org.jboss.security.xacml.core.model.policy.ResourceType;
+import org.jboss.security.xacml.core.model.policy.ActionsType;
+import org.jboss.security.xacml.core.model.policy.ActionType;
+import org.jboss.security.xacml.core.model.policy.SubjectsType;
+import org.jboss.security.xacml.core.model.policy.SubjectType;
+import org.jboss.security.xacml.core.model.policy.RuleType;
+import org.jboss.security.xacml.core.model.policy.TargetType;
+import org.jboss.security.xacml.core.model.policy.ConditionType;
+import org.jboss.security.xacml.core.model.policy.ObjectFactory;
+import org.jboss.security.xacml.core.model.policy.AttributeValueType;
+import org.jboss.security.xacml.core.model.policy.SubjectAttributeDesignatorType;
+import org.jboss.security.xacml.factories.PolicyAttributeFactory;
+
+/**
+ * Used for specifying policies for Resources represented by unique URIs, sometimes
forming a tree like relationship with other Resources in the system
+ *
+ * An example of such resources would be tree of resources/nodes in a Content Management
System
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class MockPolicy extends Policy
+{
+
+ public MockPolicy(String policyUri, PolicyMetaData metaData) throws PolicyException
+ {
+ super(policyUri, metaData);
+ }
+
+
+ @Override
+ public String generateSystemPolicy() throws PolicyException
+ {
+ ByteArrayOutputStream bos = null;
+ try
+ {
+ String xacmlXml = null;
+
+ //SetUp the Policy Header
+ ObjectFactory objectFactory = new ObjectFactory();
+ PolicyType policyType = new PolicyType();
+ policyType.setPolicyId(this.policyUri);
+ policyType.setVersion("2.0");
+ policyType.setRuleCombiningAlgId(new
NoPermitMeansDeniedAlg().getIdentifier().toString());
+
+ TargetType targetType = new TargetType();
+ policyType.setTarget(targetType);
+
+ //Process Resource Matches as Targets for the Policy
+ List<AttributeExpression> resourceMatches =
this.metaData.getTarget().getResourceMatches();
+ if(resourceMatches != null && !resourceMatches.isEmpty())
+ {
+ ResourcesType resourcesType = new ResourcesType();
+ targetType.setResources(resourcesType);
+ ResourceType resourceType = new ResourceType();
+
+ for(AttributeExpression resourceMatch: resourceMatches)
+ {
+ ResourceMatchType rmt = new ResourceMatchType();
+
+ rmt.setMatchId(resourceMatch.getFunctionId());
+
rmt.setResourceAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(resourceMatch.getAttribute(),
true));
+ rmt.setAttributeValue(PolicyAttributeFactory
+ .createStringAttributeType(resourceMatch.getAttribute().getValue()));
+
+ resourceType.getResourceMatch().add(rmt);
+ }
+
+ resourcesType.getResource().add(resourceType);
+ }
+
+ //Process the Policy Rules
+ Set<Rule> rules = this.metaData.getRules();
+ if(rules != null && !rules.isEmpty())
+ {
+ for(Rule rule: rules)
+ {
+ RuleType ruleType = new RuleType();
+ ruleType.setRuleId(rule.getRuleId());
+ if(rule.getEffect() == Effect.PERMIT)
+ {
+ ruleType.setEffect(EffectType.PERMIT);
+ }
+ else
+ {
+ ruleType.setEffect(EffectType.DENY);
+ }
+
+ //Process the Rule Target
+ if(rule.getTarget() != null)
+ {
+ List<AttributeExpression> actionMatches =
rule.getTarget().getActionMatches();
+ List<AttributeExpression> subjectMatches =
rule.getTarget().getSubjectMatches();
+ TargetType ruleTarget = new TargetType();
+
+ if(actionMatches != null && !actionMatches.isEmpty())
+ {
+ ruleTarget.setActions(this.generateRuleActions(actionMatches));
+ }
+
+ if(subjectMatches != null && !subjectMatches.isEmpty())
+ {
+ ruleTarget.setSubjects(this.generateRuleSubjects(subjectMatches));
+ }
+
+ ruleType.setTarget(ruleTarget);
+ }
+
+ //Process the Rule Expression/Condition
+ ConditionType condition = this.generateCondition(objectFactory,
rule.getExpression());
+ ruleType.setCondition(condition);
+
+
policyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(ruleType);
+ }
+ }
+
+ bos = new ByteArrayOutputStream();
+ PolicyUtil.marshall(bos, policyType);
+ xacmlXml = new String(bos.toByteArray());
+
+ return xacmlXml;
+ }
+ catch(Exception e)
+ {
+ throw new PolicyException(e);
+ }
+ finally
+ {
+ if(bos != null)
+ {
+ try{bos.close();}catch(IOException ioe){}
+ }
+ }
+ }
+
+ private ActionsType generateRuleActions(List<AttributeExpression>
actionMatches)
+ {
+ ActionsType actions = new ActionsType();
+
+ for(AttributeExpression action: actionMatches)
+ {
+ ActionType actionType = new ActionType();
+ ActionMatchType amct = new ActionMatchType();
+ amct.setMatchId(action.getFunctionId());
+
amct.setAttributeValue(PolicyAttributeFactory.createStringAttributeType(action.getAttribute().getValue()));
+
amct.setActionAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(action.getAttribute(),
true));
+ actionType.getActionMatch().add(amct);
+ actions.getAction().add(actionType);
+ }
+
+ return actions;
+ }
+
+ private SubjectsType generateRuleSubjects(List<AttributeExpression>
subjectMatches)
+ {
+ SubjectsType subjects = new SubjectsType();
+
+ for(AttributeExpression subject: subjectMatches)
+ {
+ SubjectType subjectType = new SubjectType();
+ SubjectMatchType match = new SubjectMatchType();
+ match.setMatchId(subject.getFunctionId());
+
match.setAttributeValue(PolicyAttributeFactory.createStringAttributeType(subject.getAttribute().getValue()));
+
match.setSubjectAttributeDesignator((SubjectAttributeDesignatorType)AttributeDesignatorUtil.getAttributeDesignator(subject.getAttribute(),
true));
+ subjectType.getSubjectMatch().add(match);
+ subjects.getSubject().add(subjectType);
+ }
+
+ return subjects;
+ }
+
+ /**
+ *
+ * @param expression
+ * @return
+ */
+ private ConditionType generateCondition(ObjectFactory objectFactory, Expression
expression)
+ {
+ ConditionType condition = new ConditionType();
+
+ if(expression instanceof AttributeExpression)
+ {
+ AttributeExpression attributeExpression = (AttributeExpression)expression;
+
+ //Function to be applied
+ ApplyType apply = new ApplyType();
+ apply.setFunctionId(attributeExpression.getFunctionId());
+
+ //Value to check against
+ AttributeValueType attrValue =
PolicyAttributeFactory.createStringAttributeType(attributeExpression.getAttribute().getValue());
+ JAXBElement<AttributeValueType> jaxbAttrValue =
objectFactory.createAttributeValue(attrValue);
+ apply.getExpression().add(jaxbAttrValue);
+
+ //Place within the Context where this Value should exist during an Authorization
Request
+
apply.getExpression().add(AttributeDesignatorUtil.getAttributeDesignatorXml(attributeExpression.getAttribute(),
true));
+
+
+ condition.setExpression(objectFactory.createApply(apply));
+ }
+ else if(expression instanceof DroolsRuleExpression)
+ {
+ DroolsRuleExpression ruleExpression = (DroolsRuleExpression)expression;
+
+ //Function to be applied
+ ApplyType apply = new ApplyType();
+ apply.setFunctionId(ruleExpression.getFunctionId());
+
+
+ VariableReferenceType ruleReference = new VariableReferenceType();
+ ruleReference.setVariableId(ruleExpression.getRuleReference());
+ JAXBElement<VariableReferenceType> jaxbRuleReference =
objectFactory.createVariableReference(ruleReference);
+ apply.getExpression().add(jaxbRuleReference);
+
+
+ condition.setExpression(objectFactory.createApply(apply));
+ }
+
+ return condition;
+ }
+
+ private String generateUniqueId()
+ {
+ return UUID.randomUUID().toString();
+ }
+}
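Review bot: `xacmlXml = new String(bos.toByteArray());` decodes the marshalled policy with the platform default charset, while the encoding actually written is chosen by PolicyUtil.marshall (not shown), so any non-ASCII character in an attribute value can come out garbled on a platform whose default is not UTF-8; decoding with the encoding the marshaller uses, e.g. `xacmlXml = bos.toString("UTF-8");`, removes that dependency. The finally block can be dropped entirely because ByteArrayOutputStream.close() has no effect, which also removes the empty `catch(IOException ioe){}`. The Javadoc on generateCondition is an empty template (`@param expression` and `@return` with no text, no entry for objectFactory) and the class comment describes URI-tree resources rather than this mock; both should describe what the code here does — generateCondition builds an Apply for AttributeExpression and DroolsRuleExpression inputs and returns a ConditionType with no expression set for anything else, including a null expression. generateUniqueId appears to be unused within this file.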
Added:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/NoPermitMeansDeniedAlg.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/NoPermitMeansDeniedAlg.java
(rev 0)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/NoPermitMeansDeniedAlg.java 2009-07-09
03:49:09 UTC (rev 13500)
@@ -0,0 +1,83 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.http.components;
+
+import java.util.List;
+import java.util.Iterator;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.sunxacml.combine.RuleCombiningAlgorithm;
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.ctx.Result;
+import org.jboss.security.xacml.sunxacml.Rule;
+import org.jboss.security.xacml.sunxacml.combine.RuleCombinerElement;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class NoPermitMeansDeniedAlg extends RuleCombiningAlgorithm
+{
+ /**
+ *
+ * @throws URISyntaxException
+ */
+ public NoPermitMeansDeniedAlg() throws URISyntaxException
+ {
+ super(new URI("rule-combining-alg:nopermit-means-denied"));
+ }
+
+ /**
+ *
+ * @param context
+ * @param rules
+ * @return
+ */
+ public Result combine(EvaluationCtx context, List parameters, List ruleElements)
+ {
+ Result result = new Result(Result.DECISION_PERMIT);
+
+ Iterator rules = ruleElements.iterator();
+ boolean permitFound = false;
+ while(rules.hasNext())
+ {
+ RuleCombinerElement ruleCombinerElement = (RuleCombinerElement)rules.next();
+ Rule rule = ruleCombinerElement.getRule();
+ Result currentResult = rule.evaluate(context);
+
+ if(currentResult.getDecision() == Result.DECISION_PERMIT)
+ {
+ permitFound = true;
+ break;
+ }
+ }
+
+ if(!permitFound)
+ {
+ result = new Result(Result.DECISION_DENY);
+ }
+
+ return result;
+ }
+}
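Review bot: combine stops at the first rule whose result is DECISION_PERMIT and returns a fresh `new Result(Result.DECISION_PERMIT)`, so a DENY rule later in ruleElements can never override an earlier PERMIT, and anything carried on the permitting rule's own Result (obligations, if the engine attaches them) is discarded; returning `currentResult` instead of a new Result would keep it. Every other outcome — an empty rule list, all rules NOT_APPLICABLE, or an INDETERMINATE evaluation — collapses to DECISION_DENY, which fails closed but also hides evaluation errors from the caller. Whether permit-wins ordering is the intended semantics is not visible here, so the class Javadoc (currently only an author tag) should spell out the combining rule, and the Javadoc on combine should name its actual parameters (`parameters`, `ruleElements`) instead of `rules` and state what is returned. Note that TestHttpResource in this commit composes both PERMIT and DENY rules under this algorithm, so the DENY rule there only takes effect when no PERMIT rule matches.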
Modified:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestHttpResource.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestHttpResource.java 2009-07-05
11:12:20 UTC (rev 13499)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestHttpResource.java 2009-07-09
03:49:09 UTC (rev 13500)
@@ -27,9 +27,17 @@
import org.apache.log4j.Logger;
-import org.jboss.security.authz.http.component.resource.HttpResource;
+import org.jboss.security.authz.agent.Agent;
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.agent.services.PolicyComposer;
+
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.http.component.resource.HttpResource;
+import org.jboss.security.authz.http.component.action.Get;
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
@@ -38,13 +46,29 @@
{
private static Logger log = Logger.getLogger(TestHttpResource.class);
+ private PolicyComposer policyComposer;
+
+ protected void setUp() throws Exception
+ {
+ Agent.bootstrap();
+ this.policyComposer = (PolicyComposer)Agent.lookup("/agent/PolicyComposer");
+ }
+ //------------------------------------------------------------------------------------------------------------------------------------------------------------------
//TODO: migrate to the new developer framework
- /*public void testGetURLTargetNoParameters() throws Exception
+ public void testGetURLTargetNoParameters() throws Exception
{
HttpResource httpResource = new HttpResource();
httpResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
+
+ Identity identity = new Identity();
+ identity.setName("blahUser");
+
+ //Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(httpResource);
+ context.addPolicyRule(Effect.PERMIT, identity, null);
- Policy policy = new MockPolicy("testGetURLTargetNoParameters",
httpResource.getPolicyMetaData());
+ Policy policy = new MockPolicy("testGetURLTargetNoParameters",
this.policyComposer.compose(context));
log.info("------------------------------------------------------------------");
log.info(policy.generateSystemPolicy());
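Review bot: testGetURLTargetNoParameters only logs `policy.generateSystemPolicy()` and asserts nothing about the composed policy, so it passes as long as composition does not throw; the same applies to the following hunks for testGetURLTargetWithParameters, testRoleRules and testURLPattern. Capturing the output and asserting on it, e.g. `String xacml = policy.generateSystemPolicy(); assertNotNull(xacml); assertTrue(xacml.contains("/portal/admin-tool/modifyLayout"));`, would let a regression in target generation fail the test rather than merely appear in the log. `context.addPolicyRule(Effect.PERMIT, identity, null)` passes a null third argument whose meaning is not visible here, so a short comment on what null selects would help the next reader. setUp calls Agent.bootstrap() before every test; whether bootstrap is idempotent across tests is not visible from this hunk and is worth confirming.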
@@ -56,10 +80,17 @@
httpResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
httpResource.addParameter("test1", "test1://value");
httpResource.addParameter("test2", "test2://value");
+
+ Identity identity = new Identity();
+ identity.setName("blahUser");
+
+ //Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(httpResource);
+ context.addPolicyRule(Effect.PERMIT, identity, null);
+ Policy policy = new MockPolicy("testGetURLTargetWithParameters",
this.policyComposer.compose(context));
- Policy policy = new MockPolicy("testGetURLTargetWithParameters",
httpResource.getPolicyMetaData());
-
log.info("------------------------------------------------------------------");
log.info(policy.generateSystemPolicy());
}
@@ -70,42 +101,49 @@
httpResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
httpResource.addParameter("test1", "test1://value");
httpResource.addParameter("test2", "test2://value");
- httpResource.addAllowed("admin");
- httpResource.addDenied("anonymous");
+
+ Roles allowedRoles = new Roles();
+ allowedRoles.addName("admin");
+ allowedRoles.addName("user");
+
+ Roles deniedRoles = new Roles();
+ deniedRoles.addName("anonymous");
+
+ //Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(httpResource);
+ context.addPolicyRule(Effect.PERMIT, new Get(), allowedRoles,
"allowExpression");
+ context.addPolicyRule(Effect.DENY, new Get(), deniedRoles,
"denyExpression");
- Policy policy = new MockPolicy("testRoleRules",
httpResource.getPolicyMetaData());
+ Policy policy = new MockPolicy("testRoleRules",
this.policyComposer.compose(context));
log.info("------------------------------------------------------------------");
log.info(policy.generateSystemPolicy());
}
-
- public void testIPRules() throws Exception
- {
- HttpResource httpResource = new HttpResource();
- httpResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
- httpResource.addParameter("test1", "test1://value");
- httpResource.addParameter("test2", "test2://value");
- httpResource.addAllowed("admin");
- httpResource.addDenied("anonymous");
-
- Policy policy = new MockPolicy("testIPRules",
httpResource.getPolicyMetaData());
- log.info("------------------------------------------------------------------");
- log.info(policy.generateSystemPolicy());
- }
-
public void testURLPattern() throws Exception
{
HttpResource httpResource = new HttpResource();
httpResource.setUri(new URI("/portal/*"));
httpResource.addParameter("test1", "test1://value");
httpResource.addParameter("test2", "test2://value");
- httpResource.addAllowed("admin");
- httpResource.addDenied("anonymous");
+
+ Roles allowedRoles = new Roles();
+ allowedRoles.addName("admin");
+ allowedRoles.addName("user");
+
+ Roles deniedRoles = new Roles();
+ deniedRoles.addName("anonymous");
+
+ //Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(httpResource);
+ context.addPolicyRule(Effect.PERMIT, new Get(), allowedRoles,
"allowExpression");
+ context.addPolicyRule(Effect.DENY, new Get(), deniedRoles,
"denyExpression");
- Policy policy = new MockPolicy("testURLPattern",
httpResource.getPolicyMetaData());
+ Policy policy = new MockPolicy("testURLPattern",
this.policyComposer.compose(context));
log.info("------------------------------------------------------------------");
log.info(policy.generateSystemPolicy());
- }*/
+ }
}