Author: sohil.shah(a)jboss.com
Date: 2009-02-04 18:12:55 -0500 (Wed, 04 Feb 2009)
New Revision: 12774
Removed:
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestDroolsFunction.java
Modified:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/http/HttpResource.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsRuleManager.java
modules/authorization/trunk/policy-server/src/main/resources/META-INF/jboss-beans.xml
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestEnterprisePolicyFinderModule.java
Log:
Integrating Drools based Expressions to specify Policy Rules for the HttpResource core
component
Modified:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/http/HttpResource.java
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/http/HttpResource.java 2009-02-04
18:24:18 UTC (rev 12773)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/http/HttpResource.java 2009-02-04
23:12:55 UTC (rev 12774)
@@ -246,7 +246,8 @@
Rule permitRule = new Rule();
-
permitRule.setRuleId("httpResource://permittedRoles/"+GeneralTool.generateUniqueId());
+ String ruleReference =
"httpResource://permittedRoles/"+GeneralTool.generateUniqueId();
+ permitRule.setRuleId(ruleReference);
permitRule.setEffect(Effect.PERMIT);
//Generate a Drools Rule
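Review bot: The permit, deny and allowed-IP rule builders now repeat the same steps — build `ruleReference` from a prefix plus `GeneralTool.generateUniqueId()`, set it as the rule id, set it again as the DroolsRuleExpression reference, then attach a static rule text — in this hunk and in the hunks ending at `return permitRule;`, `return denyRule;` and `return rule;`, so a private helper taking the id prefix, the `Effect` and the rule text would leave one copy to maintain. The allowed-IP builder also iterates `this.allowedIps` between those steps, so that loop would stay at its call site rather than move into the helper. Nothing in the diff says why the XACML rule id and the Drools rule reference must now be the same string; a comment on the `ruleReference` declaration such as `// same value is used as the XACML RuleId and as the DroolsRuleExpression reference, presumably so the rule text can be found by rule id — confirm against DroolsRuleManager` would record the intent. Each of these builder methods starts outside its hunk.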
@@ -255,7 +256,8 @@
}
DroolsRuleExpression expression = new DroolsRuleExpression();
- expression.setRuleReference(GeneralTool.generateUniqueId());
+ expression.setRuleReference(ruleReference);
+ expression.setRule(HttpResource.allowedRolesRule);
permitRule.setExpression(expression);
return permitRule;
@@ -274,8 +276,9 @@
}
Rule denyRule = new Rule();
-
-
denyRule.setRuleId("httpResource://deniedRoles/"+GeneralTool.generateUniqueId());
+
+ String ruleReference =
"httpResource://deniedRoles/"+GeneralTool.generateUniqueId();
+ denyRule.setRuleId(ruleReference);
denyRule.setEffect(Effect.DENY);
//Generate a Drools Rule
@@ -283,7 +286,8 @@
{
}
DroolsRuleExpression expression = new DroolsRuleExpression();
- expression.setRuleReference(GeneralTool.generateUniqueId());
+ expression.setRuleReference(ruleReference);
+ expression.setRule(HttpResource.deniedRolesRule);
denyRule.setExpression(expression);
return denyRule;
@@ -298,7 +302,8 @@
Rule rule = new Rule();
-
rule.setRuleId("httpResource://allowedIps/"+GeneralTool.generateUniqueId());
+ String ruleReference =
"httpResource://allowedIps/"+GeneralTool.generateUniqueId();
+ rule.setRuleId(ruleReference);
rule.setEffect(Effect.PERMIT);
for(String allowedIp: this.allowedIps)
@@ -312,7 +317,8 @@
rule.setExpression(expression);*/
}
DroolsRuleExpression expression = new DroolsRuleExpression();
- expression.setRuleReference(GeneralTool.generateUniqueId());
+ expression.setRuleReference(ruleReference);
+ expression.setRule(HttpResource.allowedIpsRule);
rule.setExpression(expression);
return rule;
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java 2009-02-04
18:24:18 UTC (rev 12773)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/PolicyServer.java 2009-02-04
23:12:55 UTC (rev 12774)
@@ -25,14 +25,17 @@
import org.apache.log4j.Logger;
+import org.jboss.security.authz.model.DroolsRuleExpression;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.PolicyMetaData;
import org.jboss.security.authz.model.PolicyException;
+import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.tools.GeneralTool;
import org.jboss.security.authz.policy.server.decision.PolicyDecisionPoint;
import org.jboss.security.authz.policy.server.spi.PolicyStore;
import org.jboss.security.authz.policy.server.plugin.HierarchialPolicy;
import org.jboss.security.authz.policy.server.plugin.EnterprisePolicyFinderModule;
+import org.jboss.security.authz.policy.server.plugin.DroolsRuleManager;
import org.jboss.security.authz.enforcement.Request;
import org.jboss.security.authz.enforcement.Response;
@@ -51,6 +54,7 @@
private PolicyDecisionPoint policyDecisionPoint;
private PolicyStore policyStore;
private EnterprisePolicyFinderModule policyFinderModule;
+ private DroolsRuleManager ruleManager;
public PolicyServer()
{
@@ -100,6 +104,16 @@
{
this.policyStore = policyStore;
}
+
+ public DroolsRuleManager getRuleManager()
+ {
+ return this.ruleManager;
+ }
+
+ public void setRuleManager(DroolsRuleManager ruleManager)
+ {
+ this.ruleManager = ruleManager;
+ }
//--------Decision making
services--------------------------------------------------------------------------------------------------------------------------
/**
* Makes an Authorization Decision
@@ -138,8 +152,23 @@
try
{
Policy policy = new HierarchialPolicy(GeneralTool.generateUniqueId(),
policyMetaData);
+
+ //Save the policy in the Policy Store
this.policyStore.savePolicy(policy);
+
+ //Update the PolicyFinder's runtime state with this new policy
this.policyFinderModule.addPolicy(policy);
+
+ //Update the DroolsRuleManager's runtime state with any Drools based expressions
if they are part of this new policy
+ Set<Rule> rules = policyMetaData.getRules();
+ for(Rule rule: rules)
+ {
+ Object expression = rule.getExpression();
+ if(expression instanceof DroolsRuleExpression)
+ {
+ this.ruleManager.addRule((DroolsRuleExpression)expression);
+ }
+ }
}
catch(PolicyException pe)
{
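Review bot: `this.ruleManager` and `policyMetaData.getRules()` are dereferenced without a null check, and only after `savePolicy` and `addPolicy` have already run, so a PolicyServer whose `setRuleManager` was never called (nothing in this class marks it mandatory) fails with a NullPointerException that the `catch(PolicyException pe)` below does not handle, leaving a stored and registered policy whose Drools expressions were never handed to the rule manager. Checking the collaborator before the save, `if(this.ruleManager == null) throw new IllegalStateException("ruleManager is not set");`, keeps the policy store and the rule base consistent, and a null rule set should simply skip the loop. Whether `addRule` reports failure by exception or only by logging is decided in DroolsRuleManager outside this hunk, so what happens to the already-saved policy when an add fails also needs a comment here. The `Set<Rule>` declaration needs `java.util.Set` in scope, which the visible import hunk does not show. newPolicy starts and ends outside the hunk.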
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java 2009-02-04
18:24:18 UTC (rev 12773)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java 2009-02-04
23:12:55 UTC (rev 12774)
@@ -25,14 +25,19 @@
import java.util.List;
import java.util.ArrayList;
+import org.apache.log4j.Logger;
+
import org.drools.RuleBase;
import org.drools.WorkingMemory;
+import org.jboss.security.authz.policy.server.Server;
+
import org.jboss.security.xacml.sunxacml.EvaluationCtx;
import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
import org.jboss.security.xacml.sunxacml.cond.FunctionBase;
import org.jboss.security.xacml.sunxacml.ctx.Status;
import org.jboss.security.xacml.sunxacml.attr.BooleanAttribute;
+import org.jboss.security.xacml.sunxacml.cond.VariableReference;
/**
* A custom XACML Function which is used to evaluate an XACML Condition based on the
Evaluation Results of a specified Business Rule based on the
@@ -43,6 +48,8 @@
*/
public class DroolsFunction extends FunctionBase
{
+ private static Logger log = Logger.getLogger(DroolsFunction.class);
+
public static final String NAME =
"urn:oasis:names:tc:xacml:2.0:function:jboss-drools:rule";
/**
@@ -62,7 +69,7 @@
0, //FunctionId
BooleanAttribute.identifier, //returnType
false //returns a Bag of values
- );
+ );
}
@@ -94,12 +101,27 @@
{
EvaluationResult result = null;
try
- {
-
- /**
- * TODO: start a Drools context and evaluate the specified Rule against the data
presented in the EvaluationContext
- */
- result = EvaluationResult.getTrueInstance();
+ {
+ if(inputs != null)
+ {
+ for(int i=0,size=inputs.size(); i<size; i++)
+ {
+ VariableReference reference = (VariableReference)inputs.get(i);
+
+ log.info("Firing Rule ="+reference.getVariableId());
+
+ DroolsRuleManager ruleManager =
(DroolsRuleManager)Server.lookup("/policy-server/DroolsRuleManager");
+ RuleBase ruleBase = ruleManager.getActiveRuleBase();
+ WorkingMemory workingMemory = ruleBase.newStatefulSession();
+ workingMemory.insert(reference.getVariableId());
+ workingMemory.fireAllRules();
+
+ /**
+ * TODO: start a Drools context and evaluate the specified Rule against the
data presented in the EvaluationContext
+ */
+ result = EvaluationResult.getTrueInstance();
+ }
+ }
}
catch(Exception e)
{
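Review bot: After `workingMemory.fireAllRules()` the result is still set unconditionally to `EvaluationResult.getTrueInstance()`, so the outcome of the fired Drools rules never reaches the XACML decision and every condition that uses this function evaluates to true; the TODO kept inside the loop acknowledges this, but until the rule outcome is wired into `result` the function is a fail-open placeholder and should not back real policies. When `inputs` is null or empty `result` stays null, and what the caller then receives depends on the code after the catch block, which is outside the hunk; defaulting to `EvaluationResult.getFalseInstance()` (or an Indeterminate status) is the safer shape. The `Server.lookup` and `getActiveRuleBase()` calls are loop-invariant and can move above the for loop, and each session from `newStatefulSession()` is never released — the StatefulSession it returns in Drools 4 has a `dispose()` that belongs in a finally, to be confirmed for the version in use. The fact inserted is the variable id string rather than anything from the EvaluationCtx, so the rules cannot currently see the request; the enclosing evaluate method continues outside the hunk.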
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsRuleManager.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsRuleManager.java 2009-02-04
18:24:18 UTC (rev 12773)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsRuleManager.java 2009-02-04
23:12:55 UTC (rev 12774)
@@ -80,7 +80,7 @@
return this.activeRuleBase;
}
- void addRule(DroolsRuleExpression rule)
+ public void addRule(DroolsRuleExpression rule)
{
try
{
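Review bot: addRule, readRule, updateRule and removeRule are widened to public here and in the three following hunks without any Javadoc, and each body opens with a try block whose handling lies outside the hunk, so a new external caller such as PolicyServer.newPolicy cannot tell whether a failed operation throws or is only logged. A short Javadoc per method stating the parameters, the return value for readRule when the reference is unknown, and what happens when the rule base cannot be updated (the exception type taken from the body, or "logged and ignored") would make the widened API usable. Each method body extends outside its hunk.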
@@ -103,7 +103,7 @@
}
}
- DroolsRuleExpression readRule(String ruleReference)
+ public DroolsRuleExpression readRule(String ruleReference)
{
try
{
@@ -128,7 +128,7 @@
}
}
- void updateRule(DroolsRuleExpression rule)
+ public void updateRule(DroolsRuleExpression rule)
{
try
{
@@ -150,7 +150,7 @@
}
}
- void removeRule(String ruleReference)
+ public void removeRule(String ruleReference)
{
try
{
Modified:
modules/authorization/trunk/policy-server/src/main/resources/META-INF/jboss-beans.xml
===================================================================
---
modules/authorization/trunk/policy-server/src/main/resources/META-INF/jboss-beans.xml 2009-02-04
18:24:18 UTC (rev 12773)
+++
modules/authorization/trunk/policy-server/src/main/resources/META-INF/jboss-beans.xml 2009-02-04
23:12:55 UTC (rev 12774)
@@ -10,14 +10,20 @@
<property name="policyStore">
<inject bean="/policy-server/PolicyStore"/>
</property>
+ <property name="ruleManager">
+ <inject bean="/policy-server/DroolsRuleManager"/>
+ </property>
</bean>
<bean name="/policy-server/PolicyDecisionPoint"
class="org.jboss.security.authz.policy.server.decision.PolicyDecisionPoint">
</bean>
+
+ <bean name="/policy-server/PolicyDeployer"
class="org.jboss.security.authz.policy.server.provisioning.PolicyDeployer">
+ </bean>
<bean name="/policy-server/PolicyStore"
class="org.jboss.security.authz.policy.server.provisioning.MemoryPolicyStore">
</bean>
- <bean name="/policy-server/PolicyDeployer"
class="org.jboss.security.authz.policy.server.provisioning.PolicyDeployer">
+ <bean name="/policy-server/DroolsRuleManager"
class="org.jboss.security.authz.policy.server.plugin.DroolsRuleManager">
</bean>
</deployment>
\ No newline at end of file
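Review bot: The new `/policy-server/DroolsRuleManager` bean is reached two ways — injected into PolicyServer's `ruleManager` property here, and looked up by the literal string `"/policy-server/DroolsRuleManager"` in DroolsFunction.evaluate in this same commit — so renaming the bean in this file would break the function at evaluation time rather than at deployment. An XML comment on the bean, `<!-- this name is also looked up by string from DroolsFunction; keep the two in sync -->`, records that coupling. The PolicyDeployer bean is only moved, not changed.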
Deleted:
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestDroolsFunction.java
===================================================================
---
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestDroolsFunction.java 2009-02-04
18:24:18 UTC (rev 12773)
+++
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestDroolsFunction.java 2009-02-04
23:12:55 UTC (rev 12774)
@@ -1,221 +0,0 @@
-/******************************************************************************
- * JBoss, a division of Red Hat *
- * Copyright 2006, Red Hat Middleware, LLC, and individual *
- * contributors as indicated by the @authors tag. See the *
- * copyright.txt in the distribution for a full listing of *
- * individual contributors. *
- * *
- * This is free software; you can redistribute it and/or modify it *
- * under the terms of the GNU Lesser General Public License as *
- * published by the Free Software Foundation; either version 2.1 of *
- * the License, or (at your option) any later version. *
- * *
- * This software is distributed in the hope that it will be useful, *
- * but WITHOUT ANY WARRANTY; without even the implied warranty of *
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
- * Lesser General Public License for more details. *
- * *
- * You should have received a copy of the GNU Lesser General Public *
- * License along with this software; if not, write to the Free *
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
- * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
- ******************************************************************************/
-package org.jboss.security.authz.policy.server.plugin;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.util.Set;
-import java.util.HashSet;
-
-import junit.framework.TestCase;
-
-import org.apache.log4j.Logger;
-
-import org.jboss.security.xacml.core.model.context.ActionType;
-import org.jboss.security.xacml.core.model.context.AttributeType;
-import org.jboss.security.xacml.core.model.context.AttributeValueType;
-import org.jboss.security.xacml.core.model.context.ObjectFactory;
-import org.jboss.security.xacml.core.model.context.RequestType;
-import org.jboss.security.xacml.core.model.context.ResourceType;
-import org.jboss.security.xacml.core.model.context.SubjectType;
-import org.jboss.security.xacml.factories.RequestResponseContextFactory;
-import org.jboss.security.xacml.interfaces.RequestContext;
-import org.jboss.security.xacml.interfaces.ResponseContext;
-import org.jboss.security.xacml.interfaces.XACMLConstants;
-import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
-import org.jboss.security.xacml.sunxacml.PDP;
-import org.jboss.security.xacml.sunxacml.ConfigurationStore;
-import org.jboss.security.xacml.sunxacml.ctx.RequestCtx;
-import org.jboss.security.xacml.sunxacml.ctx.ResponseCtx;
-
-import org.jboss.security.authz.model.*;
-import org.jboss.security.authz.policy.server.plugin.DroolsFunction;
-
-
-/**
- * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
- *
- */
-public class TestDroolsFunction extends TestCase
-{
- private static Logger log = Logger.getLogger(TestDroolsFunction.class);
-
- private ConfigurationStore store = null;
-
- protected void setUp() throws Exception
- {
- this.store = new ConfigurationStore(new
File("target/test-classes/pdp-config.xml"));
- this.store.useDefaultFactories();
-
- //Populate the HierarchialPolicy
- Policy policy = this.getSimplePolicy();
-
- String xacmlPolicy = policy.generateXACMLPolicy();
-
-
log.info("--------------------------------------------------------------------");
- log.info(xacmlPolicy);
-
log.info("--------------------------------------------------------------------");
-
- //Store this policy on the File System to use the File based Policy Module of the
PDP
- FileOutputStream fos = null;
- try
- {
- fos = new FileOutputStream(new File("simple-policy.xml"));
- fos.write(xacmlPolicy.getBytes());
- fos.flush();
- }
- finally
- {
- if(fos != null)
- {
- fos.close();
- }
- }
- }
-
- protected void tearDown() throws Exception
- {
- File file = new File("simple-policy.xml");
- file.delete();
- }
-
-
- public void testSimplePolicy() throws Exception
- {
- //SetUp the PDP
- PDP pdp = new PDP(this.store.getDefaultPDPConfig());
-
- //SetUp the Authorization Request
- RequestContext requestContext = this.createPermitRequestContext();
- log.info("-----------------------------------");
- requestContext.marshall(System.out);
-
- //Process the Authorization Request
- ResponseCtx response =
pdp.evaluate((RequestCtx)requestContext.get(XACMLConstants.REQUEST_CTX));
- assertNotNull(response);
- log.info("-----------------------------------");
- response.encode(System.out);
-
- //Process the Authorization Response
- ResponseContext responseContext =
RequestResponseContextFactory.createResponseContext();
- responseContext.set(XACMLConstants.RESPONSE_CTX, response);
- assertNotNull(responseContext);
- assertEquals(responseContext.getDecision(), XACMLConstants.DECISION_PERMIT);
- log.info("-----------------------------------");
- log.info("Decision="+responseContext.getDecision());
- }
-
//-------------------------------------------------------------------------------------------------------------------------------------------------------------
- private RequestContext createPermitRequestContext() throws Exception
- {
- //Create ObjectFactory
- ObjectFactory objectFactory = new ObjectFactory();
-
- //Create Subjects
- SubjectType subject = objectFactory.createSubjectType();
- AttributeType subjectAttribute = objectFactory.createAttributeType();
- subjectAttribute.setAttributeId(XACMLConstants.ATTRIBUTEID_ROLE);
- subjectAttribute.setDataType(XMLSchemaConstants.DATATYPE_STRING);
- AttributeValueType subjectId = objectFactory.createAttributeValueType();
- subjectId.getContent().add("developer");
- subjectAttribute.getAttributeValue().add(subjectId);
- subject.getAttribute().add(subjectAttribute);
-
- //Create Resource
- ResourceType resource = objectFactory.createResourceType();
- AttributeType resourceAttribute = objectFactory.createAttributeType();
- resourceAttribute.setAttributeId(XACMLConstants.ATTRIBUTEID_RESOURCE_ID);
- resourceAttribute.setDataType(XMLSchemaConstants.DATATYPE_STRING);
- AttributeValueType resourceId = objectFactory.createAttributeValueType();
-
resourceId.getContent().add("http://www.redhat.com/protected/index.h...;
- resourceAttribute.getAttributeValue().add(resourceId);
- resource.getAttribute().add(resourceAttribute);
-
- //Create Action
- ActionType action = objectFactory.createActionType();
- AttributeType actionAttribute = objectFactory.createAttributeType();
- actionAttribute.setAttributeId(XACMLConstants.ATTRIBUTEID_ACTION_ID);
- actionAttribute.setDataType(XMLSchemaConstants.DATATYPE_STRING);
- AttributeValueType actionId = objectFactory.createAttributeValueType();
- actionId.getContent().add("WRITE");
- actionAttribute.getAttributeValue().add(actionId);
- action.getAttribute().add(actionAttribute);
-
- //Create RequestContext
- RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();
-
- //Create a RequestType
- RequestType requestType = objectFactory.createRequestType();
- requestType.getSubject().add(subject);
- requestType.setAction(action);
- requestType.getResource().add(resource);
-
- //Spit out RequestContext
- requestContext.setRequest(requestType);
-
- return requestContext;
- }
-
- private Policy getSimplePolicy() throws Exception
- {
- //SetUp the Policy Target
- Target target = new Target();
- AttributeExpression resourceMatch = new AttributeExpression();
- resourceMatch.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_RESOURCE_ID,
- XMLSchemaConstants.DATATYPE_STRING,
"http://www.redhat.com/protected/index.html");
- resourceMatch.setAttribute(attribute);
- target.addResourceMatch(resourceMatch);
-
- //SetUp the Policy Rules
- Set<Rule> rules = new HashSet<Rule>();
- Rule writeRule = new Rule();
-
- writeRule.setRuleId("write");
- writeRule.setEffect(Effect.PERMIT);
-
- Target ruleTarget = new Target();
-
- AttributeExpression actionMatch = new AttributeExpression();
- actionMatch.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute actionAttribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
- XMLSchemaConstants.DATATYPE_STRING, "WRITE");
- actionMatch.setAttribute(actionAttribute);
- ruleTarget.addActionMatch(actionMatch);
-
- writeRule.setTarget(ruleTarget);
-
- DroolsRuleExpression ruleExpression = new DroolsRuleExpression();
- ruleExpression.setRuleReference("WriteRuleReference");
- writeRule.setExpression(ruleExpression);
-
- rules.add(writeRule);
-
- //Populate the HierarchialPolicy
- PolicyMetaData metadata = new PolicyMetaData();
- metadata.setTarget(target);
- metadata.setRules(rules);
- HierarchialPolicy policy = new
HierarchialPolicy("simpleHierarchialPolicy", metadata);
-
- return policy;
- }
-}
Modified:
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestEnterprisePolicyFinderModule.java
===================================================================
---
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestEnterprisePolicyFinderModule.java 2009-02-04
18:24:18 UTC (rev 12773)
+++
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestEnterprisePolicyFinderModule.java 2009-02-04
23:12:55 UTC (rev 12774)
@@ -26,8 +26,11 @@
import org.apache.log4j.Logger;
import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
import org.jboss.security.authz.model.Resource;
import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.DroolsRuleExpression;
import org.jboss.security.authz.components.http.HttpResource;
import org.jboss.security.authz.policy.server.PolicyServer;
import org.jboss.security.authz.policy.server.Server;
@@ -76,8 +79,10 @@
httpResource.addParameter("param2", "param2Value");
httpResource.addAllowedRole("Admin");
- policyServer.newPolicy(httpResource.getPolicyMetaData(true));
+ PolicyMetaData policyMetaData = httpResource.getPolicyMetaData(true);
+ policyServer.newPolicy(policyMetaData);
+
//Assert Policy State of the Server
Policy[] policies = policyServer.readAllPolicies();