Use of org.jboss.security.xacml.core.model.policy.ApplyType in project opencast by opencast: the class XACMLUtils, method getXacml.
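/**
 * Builds an XML string containing the XACML policy for the media package.
 * <p>
 * The policy is targeted at the media package identifier (resource-id) and contains one rule per
 * {@link AccessControlEntry}: the rule's target matches the entry's action, its condition applies
 * {@code XACMLUtils.XACML_STRING_IS_IN} to the entry's role and the subject's role attribute, and its effect is
 * {@code Permit} or {@code Deny} according to {@link AccessControlEntry#isAllow()}. A final {@code DenyRule} with
 * neither target nor condition is appended; per XACML it inherits the policy target, so it applies to every request
 * for this media package. Whether it yields to an earlier {@code Permit} is decided by
 * {@code XACMLUtils.RULE_COMBINING_ALG}.
 * <p>
 * Rule ids are derived solely from role, action and effect, so duplicate ACL entries produce duplicate rule ids.
 *
 * @param mediapackage
 *          the media package whose identifier becomes the policy id and the resource-id target
 * @param accessControlList
 *          the tuples of roles to actions; one rule is generated per entry, in iteration order
 * @return the marshalled XACML policy document, never {@code null}
 * @throws JAXBException
 *           if the policy cannot be marshalled
 */
public static String getXacml(MediaPackage mediapackage, AccessControlList accessControlList) throws JAXBException {
  final ObjectFactory jbossXacmlObjectFactory = new ObjectFactory();
  final String mediapackageId = mediapackage.getIdentifier().toString();

  final PolicyType policy = new PolicyType();
  policy.setPolicyId(mediapackageId);
  policy.setVersion("2.0");
  policy.setRuleCombiningAlgId(XACMLUtils.RULE_COMBINING_ALG);
  policy.setTarget(createPolicyTarget(mediapackageId));

  // One rule per ACL entry, in ACL order; order-sensitive combining algorithms see the rules in this sequence.
  for (AccessControlEntry ace : accessControlList.getEntries()) {
    policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition()
        .add(createRule(ace, jbossXacmlObjectFactory));
  }

  // Global deny rule: no target and no condition, so it matches every request that reaches this policy.
  final RuleType deny = new RuleType();
  deny.setEffect(EffectType.DENY);
  deny.setRuleId("DenyRule");
  policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(deny);

  // serialize to xml
  final StringWriter writer = new StringWriter();
  XACMLUtils.jBossXacmlJaxbContext.createMarshaller().marshal(jbossXacmlObjectFactory.createPolicy(policy), writer);
  return writer.toString();
}

/**
 * Creates the policy target restricting the policy to one media package: a single resource match comparing the
 * resource-id attribute ({@code XACMLUtils.RESOURCE_IDENTIFIER}) for string equality with {@code mediapackageId}.
 *
 * @param mediapackageId
 *          the media package identifier to match
 * @return the target, never {@code null}
 */
private static TargetType createPolicyTarget(String mediapackageId) {
  // TODO: Add target/resources to rule
  final AttributeValueType resourceAttributeValue = new AttributeValueType();
  resourceAttributeValue.setDataType(XACMLUtils.W3C_STRING);
  resourceAttributeValue.getContent().add(mediapackageId);

  final AttributeDesignatorType resourceDesignator = new AttributeDesignatorType();
  resourceDesignator.setAttributeId(XACMLUtils.RESOURCE_IDENTIFIER);
  resourceDesignator.setDataType(XACMLUtils.W3C_STRING);

  final ResourceMatchType resourceMatch = new ResourceMatchType();
  resourceMatch.setMatchId(XACMLUtils.XACML_STRING_EQUAL);
  resourceMatch.setResourceAttributeDesignator(resourceDesignator);
  resourceMatch.setAttributeValue(resourceAttributeValue);

  // now go back up the tree
  final ResourceType resource = new ResourceType();
  resource.getResourceMatch().add(resourceMatch);
  final ResourcesType resources = new ResourcesType();
  resources.getResource().add(resource);
  final TargetType policyTarget = new TargetType();
  policyTarget.setResources(resources);
  return policyTarget;
}

/**
 * Creates the XACML rule for one ACL entry.
 * <p>
 * The rule's target matches the entry's action against {@code XACMLUtils.ACTION_IDENTIFIER} (string-equal). Its
 * condition applies {@code XACMLUtils.XACML_STRING_IS_IN} to, in this argument order, the entry's role and the
 * subject attribute {@code XACMLUtils.SUBJECT_ROLE_IDENTIFIER}. The rule id is
 * {@code <role>_<action>_Permit} or {@code <role>_<action>_Deny}, matching the effect.
 *
 * @param ace
 *          the ACL entry
 * @param factory
 *          the JAXB object factory used to wrap the condition expressions
 * @return the rule, never {@code null}
 */
private static RuleType createRule(AccessControlEntry ace, ObjectFactory factory) {
  final boolean allow = ace.isAllow();
  final RuleType rule = new RuleType();
  rule.setRuleId(ace.getRole() + "_" + ace.getAction() + (allow ? "_Permit" : "_Deny"));
  rule.setEffect(allow ? EffectType.PERMIT : EffectType.DENY);

  // Target: the action of this entry.
  final AttributeValueType attributeValue = new AttributeValueType();
  attributeValue.setDataType(XACMLUtils.W3C_STRING);
  attributeValue.getContent().add(ace.getAction());

  final AttributeDesignatorType designator = new AttributeDesignatorType();
  designator.setAttributeId(XACMLUtils.ACTION_IDENTIFIER);
  designator.setDataType(XACMLUtils.W3C_STRING);

  final ActionMatchType actionMatch = new ActionMatchType();
  actionMatch.setMatchId(XACMLUtils.XACML_STRING_EQUAL);
  actionMatch.setActionAttributeDesignator(designator);
  actionMatch.setAttributeValue(attributeValue);

  // now go back up the tree
  final ActionType action = new ActionType();
  action.getActionMatch().add(actionMatch);
  final ActionsType actions = new ActionsType();
  actions.getAction().add(action);
  final TargetType target = new TargetType();
  target.setActions(actions);
  rule.setTarget(target);

  // Condition: the entry's role must be in the subject's role attribute bag. Argument order (value first, then
  // designator) is what parseXacml relies on when it recovers the role.
  final AttributeValueType conditionAttributeValue = new AttributeValueType();
  conditionAttributeValue.setDataType(XACMLUtils.W3C_STRING);
  conditionAttributeValue.getContent().add(ace.getRole());

  final SubjectAttributeDesignatorType subjectDesignator = new SubjectAttributeDesignatorType();
  subjectDesignator.setDataType(XACMLUtils.W3C_STRING);
  subjectDesignator.setAttributeId(XACMLUtils.SUBJECT_ROLE_IDENTIFIER);

  final ApplyType apply = new ApplyType();
  apply.setFunctionId(XACMLUtils.XACML_STRING_IS_IN);
  apply.getExpression().add(factory.createAttributeValue(conditionAttributeValue));
  apply.getExpression().add(factory.createSubjectAttributeDesignator(subjectDesignator));

  final ConditionType condition = new ConditionType();
  condition.setExpression(factory.createApply(apply));
  rule.setCondition(condition);
  return rule;
}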
Use of org.jboss.security.xacml.core.model.policy.ApplyType in project opencast by opencast: the class XACMLUtils, method parseXacml.
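/**
 * Parses a XACML into an {@link AccessControlList}.
 * <p>
 * Only rules which follow the structure of those created by {@link #getXacml(MediaPackage, AccessControlList)} can
 * be parsed. Parsing fails closed rather than returning a partial ACL: any policy element that is not a rule, any
 * target-less rule other than the global {@code DenyRule}, a rule without an effect, and any rule whose action or
 * role cannot be extracted results in a {@link XACMLParsingException}. The global {@code DenyRule} is skipped.
 * <p>
 * For each remaining rule the action is read from the first action match of the rule target and the role from the
 * first {@code AttributeValueType} argument of the condition's apply expression.
 *
 * @param xacml
 *          the XACML to parse
 * @return the ACL, never {@code null}
 * @throws XACMLParsingException
 *           if parsing fails
 */
public static AccessControlList parseXacml(InputStream xacml) throws XACMLParsingException {
  try {
    final AccessControlList acl = new AccessControlList();
    final List<AccessControlEntry> entries = acl.getEntries();
    // NOTE(review): JAXB's Unmarshaller parses the stream with its default XML reader and exposes no switch for
    // DTD/external-entity handling. This assumes the XACML comes from the application's own storage; should it ever
    // be accepted from an external caller, parse it through a hardened SAX parser first and unmarshal that source.
    @SuppressWarnings("unchecked")
    final PolicyType policy = ((JAXBElement<PolicyType>) XACMLUtils.jBossXacmlJaxbContext.createUnmarshaller()
        .unmarshal(xacml)).getValue();
    for (Object object : policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition()) {
      if (!(object instanceof RuleType)) {
        throw new XACMLParsingException("Object " + object + " of policy " + policy + " is not of type RuleType");
      }
      final RuleType rule = (RuleType) object;
      if (rule.getTarget() == null) {
        // Constant-first comparison: a target-less rule without an id is reported below instead of raising an NPE.
        if ("DenyRule".equals(rule.getRuleId())) {
          logger.trace("Skipping global deny rule");
          continue;
        }
        throw new XACMLParsingException("Empty rule " + rule + " in policy " + policy);
      }
      if (rule.getEffect() == null) {
        throw new XACMLParsingException("Rule " + rule + " of policy " + policy + " has no effect");
      }
      String role = null;
      String actionForAce = null;
      try {
        final ActionType action = rule.getTarget().getActions().getAction().get(0);
        actionForAce = (String) action.getActionMatch().get(0).getAttributeValue().getContent().get(0);
        @SuppressWarnings("unchecked")
        final JAXBElement<ApplyType> apply = (JAXBElement<ApplyType>) rule.getCondition().getExpression();
        for (JAXBElement<?> element : apply.getValue().getExpression()) {
          if (element.getValue() instanceof AttributeValueType) {
            role = (String) ((AttributeValueType) element.getValue()).getContent().get(0);
            break;
          }
        }
      } catch (Exception e) {
        // Missing lists, casts to String or a non-apply condition all surface here; the structure is not ours.
        throw new XACMLParsingException("Rule " + rule + " of policy " + policy + " could not be parsed", e);
      }
      if (role == null) {
        throw new XACMLParsingException("Unable to find role in rule " + rule + " of policy " + policy);
      }
      entries.add(new AccessControlEntry(role, actionForAce, EffectType.PERMIT.equals(rule.getEffect())));
    }
    return acl;
  } catch (XACMLParsingException e) {
    throw e;
  } catch (Exception e) {
    throw new XACMLParsingException("XACML could not be parsed", e);
  }
}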