Search in sources :

Example 1 with PolicyType

use of org.jboss.security.xacml.core.model.policy.PolicyType in project opencast by opencast.

the class XACMLUtils method getXacml.

/**
 * Builds an xml string containing the xacml for the mediapackage.
 *
 * @param mediapackage
 *          the mediapackage
 * @param accessControlList
 *          the tuples of roles to actions
 * @return
 * @throws JAXBException
 */
public static String getXacml(MediaPackage mediapackage, AccessControlList accessControlList) throws JAXBException {
    ObjectFactory jbossXacmlObjectFactory = new ObjectFactory();
    PolicyType policy = new PolicyType();
    policy.setPolicyId(mediapackage.getIdentifier().toString());
    policy.setVersion("2.0");
    policy.setRuleCombiningAlgId(XACMLUtils.RULE_COMBINING_ALG);
    // TODO: Add target/resources to rule
    TargetType policyTarget = new TargetType();
    ResourcesType resources = new ResourcesType();
    ResourceType resource = new ResourceType();
    ResourceMatchType resourceMatch = new ResourceMatchType();
    resourceMatch.setMatchId(XACMLUtils.XACML_STRING_EQUAL);
    AttributeValueType resourceAttributeValue = new AttributeValueType();
    resourceAttributeValue.setDataType(XACMLUtils.W3C_STRING);
    resourceAttributeValue.getContent().add(mediapackage.getIdentifier().toString());
    AttributeDesignatorType resourceDesignator = new AttributeDesignatorType();
    resourceDesignator.setAttributeId(XACMLUtils.RESOURCE_IDENTIFIER);
    resourceDesignator.setDataType(XACMLUtils.W3C_STRING);
    // now go back up the tree
    resourceMatch.setResourceAttributeDesignator(resourceDesignator);
    resourceMatch.setAttributeValue(resourceAttributeValue);
    resource.getResourceMatch().add(resourceMatch);
    resources.getResource().add(resource);
    policyTarget.setResources(resources);
    policy.setTarget(policyTarget);
    // Loop over roleActions and add a rule for each
    for (AccessControlEntry ace : accessControlList.getEntries()) {
        boolean allow = ace.isAllow();
        RuleType rule = new RuleType();
        rule.setRuleId(ace.getRole() + "_" + ace.getAction() + (allow ? "_Permit" : "_Deny"));
        if (allow) {
            rule.setEffect(EffectType.PERMIT);
        } else {
            rule.setEffect(EffectType.DENY);
        }
        TargetType target = new TargetType();
        ActionsType actions = new ActionsType();
        ActionType action = new ActionType();
        ActionMatchType actionMatch = new ActionMatchType();
        actionMatch.setMatchId(XACMLUtils.XACML_STRING_EQUAL);
        AttributeValueType attributeValue = new AttributeValueType();
        attributeValue.setDataType(XACMLUtils.W3C_STRING);
        attributeValue.getContent().add(ace.getAction());
        AttributeDesignatorType designator = new AttributeDesignatorType();
        designator.setAttributeId(XACMLUtils.ACTION_IDENTIFIER);
        designator.setDataType(XACMLUtils.W3C_STRING);
        // now go back up the tree
        actionMatch.setActionAttributeDesignator(designator);
        actionMatch.setAttributeValue(attributeValue);
        action.getActionMatch().add(actionMatch);
        actions.getAction().add(action);
        target.setActions(actions);
        rule.setTarget(target);
        ConditionType condition = new ConditionType();
        ApplyType apply = new ApplyType();
        apply.setFunctionId(XACMLUtils.XACML_STRING_IS_IN);
        AttributeValueType conditionAttributeValue = new AttributeValueType();
        conditionAttributeValue.setDataType(XACMLUtils.W3C_STRING);
        conditionAttributeValue.getContent().add(ace.getRole());
        SubjectAttributeDesignatorType subjectDesignator = new SubjectAttributeDesignatorType();
        subjectDesignator.setDataType(XACMLUtils.W3C_STRING);
        subjectDesignator.setAttributeId(XACMLUtils.SUBJECT_ROLE_IDENTIFIER);
        apply.getExpression().add(jbossXacmlObjectFactory.createAttributeValue(conditionAttributeValue));
        apply.getExpression().add(jbossXacmlObjectFactory.createSubjectAttributeDesignator(subjectDesignator));
        condition.setExpression(jbossXacmlObjectFactory.createApply(apply));
        rule.setCondition(condition);
        policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule);
    }
    // Add the global deny rule
    RuleType deny = new RuleType();
    deny.setEffect(EffectType.DENY);
    deny.setRuleId("DenyRule");
    policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(deny);
    // serialize to xml
    StringWriter writer = new StringWriter();
    XACMLUtils.jBossXacmlJaxbContext.createMarshaller().marshal(jbossXacmlObjectFactory.createPolicy(policy), writer);
    return writer.getBuffer().toString();
}
Also used : PolicyType(org.jboss.security.xacml.core.model.policy.PolicyType) ActionType(org.jboss.security.xacml.core.model.policy.ActionType) AttributeValueType(org.jboss.security.xacml.core.model.policy.AttributeValueType) AccessControlEntry(org.opencastproject.security.api.AccessControlEntry) ResourceType(org.jboss.security.xacml.core.model.policy.ResourceType) RuleType(org.jboss.security.xacml.core.model.policy.RuleType) SubjectAttributeDesignatorType(org.jboss.security.xacml.core.model.policy.SubjectAttributeDesignatorType) ActionsType(org.jboss.security.xacml.core.model.policy.ActionsType) ResourcesType(org.jboss.security.xacml.core.model.policy.ResourcesType) ApplyType(org.jboss.security.xacml.core.model.policy.ApplyType) ActionMatchType(org.jboss.security.xacml.core.model.policy.ActionMatchType) ObjectFactory(org.jboss.security.xacml.core.model.policy.ObjectFactory) AttributeDesignatorType(org.jboss.security.xacml.core.model.policy.AttributeDesignatorType) SubjectAttributeDesignatorType(org.jboss.security.xacml.core.model.policy.SubjectAttributeDesignatorType) StringWriter(java.io.StringWriter) ResourceMatchType(org.jboss.security.xacml.core.model.policy.ResourceMatchType) TargetType(org.jboss.security.xacml.core.model.policy.TargetType) ConditionType(org.jboss.security.xacml.core.model.policy.ConditionType)

Example 2 with PolicyType

use of org.jboss.security.xacml.core.model.policy.PolicyType in project opencast by opencast.

the class XACMLUtils method parseXacml.

/**
 * Parses a XACML into an {@link AccessControlList}.
 * <p>
 * Only rules which follow the structure of those created by {@link #getXacml(MediaPackage, AccessControlList)} may be
 * successfully parsed. All other rules are ignored.
 *
 * @param xacml
 *          the XACML to parse
 * @return the ACL, never {@code null}
 * @throws XACMLParsingException
 *           if parsing fails
 */
public static AccessControlList parseXacml(InputStream xacml) throws XACMLParsingException {
    try {
        @SuppressWarnings("unchecked") final AccessControlList acl = new AccessControlList();
        final List<AccessControlEntry> entries = acl.getEntries();
        final PolicyType policy = ((JAXBElement<PolicyType>) XACMLUtils.jBossXacmlJaxbContext.createUnmarshaller().unmarshal(xacml)).getValue();
        for (Object object : policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition()) {
            if (!(object instanceof RuleType)) {
                throw new XACMLParsingException("Object " + object + " of policy " + policy + " is not of type RuleType");
            }
            RuleType rule = (RuleType) object;
            if (rule.getTarget() == null) {
                if (rule.getRuleId().equals("DenyRule")) {
                    logger.trace("Skipping global deny rule");
                    continue;
                }
                throw new XACMLParsingException("Empty rule " + rule + " in policy " + policy);
            }
            String role = null;
            String actionForAce = null;
            try {
                ActionType action = rule.getTarget().getActions().getAction().get(0);
                actionForAce = (String) action.getActionMatch().get(0).getAttributeValue().getContent().get(0);
                @SuppressWarnings("unchecked") JAXBElement<ApplyType> apply = (JAXBElement<ApplyType>) rule.getCondition().getExpression();
                for (JAXBElement<?> element : apply.getValue().getExpression()) {
                    if (element.getValue() instanceof AttributeValueType) {
                        role = (String) ((AttributeValueType) element.getValue()).getContent().get(0);
                        break;
                    }
                }
            } catch (Exception e) {
                throw new XACMLParsingException("Rule " + rule + " of policy " + policy + " could not be parsed", e);
            }
            if (role == null) {
                throw new XACMLParsingException("Unable to find role in rule " + rule + " of policy " + policy);
            }
            AccessControlEntry ace = new AccessControlEntry(role, actionForAce, rule.getEffect().equals(EffectType.PERMIT));
            entries.add(ace);
        }
        return acl;
    } catch (Exception e) {
        if (e instanceof XACMLParsingException) {
            throw (XACMLParsingException) e;
        }
        throw new XACMLParsingException("XACML could not be parsed", e);
    }
}
Also used : AccessControlList(org.opencastproject.security.api.AccessControlList) PolicyType(org.jboss.security.xacml.core.model.policy.PolicyType) ActionType(org.jboss.security.xacml.core.model.policy.ActionType) AttributeValueType(org.jboss.security.xacml.core.model.policy.AttributeValueType) AccessControlEntry(org.opencastproject.security.api.AccessControlEntry) RuleType(org.jboss.security.xacml.core.model.policy.RuleType) JAXBElement(javax.xml.bind.JAXBElement) JAXBException(javax.xml.bind.JAXBException) ApplyType(org.jboss.security.xacml.core.model.policy.ApplyType)

Aggregations

ActionType (org.jboss.security.xacml.core.model.policy.ActionType)2 ApplyType (org.jboss.security.xacml.core.model.policy.ApplyType)2 AttributeValueType (org.jboss.security.xacml.core.model.policy.AttributeValueType)2 PolicyType (org.jboss.security.xacml.core.model.policy.PolicyType)2 RuleType (org.jboss.security.xacml.core.model.policy.RuleType)2 AccessControlEntry (org.opencastproject.security.api.AccessControlEntry)2 StringWriter (java.io.StringWriter)1 JAXBElement (javax.xml.bind.JAXBElement)1 JAXBException (javax.xml.bind.JAXBException)1 ActionMatchType (org.jboss.security.xacml.core.model.policy.ActionMatchType)1 ActionsType (org.jboss.security.xacml.core.model.policy.ActionsType)1 AttributeDesignatorType (org.jboss.security.xacml.core.model.policy.AttributeDesignatorType)1 ConditionType (org.jboss.security.xacml.core.model.policy.ConditionType)1 ObjectFactory (org.jboss.security.xacml.core.model.policy.ObjectFactory)1 ResourceMatchType (org.jboss.security.xacml.core.model.policy.ResourceMatchType)1 ResourceType (org.jboss.security.xacml.core.model.policy.ResourceType)1 ResourcesType (org.jboss.security.xacml.core.model.policy.ResourcesType)1 SubjectAttributeDesignatorType (org.jboss.security.xacml.core.model.policy.SubjectAttributeDesignatorType)1 TargetType (org.jboss.security.xacml.core.model.policy.TargetType)1 AccessControlList (org.opencastproject.security.api.AccessControlList)1