1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101 package org.opensciencegrid.authz.saml;
102
103
104
105 import java.io.InputStream;
106
107 import java.util.ArrayList;
108
109 import java.util.Collection;
110
111 import java.util.Iterator;
112
113
114
115 import org.apache.log4j.Category;
116
117
118
119 import org.w3c.dom.*;
120
121
122
123 import org.opensaml.v1_0_1.*;
124
125
126
127 /***
128
129 * Represents a SAML authorization decision statement.
130
131 *
132
133 * @author Markus Lorch - based on work from Helen Rehn, Scott Cantor
134
135 * @created October 28, 2004
136
137 * revised January 6, 2005 - moved to OpenSAML 1.0.1
138
139 *
140
141 * Project: FNAL privilege project
142
143 *
144
145 */
146
147
148
149
150
151 public class ObligatedAuthorizationDecisionStatement extends SAMLAuthorizationDecisionStatement {
152
153
154
155 /*** this is the only member variable we add, holds obligations (at least one is mandatory) */
156
157 private ArrayList xacmlObligations = null;
158
159
160
161 static Category log = Category.getInstance(ObligatedAuthorizationDecisionStatement.class.getName());
162
163
164
165
166
167 /***
168
169 * Builds an ObligatedAuthorizationDecisionStatement out of its component parts
170
171 *
172
173 * @param subject subject of the statement
174
175 * @param resource URI of the resource being accessed at the time of
176
177 * the statement
178
179 * @param actions specific actions the decision applies to
180
181 * @param evidence evidence which may be considered
182
183 * @param xacmlObligations XACML style obligations (obligated attribute assignments),
184
185 * at a minimum one obligation is required
186
187 * @exception SAMLException Raised if an AuthorizationDecisionStatement
188
189 * cannot be constructed from the supplied information
190
191 */
192
193 public ObligatedAuthorizationDecisionStatement(SAMLSubject subject,
194
195 String resource, String decision,
196
197 Collection actions,
198
199 Collection evidence,
200
201 Collection xacmlObligations)
202
203 throws SAMLException {
204
205
206
207
208
209 super(subject, resource, decision, actions, evidence);
210
211
212
213
214
215 if (xacmlObligations == null) {
216
217 throw new SAMLException(SAMLException.RESPONDER, "ObligatedAuthorizationDecisionStatement() requires at least one obligation");
218
219 }
220
221 this.xacmlObligations = new ArrayList(1);
222
223 this.xacmlObligations.addAll(xacmlObligations);
224
225 log.debug("instantiated ObligatedAuthorizationDecisionStatement through default constructor");
226
227 }
228
229
230
231 /***
232
233 * Reconstructs a statement from a DOM tree
234
235 *
236
237 * @param e The root of a DOM tree
238
239 * @exception SAMLException Thrown if the object cannot be constructed
240
241 */
242
243 public ObligatedAuthorizationDecisionStatement(Element e)
244
245 throws SAMLException
246
247 {
248
249 super(e);
250
251 log.debug("Constructing ObligatedAuthorizationDecisionStatement from DOM tree");
252
253 this.fromDOM(e);
254
255 }
256
257
258
259
260
261 /***
262
263 * Reconstructs a statement from a stream
264
265 *
266
267 * @param in A stream containing XML
268
269 * @exception SAMLException Raised if an exception occurs while constructing
270
271 * the object.
272
273 */
274
275 public ObligatedAuthorizationDecisionStatement(InputStream in)
276
277 throws SAMLException
278
279 {
280
281 super(fromStream(in));
282
283 log.debug("Constructing ObligatedAuthorizationDecisionStatement from a stream");
284
285 this.fromDOM(fromStream(in));
286
287 }
288
289
290
291
292
293 /***
294
295 * Initialization of statement from a DOM element.<P>
296
297 *
298
299 * Checks the statement's syntactic validity. An exception
300
301 * is thrown if any problems are detected. The exception will contain a
302
303 * message describing the problem, and may wrap another exception.<P>
304
305 *
306
307 * @param e Root element of a DOM tree
308
309 * @exception SAMLException Raised if an exception occurs while constructing
310
311 * the object.
312
313 */
314
315 public void fromDOM(Element e)
316
317 throws SAMLException
318
319 {
320
321 super.fromDOM(e);
322
323
324
325
326
327 if (config.getBooleanProperty("org.opensaml.strict-dom-checking") &&
328
329 !XML.isElementNamed(e,OSGXML.SAML_EXT_NS,"ObligatedAuthorizationDecisionStatement"))
330
331 {
332
333 QName q = QName.getQNameAttribute(e, XML.XSI_NS, "type");
334
335 if (!XML.isElementNamed(e,XML.SAMLP_NS,"Statement") || !XML.isElementNamed(e,XML.SAMLP_NS,"SubjectStatement") ||
336
337 q == null || !OSGXML.SAML_EXT_NS.equals(q.getNamespaceURI()) || !"ObligatedAuthorizationDecisionStatementType".equals(q.getLocalName()))
338
339 throw new MalformedException(SAMLException.REQUESTER, "ObligatedAuthorizationDecisionStatement.fromDOM() requires "+OSGXML.SAML_EXT_NS+":ObligatedAuthorizationDecisionStatement at root");
340
341 }
342
343
344
345
346
347
348
349 Node n = e.getFirstChild();
350
351 while (n != null)
352
353 {
354
355 if (n.getNodeType() == Node.ELEMENT_NODE && XML.isElementNamed((Element)n, OSGXML.SAML_EXT_NS, "XACMLObligation")) {
356
357
358
359 if(xacmlObligations == null) {
360
361 xacmlObligations = new ArrayList(1);
362
363 }
364
365 xacmlObligations.add( new XACMLObligation((Element)n));
366
367 }
368
369
370
371 n = n.getNextSibling();
372
373 }
374
375 }
376
377
378
379 /***
380
381 * Gets the xacml obligations
382
383 *
384
385 * @return string with the xacml obligations
386
387 */
388
389 public Iterator getXACMLObligations() {
390
391
392
393 if(xacmlObligations==null)
394
395 return new ArrayList(0).iterator();
396
397 else
398
399 return xacmlObligations.iterator();
400
401 }
402
403
404
405
406
407 /***
408
409 * Overridden method to return a DOM tree representing the
410
411 * ObligatedAuthorizationDecisionStatement
412
413 *
414
415 * This class embeds an ObligatedAuthorizationDecisionStatement directly
416
417 * in a SAML assertion. This requires modification of the SAML schema and
418
419 * will have to be changed in a future version.
420
421 *
422
423 * In order not to have to modify the SAML schema we will have to utilize the
424
425 * extension point saml:Statement. We will use xsi:type to specify the actual
426
427 * type of statement wanted:<br>
428
429 * <saml:Statement xsi:type="osg-saml:ObligatedAuthorizationDecisionStatementType">
430
431 *
432
433 * @param doc A Document object to use in manufacturing the tree
434
435 * @param xmlns Include namespace on root element - ignored
436
437 * @return Root element of a DOM tree
438
439 */
440
441 public Node toDOM(Document doc, boolean xmlns) throws SAMLException {
442
443
444
445 log.debug("returning DOM tree with ObligatedAuthorizationDecisionStatement");
446
447
448
449 Element s = doc.createElementNS(OSGXML.SAML_EXT_NS, "ObligatedAuthorizationDecisionStatement");
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467 s.setAttributeNS(null, "Resource", getResource());
468
469 s.setAttributeNS(null, "Decision", getDecision());
470
471 s.appendChild(getSubject().toDOM(doc));
472
473
474
475 Iterator i = getActions();
476
477 while (i.hasNext())
478
479 s.appendChild(((SAMLAction)i.next()).toDOM(doc));
480
481
482
483 i = getEvidence();
484
485 while (i.hasNext()) {
486
487 Object o = i.next();
488
489 if (o instanceof SAMLAssertion)
490
491 s.appendChild(((SAMLAssertion)o).toDOM(doc));
492
493 else if (o instanceof String)
494
495 s.appendChild(doc.createElementNS(XML.SAML_NS,"AssertionIDReference")).appendChild(doc.createTextNode((String)o));
496
497 }
498
499
500
501
502
503 i = getXACMLObligations();
504
505 while (i.hasNext())
506
507 s.appendChild(((XACMLObligation)i.next()).toDOM(doc));
508
509
510
511 return root = s;
512
513 }
514
515
516
517 }
518