7 package gov.bnl.gums.service;
8
9 import java.util.List;
10
11 import org.apache.log4j.Logger;
12
13 import gov.bnl.gums.admin.GUMSAPI;
14 import gov.bnl.gums.admin.GUMSAPIImpl;
15
16 import org.opensaml.saml2.core.Statement;
17 import org.opensaml.saml2.core.impl.SubjectBuilder;
18 import org.opensaml.xml.XMLObjectBuilderFactory;
19 import org.opensaml.xacml.ctx.RequestType;
20 import org.opensaml.xacml.ctx.DecisionType;
21 import org.opensaml.xacml.ctx.ResponseType;
22 import org.opensaml.xacml.ctx.StatusType;
23 import org.opensaml.xacml.ctx.StatusCodeType;
24 import org.opensaml.xacml.ctx.SubjectType;
25 import org.opensaml.xacml.ctx.ResultType;
26 import org.opensaml.xacml.ctx.ResourceType;
27 import org.opensaml.xacml.ctx.AttributeType;
28 import org.opensaml.xacml.ctx.AttributeValueType;
29 import org.opensaml.xacml.ctx.impl.DecisionTypeImplBuilder;
30 import org.opensaml.xacml.ctx.impl.StatusCodeTypeImplBuilder;
31 import org.opensaml.xacml.ctx.impl.StatusTypeImplBuilder;
32 import org.opensaml.xacml.ctx.impl.ResultTypeImplBuilder;
33 import org.opensaml.xacml.ctx.impl.ResponseTypeImplBuilder;
34 import org.opensaml.xacml.ctx.impl.AttributeValueTypeImpl;
35 import org.opensaml.xacml.policy.AttributeAssignmentType;
36 import org.opensaml.xacml.policy.EffectType;
37 import org.opensaml.xacml.policy.ObligationsType;
38 import org.opensaml.xacml.policy.ObligationType;
39 import org.opensaml.xacml.policy.impl.AttributeAssignmentTypeImplBuilder;
40 import org.opensaml.xacml.policy.impl.ObligationTypeImplBuilder;
41 import org.opensaml.xacml.policy.impl.ObligationsTypeImplBuilder;
42 import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
43 import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionStatementType;
44 import org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeImplBuilder;
45 import org.opensaml.xml.XMLObject;
46
47 import org.opensciencegrid.authz.xacml.service.XACMLMappingService;
48 import org.opensciencegrid.authz.xacml.common.XACMLConstants;
49 import org.opensaml.xacml.ctx.AttributeValueType;
50
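public class GUMSXACMLMappingServiceImpl implements XACMLMappingService {

    // Status-code value placed in the XACML Status element of every response
    // this service returns; failures propagate as exceptions and never produce
    // a response, so an error status is never emitted.
    // NOTE(review): XACML 1.0 identifies status codes by URN
    // (urn:oasis:names:tc:xacml:1.0:status:ok); this http-style value is what
    // the service has always sent, so confirm what the consuming PEP expects
    // before changing either side.
    private static final String OK = "http://oasis/names/tc/xacml/1.0/status/ok";

    private static final Logger log = Logger.getLogger(GUMSXACMLMappingServiceImpl.class);
    private static final GUMSAPI gums = new GUMSAPIImpl();

    /**
     * Maps the credentials carried in an XACML authorization decision query to a
     * local account through GUMS and returns the outcome as an XACML
     * authorization decision statement.
     *
     * <p>The resource X.509 DN and the subject X.509 DN are mandatory. The
     * subject's primary VOMS FQAN is optional and is handed to GUMS as
     * {@code null} when absent. A {@code null} mapping result yields a
     * {@code Deny}; any other result yields {@code Permit} together with a
     * username obligation carrying the account name. When the query asks for
     * the request context to be returned, the request is detached from the
     * query and attached to the statement.
     *
     * @param xacmlQuery the incoming authorization decision query
     * @return the decision statement holding the response (and, on request, the
     *         original request)
     * @throws IllegalArgumentException if the resource or subject X.509 DN is
     *         missing or empty
     * @throws Exception any failure raised by GUMS or while building the
     *         response; it is logged and rethrown unchanged
     */
    public XACMLAuthzDecisionStatementType mapCredentials(XACMLAuthzDecisionQueryType xacmlQuery) throws Exception {
        XMLObjectBuilderFactory builderFactory = org.opensaml.xml.Configuration.getBuilderFactory();
        RequestType request = xacmlQuery.getRequest();

        String hostDn = getResourceAttributeValue(request, XACMLConstants.RESOURCE_X509_ID);
        String userDn = getSubjectAttributeValue(request, XACMLConstants.SUBJECT_X509_ID);
        // Not validated: an absent FQAN reaches GUMS as null.
        String userFqan = getSubjectAttributeValue(request, XACMLConstants.SUBJECT_VOMS_PRIMARY_FQAN_ID);
        requireAttribute(hostDn, XACMLConstants.RESOURCE_X509_ID);
        requireAttribute(userDn, XACMLConstants.SUBJECT_X509_ID);

        try {
            log.debug("Checking access on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'");
            String account = gums.mapUser(hostDn, userDn, userFqan);

            DecisionTypeImplBuilder decisionBuilder =
                (DecisionTypeImplBuilder) builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
            DecisionType decision = decisionBuilder.buildObject();

            // The username assignment exists only on Permit; on Deny the
            // obligation element is still emitted, just without an assignment.
            AttributeAssignmentType attributeAssignment = null;
            if (account == null) {
                decision.setDecision(DecisionType.DECISION.Deny);
                log.debug("Denied access on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'");
            } else {
                AttributeAssignmentTypeImplBuilder attributeAssignmentBuilder =
                    (AttributeAssignmentTypeImplBuilder) builderFactory.getBuilder(AttributeAssignmentType.DEFAULT_ELEMENT_NAME);
                attributeAssignment = attributeAssignmentBuilder.buildObject();
                attributeAssignment.setAttributeId(XACMLConstants.ATTRIBUTE_USERNAME_ID);
                attributeAssignment.setDataType(XACMLConstants.STRING_DATATYPE);
                attributeAssignment.setValue(account);
                decision.setDecision(DecisionType.DECISION.Permit);
                log.debug("Credentials mapped on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "' to '" + account + "'");
            }

            StatusCodeTypeImplBuilder statusCodeBuilder =
                (StatusCodeTypeImplBuilder) builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
            StatusCodeType statusCode = statusCodeBuilder.buildObject();
            statusCode.setValue(OK);

            StatusTypeImplBuilder statusBuilder =
                (StatusTypeImplBuilder) builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
            StatusType status = statusBuilder.buildObject();
            status.setStatusCode(statusCode);

            ObligationTypeImplBuilder obligationBuilder =
                (ObligationTypeImplBuilder) builderFactory.getBuilder(ObligationType.DEFAULT_ELEMENT_QNAME);
            ObligationType obligation = obligationBuilder.buildObject();
            obligation.setFulfillOn(EffectType.Permit);
            obligation.setObligationId(XACMLConstants.OBLIGATION_USERNAME);
            if (attributeAssignment != null) {
                obligation.getAttributeAssignments().add(attributeAssignment);
            }

            ObligationsTypeImplBuilder obligationsBuilder =
                (ObligationsTypeImplBuilder) builderFactory.getBuilder(ObligationsType.DEFAULT_ELEMENT_QNAME);
            ObligationsType obligations = obligationsBuilder.buildObject();
            obligations.getObligations().add(obligation);

            ResultTypeImplBuilder resultBuilder =
                (ResultTypeImplBuilder) builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
            ResultType result = resultBuilder.buildObject();
            result.setStatus(status);
            result.setDecision(decision);
            result.setObligations(obligations);

            ResponseTypeImplBuilder responseBuilder =
                (ResponseTypeImplBuilder) builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
            ResponseType response = responseBuilder.buildObject();
            response.setResult(result);

            XACMLAuthzDecisionStatementTypeImplBuilder xacmlauthzBuilder =
                (XACMLAuthzDecisionStatementTypeImplBuilder) builderFactory.getBuilder(XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
            XACMLAuthzDecisionStatementType xacmlAuthzStatement =
                xacmlauthzBuilder.buildObject(Statement.DEFAULT_ELEMENT_NAME, XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
            if (xacmlQuery.getReturnContextXSBooleanValue() != null
                    && xacmlQuery.getReturnContextXSBooleanValue().getValue()) {
                // Caller asked for the request context back: the request is
                // detached from the query before being attached to the statement.
                request.detach();
                xacmlAuthzStatement.setRequest(request);
            }
            xacmlAuthzStatement.setResponse(response);
            return xacmlAuthzStatement;
        } catch (Exception e1) {
            // Log the throwable itself so the stack trace is kept; getMessage()
            // alone may be null and hides where the failure originated.
            log.debug(e1.getMessage(), e1);
            throw e1;
        }
    }

    /**
     * Rejects a mandatory attribute that is absent or empty.
     *
     * @param value the extracted attribute value, possibly {@code null}
     * @param attributeId the attribute id, used in the log and error message
     * @throws IllegalArgumentException if {@code value} is {@code null} or empty
     */
    private static void requireAttribute(String value, String attributeId) {
        if (value == null || value.isEmpty()) {
            log.debug("missing attribute: " + attributeId);
            throw new IllegalArgumentException("missing attribute: " + attributeId);
        }
    }

    /**
     * Returns the first value of the given attribute across the request's
     * subjects, scanning subjects in document order. Only the first match is
     * honoured: a request listing several Subject elements, or repeating the
     * attribute, has its later occurrences silently ignored.
     *
     * @param request the XACML request
     * @param attributeId the attribute id to look for
     * @return the value, or {@code null} if no subject carries a matching
     *         attribute with at least one value
     */
    private String getSubjectAttributeValue(RequestType request, String attributeId) {
        for (SubjectType subject : request.getSubjects()) {
            AttributeType match = findAttribute(subject.getAttributes(), attributeId);
            if (match != null) {
                return firstValue(match);
            }
        }
        return null;
    }

    /**
     * Returns the first value of the given attribute across the request's
     * resources, with the same first-match semantics as
     * {@link #getSubjectAttributeValue(RequestType, String)}.
     *
     * @param request the XACML request
     * @param attributeId the attribute id to look for
     * @return the value, or {@code null} if no resource carries a matching
     *         attribute with at least one value
     */
    private String getResourceAttributeValue(RequestType request, String attributeId) {
        for (ResourceType resource : request.getResources()) {
            AttributeType match = findAttribute(resource.getAttributes(), attributeId);
            if (match != null) {
                return firstValue(match);
            }
        }
        return null;
    }

    /**
     * Finds the first attribute with the given id that carries at least one
     * value; an attribute with the right id but no values is skipped.
     *
     * @param attributes the attributes to scan in order
     * @param attributeId the id to match
     * @return the matching attribute, or {@code null} if there is none
     */
    private static AttributeType findAttribute(List<AttributeType> attributes, String attributeId) {
        for (AttributeType attribute : attributes) {
            if (attributeId.equals(attribute.getAttributeID())
                    && !attribute.getAttributeValues().isEmpty()) {
                return attribute;
            }
        }
        return null;
    }

    /**
     * Returns the text of the attribute's first value.
     *
     * @param attribute an attribute with at least one value
     * @return the first value's text, which may itself be {@code null}
     */
    private static String firstValue(AttributeType attribute) {
        // NOTE(review): the cast assumes OpenSAML's default AttributeValueTypeImpl
        // is the registered implementation; any other implementation would fail
        // here with a ClassCastException.
        return ((AttributeValueTypeImpl) attribute.getAttributeValues().get(0)).getValue();
    }
}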