
1   /*
2    * GUMSAuthZServiceImpl.java
3    *
4    * Created on January 5, 2005, 6:04 PM
5    */
6   
7   package gov.bnl.gums.service;
8   
9   import java.util.List;
10  
11  import org.apache.log4j.Logger;
12  
13  import gov.bnl.gums.admin.GUMSAPI;
14  import gov.bnl.gums.admin.GUMSAPIImpl;
15  
16  import org.opensaml.saml2.core.Statement;
17  import org.opensaml.saml2.core.impl.SubjectBuilder;
18  import org.opensaml.xml.XMLObjectBuilderFactory;
19  import org.opensaml.xacml.ctx.RequestType;
20  import org.opensaml.xacml.ctx.DecisionType;
21  import org.opensaml.xacml.ctx.ResponseType;
22  import org.opensaml.xacml.ctx.StatusType;
23  import org.opensaml.xacml.ctx.StatusCodeType;
24  import org.opensaml.xacml.ctx.SubjectType;
25  import org.opensaml.xacml.ctx.ResultType;
26  import org.opensaml.xacml.ctx.ResourceType;
27  import org.opensaml.xacml.ctx.AttributeType;
28  import org.opensaml.xacml.ctx.AttributeValueType;
29  import org.opensaml.xacml.ctx.impl.DecisionTypeImplBuilder;
30  import org.opensaml.xacml.ctx.impl.StatusCodeTypeImplBuilder;
31  import org.opensaml.xacml.ctx.impl.StatusTypeImplBuilder;
32  import org.opensaml.xacml.ctx.impl.ResultTypeImplBuilder;
33  import org.opensaml.xacml.ctx.impl.ResponseTypeImplBuilder;
34  import org.opensaml.xacml.ctx.impl.AttributeValueTypeImpl;
35  import org.opensaml.xacml.policy.AttributeAssignmentType;
36  import org.opensaml.xacml.policy.EffectType;
37  import org.opensaml.xacml.policy.ObligationsType;
38  import org.opensaml.xacml.policy.ObligationType;
39  import org.opensaml.xacml.policy.impl.AttributeAssignmentTypeImplBuilder;
40  import org.opensaml.xacml.policy.impl.ObligationTypeImplBuilder;
41  import org.opensaml.xacml.policy.impl.ObligationsTypeImplBuilder;
42  import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
43  import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionStatementType;
44  import org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeImplBuilder;
45  import org.opensaml.xml.XMLObject;
46  
47  import org.opensciencegrid.authz.xacml.service.XACMLMappingService;
48  import org.opensciencegrid.authz.xacml.common.XACMLConstants;
49  import org.opensaml.xacml.ctx.AttributeValueType;
50  
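public class GUMSXACMLMappingServiceImpl implements XACMLMappingService {
	/** XACML status-code URI used when mapping or response construction fails. */
	private static final String ERROR = "http://oasis/names/tc/xacml/1.0/status/error";
	/** XACML status-code URI used for a successful evaluation (Permit or Deny). */
	private static final String OK = "http://oasis/names/tc/xacml/1.0/status/ok";
	private static final Logger log = Logger.getLogger(GUMSXACMLMappingServiceImpl.class);
	/** Mapping back end shared by all instances of this service. */
	private static final GUMSAPI gums = new GUMSAPIImpl();

	/**
	 * Maps the subject of an XACML authorization decision query to a local account
	 * through GUMS and wraps the outcome in an XACML authorization decision statement.
	 * <p>
	 * The request must carry the resource X.509 DN and the subject X.509 DN; the
	 * subject's primary VOMS FQAN is optional and is handed to GUMS unchanged
	 * (possibly {@code null}). When GUMS returns an account the decision is Permit
	 * and the account name is carried in a username obligation; when GUMS returns
	 * {@code null} the decision is Deny and the obligation carries no assignment.
	 * Only the first value of the first matching attribute is read, so a request
	 * with several subjects or several values is evaluated on the first one found.
	 * Failures are not encoded in the statement: they propagate as an exception,
	 * so a caller that needs fail-closed behaviour must treat an exception as Deny.
	 *
	 * @param xacmlQuery the incoming authorization decision query
	 * @return the decision statement holding the response, plus the detached request
	 *     when the query asks for the context to be returned
	 * @throws Exception when the request or a required attribute is missing, when
	 *     GUMS fails, or when the response cannot be built
	 */
	public XACMLAuthzDecisionStatementType mapCredentials(XACMLAuthzDecisionQueryType xacmlQuery) throws Exception {
		XMLObjectBuilderFactory builderFactory = org.opensaml.xml.Configuration.getBuilderFactory();

		// Get information from request
		RequestType request = xacmlQuery.getRequest();
		if (request == null) {
			log.debug("missing request in authorization decision query");
			throw new Exception("missing request in authorization decision query");
		}
		String hostDn = getResourceAttributeValue(request, XACMLConstants.RESOURCE_X509_ID);
		String userDn = getSubjectAttributeValue(request, XACMLConstants.SUBJECT_X509_ID);
		String userFqan = getSubjectAttributeValue(request, XACMLConstants.SUBJECT_VOMS_PRIMARY_FQAN_ID);

		requireAttribute(hostDn, XACMLConstants.RESOURCE_X509_ID);
		requireAttribute(userDn, XACMLConstants.SUBJECT_X509_ID);
		// The primary FQAN is deliberately not required; a null value is passed to GUMS as-is.

		// Status code defaults to OK and is only downgraded on failure.
		StatusCodeTypeImplBuilder statusCodeBuilder = (StatusCodeTypeImplBuilder) builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
		StatusCodeType statusCode = statusCodeBuilder.buildObject();
		statusCode.setValue(OK);

		DecisionTypeImplBuilder decisionBuilder = (DecisionTypeImplBuilder) builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
		DecisionType decision = decisionBuilder.buildObject();
		AttributeAssignmentType attributeAssignment = null;

		try {
			log.debug("Checking access on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'");
			String account = gums.mapUser(hostDn, userDn, userFqan);
			if (account == null) {
				// No mapping means no access; nothing is attached to the obligation.
				decision.setDecision(DecisionType.DECISION.Deny);
				log.debug("Denied access on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'");
			} else {
				AttributeAssignmentTypeImplBuilder attributeAssignmentBuilder = (AttributeAssignmentTypeImplBuilder) builderFactory.getBuilder(AttributeAssignmentType.DEFAULT_ELEMENT_NAME);
				attributeAssignment = attributeAssignmentBuilder.buildObject();
				attributeAssignment.setAttributeId(XACMLConstants.ATTRIBUTE_USERNAME_ID);
				attributeAssignment.setDataType(XACMLConstants.STRING_DATATYPE);
				attributeAssignment.setValue(account);

				decision.setDecision(DecisionType.DECISION.Permit);
				log.debug("Credentials mapped on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "' to '" + account + "'");
			}

			// Status
			StatusTypeImplBuilder statusBuilder = (StatusTypeImplBuilder) builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
			StatusType status = statusBuilder.buildObject();
			status.setStatusCode(statusCode);

			// Obligation: the username assignment is only present on Permit.
			ObligationTypeImplBuilder obligationBuilder = (ObligationTypeImplBuilder) builderFactory.getBuilder(ObligationType.DEFAULT_ELEMENT_QNAME);
			ObligationType obligation = obligationBuilder.buildObject();
			obligation.setFulfillOn(EffectType.Permit);
			obligation.setObligationId(XACMLConstants.OBLIGATION_USERNAME);
			if (attributeAssignment != null) {
				obligation.getAttributeAssignments().add(attributeAssignment);
			}

			// Obligations
			ObligationsTypeImplBuilder obligationsBuilder = (ObligationsTypeImplBuilder) builderFactory.getBuilder(ObligationsType.DEFAULT_ELEMENT_QNAME);
			ObligationsType obligations = obligationsBuilder.buildObject();
			obligations.getObligations().add(obligation);

			// Result
			ResultTypeImplBuilder resultBuilder = (ResultTypeImplBuilder) builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
			ResultType result = resultBuilder.buildObject();
			result.setStatus(status);
			result.setDecision(decision);
			result.setObligations(obligations);

			// Response
			ResponseTypeImplBuilder responseBuilder = (ResponseTypeImplBuilder) builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
			ResponseType response = responseBuilder.buildObject();
			response.setResult(result);

			// Statement
			XACMLAuthzDecisionStatementTypeImplBuilder xacmlauthzBuilder = (XACMLAuthzDecisionStatementTypeImplBuilder) builderFactory.getBuilder(XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
			XACMLAuthzDecisionStatementType xacmlAuthzStatement = xacmlauthzBuilder.buildObject(Statement.DEFAULT_ELEMENT_NAME, XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
			if (xacmlQuery.getReturnContextXSBooleanValue() != null
					&& Boolean.TRUE.equals(xacmlQuery.getReturnContextXSBooleanValue().getValue())) {
				// The request is re-parented into the statement, so it must be detached from the query first.
				request.detach();
				xacmlAuthzStatement.setRequest(request);
			}
			xacmlAuthzStatement.setResponse(response);

			return xacmlAuthzStatement;
		} catch (Exception e1) {
			// The statement is never returned on failure; the caller sees the exception.
			statusCode.setValue(ERROR);
			log.debug("Authorization mapping failed on '" + hostDn + "' for '" + userDn + "'", e1);
			throw e1;
		}
	}

	/**
	 * Rejects a missing or empty required attribute value.
	 *
	 * @param value the attribute value read from the request, may be {@code null}
	 * @param attributeId the attribute id, used in the log and exception message
	 * @throws Exception when {@code value} is {@code null} or empty
	 */
	private static void requireAttribute(String value, String attributeId) throws Exception {
		if (value == null || value.length() == 0) {
			log.debug("missing attribute: " + attributeId);
			throw new Exception("missing attribute: " + attributeId);
		}
	}

	/**
	 * Returns the first value of the first attribute in {@code attributeList} whose
	 * id equals {@code attributeId}, or {@code null} when no matching attribute
	 * carries a value. A matching attribute without values is skipped.
	 *
	 * @param attributeList attributes to search, may be {@code null}
	 * @param attributeId the attribute id to look for, must not be {@code null}
	 * @return the first value found, or {@code null}
	 */
	private static String firstAttributeValue(List<AttributeType> attributeList, String attributeId) {
		if (attributeList == null) {
			return null;
		}
		for (AttributeType attribute : attributeList) {
			if (!attributeId.equals(attribute.getAttributeID())) {
				continue;
			}
			List<AttributeValueType> values = attribute.getAttributeValues();
			if (values != null && !values.isEmpty()) {
				// The value is only reachable through the OpenSAML impl class; the cast mirrors the original.
				return ((AttributeValueTypeImpl) values.get(0)).getValue();
			}
		}
		return null;
	}

	/**
	 * Looks up a subject attribute across all subjects of the request.
	 *
	 * @param request the XACML request, must not be {@code null}
	 * @param attributeId the attribute id to look for
	 * @return the first value found in any subject, or {@code null}
	 */
	private String getSubjectAttributeValue(RequestType request, String attributeId) {
		List<SubjectType> subjectList = request.getSubjects();
		if (subjectList == null) {
			return null;
		}
		for (SubjectType subject : subjectList) {
			String value = firstAttributeValue(subject.getAttributes(), attributeId);
			if (value != null) {
				return value;
			}
		}
		return null;
	}

	/**
	 * Looks up a resource attribute across all resources of the request.
	 *
	 * @param request the XACML request, must not be {@code null}
	 * @param attributeId the attribute id to look for
	 * @return the first value found in any resource, or {@code null}
	 */
	private String getResourceAttributeValue(RequestType request, String attributeId) {
		List<ResourceType> resourceList = request.getResources();
		if (resourceList == null) {
			return null;
		}
		for (ResourceType resource : resourceList) {
			String value = firstAttributeValue(resource.getAttributes(), attributeId);
			if (value != null) {
				return value;
			}
		}
		return null;
	}
}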