
1   /*
2    * GUMSAuthZServiceImpl.java
3    *
4    * Created on January 5, 2005, 6:04 PM
5    */
6   
7   package gov.bnl.gums.service;
8   
9   import java.util.List;
10  
11  import org.apache.log4j.Logger;
12  
13  import gov.bnl.gums.admin.GUMSAPI;
14  import gov.bnl.gums.admin.GUMSAPIImpl;
15  
16  import org.opensaml.saml2.core.Statement;
17  import org.opensaml.xml.XMLObjectBuilderFactory;
18  import org.opensaml.xacml.ctx.RequestType;
19  import org.opensaml.xacml.ctx.DecisionType;
20  import org.opensaml.xacml.ctx.ResponseType;
21  import org.opensaml.xacml.ctx.StatusType;
22  import org.opensaml.xacml.ctx.StatusCodeType;
23  import org.opensaml.xacml.ctx.SubjectType;
24  import org.opensaml.xacml.ctx.ResultType;
25  import org.opensaml.xacml.ctx.ResourceType;
26  import org.opensaml.xacml.ctx.AttributeType;
27  import org.opensaml.xacml.ctx.AttributeValueType;
28  import org.opensaml.xacml.ctx.impl.DecisionTypeImplBuilder;
29  import org.opensaml.xacml.ctx.impl.StatusCodeTypeImplBuilder;
30  import org.opensaml.xacml.ctx.impl.StatusTypeImplBuilder;
31  import org.opensaml.xacml.ctx.impl.ResultTypeImplBuilder;
32  import org.opensaml.xacml.ctx.impl.ResponseTypeImplBuilder;
33  import org.opensaml.xacml.ctx.impl.AttributeValueTypeImpl;
34  import org.opensaml.xacml.policy.AttributeAssignmentType;
35  import org.opensaml.xacml.policy.EffectType;
36  import org.opensaml.xacml.policy.ObligationsType;
37  import org.opensaml.xacml.policy.ObligationType;
38  import org.opensaml.xacml.policy.impl.AttributeAssignmentTypeImplBuilder;
39  import org.opensaml.xacml.policy.impl.ObligationTypeImplBuilder;
40  import org.opensaml.xacml.policy.impl.ObligationsTypeImplBuilder;
41  import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
42  import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionStatementType;
43  import org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeImplBuilder;
44  
45  import org.opensciencegrid.authz.xacml.service.XACMLMappingService;
46  import org.opensciencegrid.authz.xacml.common.XACMLConstants;
47  
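/**
 * GUMS backend for the OSG XACML mapping service: takes the identity carried in an
 * {@code XACMLAuthzDecisionQuery} (resource/host X.509 DN, subject X.509 DN and,
 * optionally, the primary VOMS FQAN), asks GUMS for a local account, and returns
 * the outcome as a SAML {@code XACMLAuthzDecisionStatement}.
 *
 * <p>Security notes (review):
 * <ul>
 *   <li>The DNs and FQAN are read verbatim from the request attributes the PEP
 *       supplied. Nothing in this class verifies them; it assumes the caller /
 *       transport has already authenticated the PEP and that the PEP only asserts
 *       identities it validated itself (e.g. from a verified proxy chain) — TODO
 *       confirm where that check lives.</li>
 *   <li>Decisions fail closed: a {@code null} account from GUMS yields
 *       {@code Deny}; any exception from GUMS or from building the response is
 *       propagated to the caller rather than turned into a {@code Permit}.</li>
 *   <li>An attribute lookup returns the first value of the first matching
 *       attribute, scanning every {@code Subject}/{@code Resource} in document
 *       order and ignoring {@code SubjectCategory}. If a PEP can legitimately send
 *       several subjects carrying the same attribute, the mapping is decided by
 *       document order — TODO confirm the PEP contract.</li>
 *   <li>The status URI below is not the XACML 1.0 status URN
 *       ({@code urn:oasis:names:tc:xacml:1.0:status:ok}). It is kept byte-for-byte
 *       for wire compatibility with existing PEPs; a PEP comparing against the
 *       standard URN would not match it.</li>
 * </ul>
 */
public class GUMSXACMLMappingServiceImpl implements XACMLMappingService {
	/** Status URI placed on every decision that is returned (errors are thrown, not returned). */
	private static final String OK = "http://oasis/names/tc/xacml/1.0/status/ok";
	private static final Logger log = Logger.getLogger(GUMSXACMLMappingServiceImpl.class);
	/** Single shared GUMS entry point for the lifetime of the class. */
	private static final GUMSAPI gums = new GUMSAPIImpl();

	/**
	 * Maps the credentials in {@code xacmlQuery} to a local account.
	 *
	 * @param xacmlQuery decision query whose {@code Request} carries the resource X.509 DN,
	 *        the subject X.509 DN and, optionally, the subject's primary VOMS FQAN
	 * @return a statement whose single result is {@code Permit} with a username obligation
	 *         when GUMS returned an account, or {@code Deny} (the username obligation is
	 *         still present but carries no assignment) when it did not; the request is
	 *         echoed back in the statement when {@code ReturnContext} is true
	 * @throws Exception if the resource or subject X.509 attribute is missing or empty,
	 *         if GUMS fails, or if the response objects cannot be built
	 */
	public XACMLAuthzDecisionStatementType mapCredentials(XACMLAuthzDecisionQueryType xacmlQuery) throws Exception {
		XMLObjectBuilderFactory builderFactory = org.opensaml.xml.Configuration.getBuilderFactory();

		// Identity as asserted by the PEP; not verified here (see class Javadoc).
		RequestType request = xacmlQuery.getRequest();
		String hostDn = getResourceAttributeValue(request, XACMLConstants.RESOURCE_X509_ID);
		String userDn = getSubjectAttributeValue(request, XACMLConstants.SUBJECT_X509_ID);
		String userFqan = getSubjectAttributeValue(request, XACMLConstants.SUBJECT_VOMS_PRIMARY_FQAN_ID);

		requireAttribute(hostDn, XACMLConstants.RESOURCE_X509_ID);
		requireAttribute(userDn, XACMLConstants.SUBJECT_X509_ID);
		// The FQAN is deliberately optional: GUMS also supports DN-only mapping, so a
		// null FQAN is passed through to mapUser rather than rejected.

		DecisionTypeImplBuilder decisionBuilder = (DecisionTypeImplBuilder) builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
		DecisionType decision = decisionBuilder.buildObject();
		AttributeAssignmentType attributeAssignment = null;

		try {
			// These debug lines (DN, FQAN, mapped account) are the audit trail of the
			// mapping; no credential material is logged.
			log.debug("Checking access on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'");
			String account = gums.mapUser(hostDn, userDn, userFqan);
			if (account == null) {
				// No mapping means no access: fail closed.
				decision.setDecision(DecisionType.DECISION.Deny);
				log.debug("Denied access on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'");
			} else {
				attributeAssignment = usernameAssignment(builderFactory, account);
				decision.setDecision(DecisionType.DECISION.Permit);
				log.debug("Credentials mapped on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "' to '" + account + "'");
			}
			return buildStatement(builderFactory, xacmlQuery, request, decision, attributeAssignment);
		} catch (Exception e) {
			// Log with the throwable: getMessage() alone may be null and loses the cause.
			// The exception itself is the error signal to the caller; no Response with
			// an error status is built here.
			log.debug("Mapping failed on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'", e);
			throw e;
		}
	}

	/**
	 * Rejects a mandatory attribute that is absent or empty.
	 *
	 * @throws Exception with the same "missing attribute" message the service has always used
	 */
	private void requireAttribute(String value, String attributeId) throws Exception {
		if (value == null || value.length() == 0) {
			log.debug("missing attribute: " + attributeId);
			throw new Exception("missing attribute: " + attributeId);
		}
	}

	/** Builds the username attribute assignment that rides on the Permit obligation. */
	private static AttributeAssignmentType usernameAssignment(XMLObjectBuilderFactory builderFactory, String account) {
		AttributeAssignmentTypeImplBuilder assignmentBuilder = (AttributeAssignmentTypeImplBuilder) builderFactory.getBuilder(AttributeAssignmentType.DEFAULT_ELEMENT_NAME);
		AttributeAssignmentType assignment = assignmentBuilder.buildObject();
		assignment.setAttributeId(XACMLConstants.ATTRIBUTE_USERNAME_ID);
		assignment.setDataType(XACMLConstants.STRING_DATATYPE);
		assignment.setValue(account);
		return assignment;
	}

	/**
	 * Assembles Status -> Obligation(s) -> Result -> Response -> Statement around the decision.
	 *
	 * <p>The username obligation ({@code FulfillOn=Permit}) is attached to every result,
	 * including a Deny, where it simply carries no assignment. PEPs must therefore act on
	 * the {@code Decision}, not on the presence of the obligation.
	 *
	 * @param attributeAssignment the username assignment for a Permit, or {@code null} on Deny
	 */
	private static XACMLAuthzDecisionStatementType buildStatement(XMLObjectBuilderFactory builderFactory,
			XACMLAuthzDecisionQueryType xacmlQuery, RequestType request, DecisionType decision,
			AttributeAssignmentType attributeAssignment) {
		// Status
		StatusCodeTypeImplBuilder statusCodeBuilder = (StatusCodeTypeImplBuilder) builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
		StatusCodeType statusCode = statusCodeBuilder.buildObject();
		statusCode.setValue(OK);
		StatusTypeImplBuilder statusBuilder = (StatusTypeImplBuilder) builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
		StatusType status = statusBuilder.buildObject();
		status.setStatusCode(statusCode);

		// Obligation
		ObligationTypeImplBuilder obligationBuilder = (ObligationTypeImplBuilder) builderFactory.getBuilder(ObligationType.DEFAULT_ELEMENT_QNAME);
		ObligationType obligation = obligationBuilder.buildObject();
		obligation.setFulfillOn(EffectType.Permit);
		obligation.setObligationId(XACMLConstants.OBLIGATION_USERNAME);
		if (attributeAssignment != null) {
			obligation.getAttributeAssignments().add(attributeAssignment);
		}

		// Obligations
		ObligationsTypeImplBuilder obligationsBuilder = (ObligationsTypeImplBuilder) builderFactory.getBuilder(ObligationsType.DEFAULT_ELEMENT_QNAME);
		ObligationsType obligations = obligationsBuilder.buildObject();
		obligations.getObligations().add(obligation);

		// Result
		ResultTypeImplBuilder resultBuilder = (ResultTypeImplBuilder) builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
		ResultType result = resultBuilder.buildObject();
		result.setStatus(status);
		result.setDecision(decision);
		result.setObligations(obligations);

		// Response
		ResponseTypeImplBuilder responseBuilder = (ResponseTypeImplBuilder) builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
		ResponseType response = responseBuilder.buildObject();
		response.setResult(result);

		// Statement
		XACMLAuthzDecisionStatementTypeImplBuilder statementBuilder = (XACMLAuthzDecisionStatementTypeImplBuilder) builderFactory.getBuilder(XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
		XACMLAuthzDecisionStatementType statement = statementBuilder.buildObject(Statement.DEFAULT_ELEMENT_NAME, XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
		if (xacmlQuery.getReturnContextXSBooleanValue() != null && xacmlQuery.getReturnContextXSBooleanValue().getValue()) {
			// ReturnContext=true: echo the request back. detach() moves it out of the
			// query's tree, so the query object is modified as a side effect.
			request.detach();
			statement.setRequest(request);
		}
		statement.setResponse(response);
		return statement;
	}

	/**
	 * Returns the first value of the first {@code Subject} attribute with {@code attributeId},
	 * scanning all subjects in document order regardless of category, or {@code null} if none.
	 */
	private String getSubjectAttributeValue(RequestType request, String attributeId) {
		List<SubjectType> subjects = request.getSubjects();
		for (SubjectType subject : subjects) {
			String value = firstAttributeValue(subject.getAttributes(), attributeId);
			if (value != null) {
				return value;
			}
		}
		return null;
	}

	/**
	 * Returns the first value of the first {@code Resource} attribute with {@code attributeId},
	 * scanning all resources in document order, or {@code null} if none.
	 */
	private String getResourceAttributeValue(RequestType request, String attributeId) {
		List<ResourceType> resources = request.getResources();
		for (ResourceType resource : resources) {
			String value = firstAttributeValue(resource.getAttributes(), attributeId);
			if (value != null) {
				return value;
			}
		}
		return null;
	}

	/**
	 * Shared lookup for the two getters above: the first value of the first attribute whose
	 * id equals {@code attributeId}. An attribute with a matching id but no values is skipped
	 * and the scan continues. Values are assumed to be {@link AttributeValueTypeImpl}, as
	 * produced by the OpenSAML builder factory.
	 */
	private static String firstAttributeValue(List<AttributeType> attributes, String attributeId) {
		for (AttributeType attribute : attributes) {
			if (!attributeId.equals(attribute.getAttributeID())) {
				continue;
			}
			List<AttributeValueType> values = attribute.getAttributeValues();
			if (!values.isEmpty()) {
				return ((AttributeValueTypeImpl) values.get(0)).getValue();
			}
		}
		return null;
	}
}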