7 package gov.bnl.gums.service;
8
9 import java.util.List;
10
11 import org.apache.log4j.Logger;
12
13 import gov.bnl.gums.admin.GUMSAPI;
14 import gov.bnl.gums.admin.GUMSAPIImpl;
15
16 import org.opensaml.saml2.core.Statement;
17 import org.opensaml.xml.XMLObjectBuilderFactory;
18 import org.opensaml.xacml.ctx.RequestType;
19 import org.opensaml.xacml.ctx.DecisionType;
20 import org.opensaml.xacml.ctx.ResponseType;
21 import org.opensaml.xacml.ctx.StatusType;
22 import org.opensaml.xacml.ctx.StatusCodeType;
23 import org.opensaml.xacml.ctx.SubjectType;
24 import org.opensaml.xacml.ctx.ResultType;
25 import org.opensaml.xacml.ctx.ResourceType;
26 import org.opensaml.xacml.ctx.AttributeType;
27 import org.opensaml.xacml.ctx.AttributeValueType;
28 import org.opensaml.xacml.ctx.impl.DecisionTypeImplBuilder;
29 import org.opensaml.xacml.ctx.impl.StatusCodeTypeImplBuilder;
30 import org.opensaml.xacml.ctx.impl.StatusTypeImplBuilder;
31 import org.opensaml.xacml.ctx.impl.ResultTypeImplBuilder;
32 import org.opensaml.xacml.ctx.impl.ResponseTypeImplBuilder;
33 import org.opensaml.xacml.ctx.impl.AttributeValueTypeImpl;
34 import org.opensaml.xacml.policy.AttributeAssignmentType;
35 import org.opensaml.xacml.policy.EffectType;
36 import org.opensaml.xacml.policy.ObligationsType;
37 import org.opensaml.xacml.policy.ObligationType;
38 import org.opensaml.xacml.policy.impl.AttributeAssignmentTypeImplBuilder;
39 import org.opensaml.xacml.policy.impl.ObligationTypeImplBuilder;
40 import org.opensaml.xacml.policy.impl.ObligationsTypeImplBuilder;
41 import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
42 import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionStatementType;
43 import org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeImplBuilder;
44
45 import org.opensciencegrid.authz.xacml.service.XACMLMappingService;
46 import org.opensciencegrid.authz.xacml.common.XACMLConstants;
47
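/**
 * XACML mapping service backed by GUMS.
 * <p>
 * Takes the host (resource) DN, the subject DN and the subject's primary VOMS
 * FQAN out of an incoming XACML {@code Request}, asks GUMS for the local account
 * and answers with a SAML {@code XACMLAuthzDecisionStatement} whose single
 * {@code Result} is either {@code Permit} plus a username obligation or
 * {@code Deny}.
 * <p>
 * Trust model: every attribute used for the decision is taken verbatim from the
 * request. Nothing in this class authenticates the PEP or checks that the
 * asserted DN/FQAN really belong to the end user; that has to be enforced by the
 * layer in front of this service (presumably the mutually authenticated
 * SOAP/SAML channel of the OSG XACML profile — confirm in the deployment). Any
 * PEP that can reach this endpoint can obtain a mapping for any DN it asserts.
 * <p>
 * Failures (missing attributes, GUMS errors, response assembly errors) are
 * propagated as exceptions; this class never emits a Result with an error
 * status or an {@code Indeterminate} decision.
 */
public class GUMSXACMLMappingServiceImpl implements XACMLMappingService {
    // NOTE(review): XACML 2.0 spells its status identifier as a URN
    // (urn:oasis:names:tc:xacml:1.0:status:ok). This http:// form is what the
    // service has always emitted and deployed PEPs may compare against it
    // literally, so it is deliberately left unchanged — confirm against the
    // OSG profile / XACMLConstants before touching it.
    private static final String OK = "http://oasis/names/tc/xacml/1.0/status/ok";
    private static final Logger log = Logger.getLogger(GUMSXACMLMappingServiceImpl.class);
    // One GUMS API instance shared by all requests. This class keeps no
    // per-request state of its own, so its thread-safety rests on GUMSAPIImpl
    // (not visible here — verify before relying on it).
    private static final GUMSAPI gums = new GUMSAPIImpl();

    /**
     * Maps the credentials carried in an XACML authorization decision query to a
     * local account and wraps the outcome in an XACMLAuthzDecisionStatement.
     *
     * @param xacmlQuery query carrying the XACML {@code Request}; only the first
     *        value of the first matching attribute (across all Subject /
     *        Resource elements, regardless of SubjectCategory) is used, see
     *        {@link #firstAttributeValue}
     * @return statement with one Result: {@code Permit} plus a username
     *         obligation carrying the account when GUMS returns one,
     *         {@code Deny} (with an empty username obligation) when GUMS returns
     *         {@code null}; the Request is echoed back when the query's
     *         {@code ReturnContext} flag is true
     * @throws Exception if the resource X.509 DN or the subject X.509 DN is
     *         missing or empty, or if the GUMS lookup or response assembly fails
     *         (the original exception is rethrown unchanged)
     */
    public XACMLAuthzDecisionStatementType mapCredentials(XACMLAuthzDecisionQueryType xacmlQuery) throws Exception {
        XMLObjectBuilderFactory builderFactory = org.opensaml.xml.Configuration.getBuilderFactory();

        RequestType request = xacmlQuery.getRequest();
        String hostDn = getResourceAttributeValue(request, XACMLConstants.RESOURCE_X509_ID);
        String userDn = getSubjectAttributeValue(request, XACMLConstants.SUBJECT_X509_ID);
        String userFqan = getSubjectAttributeValue(request, XACMLConstants.SUBJECT_VOMS_PRIMARY_FQAN_ID);

        requireAttribute(hostDn, XACMLConstants.RESOURCE_X509_ID);
        requireAttribute(userDn, XACMLConstants.SUBJECT_X509_ID);
        // The primary FQAN is optional: a missing one is handed to GUMS as null.

        try {
            log.debug("Checking access on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'");
            String account = gums.mapUser(hostDn, userDn, userFqan);

            // The username obligation is always present (FulfillOn=Permit); it
            // only carries an AttributeAssignment when a mapping was found.
            ObligationTypeImplBuilder obligationBuilder =
                (ObligationTypeImplBuilder) builderFactory.getBuilder(ObligationType.DEFAULT_ELEMENT_QNAME);
            ObligationType obligation = obligationBuilder.buildObject();
            obligation.setFulfillOn(EffectType.Permit);
            obligation.setObligationId(XACMLConstants.OBLIGATION_USERNAME);

            DecisionTypeImplBuilder decisionBuilder =
                (DecisionTypeImplBuilder) builderFactory.getBuilder(DecisionType.DEFAULT_ELEMENT_NAME);
            DecisionType decision = decisionBuilder.buildObject();

            if (account == null) {
                // GUMS found no mapping for this DN/FQAN on this host: deny.
                decision.setDecision(DecisionType.DECISION.Deny);
                log.debug("Denied access on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "'");
            } else {
                AttributeAssignmentTypeImplBuilder attributeAssignmentBuilder =
                    (AttributeAssignmentTypeImplBuilder) builderFactory.getBuilder(AttributeAssignmentType.DEFAULT_ELEMENT_NAME);
                AttributeAssignmentType attributeAssignment = attributeAssignmentBuilder.buildObject();
                attributeAssignment.setAttributeId(XACMLConstants.ATTRIBUTE_USERNAME_ID);
                attributeAssignment.setDataType(XACMLConstants.STRING_DATATYPE);
                attributeAssignment.setValue(account);
                obligation.getAttributeAssignments().add(attributeAssignment);

                decision.setDecision(DecisionType.DECISION.Permit);
                log.debug("Credentials mapped on '" + hostDn + "' for '" + userDn + "' with fqan '" + userFqan + "' to '" + account + "'");
            }

            ObligationsTypeImplBuilder obligationsBuilder =
                (ObligationsTypeImplBuilder) builderFactory.getBuilder(ObligationsType.DEFAULT_ELEMENT_QNAME);
            ObligationsType obligations = obligationsBuilder.buildObject();
            obligations.getObligations().add(obligation);

            // Reaching this point means the lookup succeeded, so the status is
            // always OK; any failure above has already left via the catch.
            StatusCodeTypeImplBuilder statusCodeBuilder =
                (StatusCodeTypeImplBuilder) builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
            StatusCodeType statusCode = statusCodeBuilder.buildObject();
            statusCode.setValue(OK);
            StatusTypeImplBuilder statusBuilder =
                (StatusTypeImplBuilder) builderFactory.getBuilder(StatusType.DEFAULT_ELEMENT_NAME);
            StatusType status = statusBuilder.buildObject();
            status.setStatusCode(statusCode);

            ResultTypeImplBuilder resultBuilder =
                (ResultTypeImplBuilder) builderFactory.getBuilder(ResultType.DEFAULT_ELEMENT_NAME);
            ResultType result = resultBuilder.buildObject();
            result.setStatus(status);
            result.setDecision(decision);
            result.setObligations(obligations);

            ResponseTypeImplBuilder responseBuilder =
                (ResponseTypeImplBuilder) builderFactory.getBuilder(ResponseType.DEFAULT_ELEMENT_NAME);
            ResponseType response = responseBuilder.buildObject();
            response.setResult(result);

            XACMLAuthzDecisionStatementTypeImplBuilder xacmlauthzBuilder =
                (XACMLAuthzDecisionStatementTypeImplBuilder) builderFactory.getBuilder(XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
            XACMLAuthzDecisionStatementType xacmlAuthzStatement =
                xacmlauthzBuilder.buildObject(Statement.DEFAULT_ELEMENT_NAME, XACMLAuthzDecisionStatementType.TYPE_NAME_XACML20);
            if (returnContextRequested(xacmlQuery)) {
                // The Request is moved, not copied, from the query into the
                // statement; the query object is no longer usable afterwards.
                request.detach();
                xacmlAuthzStatement.setRequest(request);
            }
            xacmlAuthzStatement.setResponse(response);

            return xacmlAuthzStatement;
        } catch (Exception e) {
            // Log with the stack trace (the message alone hides the cause) and
            // let the caller decide how to report it. No partial Result is
            // returned for a failed decision.
            log.debug("Failed to map credentials on '" + hostDn + "' for '" + userDn + "'", e);
            throw e;
        }
    }

    /**
     * Rejects a missing or empty mandatory attribute.
     *
     * @throws Exception with message {@code "missing attribute: <attributeId>"}
     */
    private void requireAttribute(String value, String attributeId) throws Exception {
        if (value == null || value.isEmpty()) {
            log.debug("missing attribute: " + attributeId);
            throw new Exception("missing attribute: " + attributeId);
        }
    }

    /**
     * True when the query asks for the Request to be echoed in the statement.
     * Both the ReturnContext element and its Boolean value may be absent, so
     * both are null-checked instead of auto-unboxing the value.
     */
    private boolean returnContextRequested(XACMLAuthzDecisionQueryType xacmlQuery) {
        if (xacmlQuery.getReturnContextXSBooleanValue() == null) {
            return false;
        }
        return Boolean.TRUE.equals(xacmlQuery.getReturnContextXSBooleanValue().getValue());
    }

    /**
     * Returns the first value of the named attribute found on any Subject.
     * <p>
     * The SubjectCategory is not inspected: if the PEP sends several Subject
     * elements (access-subject, intermediary-subject, codebase, ...), the first
     * one carrying the attribute wins. Presumably the OSG profile sends a single
     * access subject — verify against the PEPs in use before relying on this.
     *
     * @return the value, or {@code null} if no Subject carries it
     */
    private String getSubjectAttributeValue(RequestType request, String attributeId) {
        for (SubjectType subject : request.getSubjects()) {
            String value = firstAttributeValue(subject.getAttributes(), attributeId);
            if (value != null) {
                return value;
            }
        }
        return null;
    }

    /**
     * Returns the first value of the named attribute found on any Resource.
     *
     * @return the value, or {@code null} if no Resource carries it
     */
    private String getResourceAttributeValue(RequestType request, String attributeId) {
        for (ResourceType resource : request.getResources()) {
            String value = firstAttributeValue(resource.getAttributes(), attributeId);
            if (value != null) {
                return value;
            }
        }
        return null;
    }

    /**
     * Shared lookup for the Subject/Resource helpers: the first value of the
     * first attribute whose AttributeId equals {@code attributeId}.
     * <p>
     * Multi-valued attributes are not rejected; extra values are silently
     * ignored. An attribute with no values is skipped, as is a value that is
     * literally {@code null}.
     *
     * @return the value, or {@code null} if none is found
     */
    private String firstAttributeValue(List<AttributeType> attributes, String attributeId) {
        for (AttributeType attribute : attributes) {
            if (!attributeId.equals(attribute.getAttributeID())) {
                continue;
            }
            for (AttributeValueType attributeValue : attribute.getAttributeValues()) {
                // Assumes the OpenSAML implementation class is in use, as the
                // original code did; another AttributeValueType implementation
                // would fail here with a ClassCastException.
                String value = ((AttributeValueTypeImpl) attributeValue).getValue();
                if (value != null) {
                    return value;
                }
            }
        }
        return null;
    }
}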