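package org.ejbca.core.model.authorization;

import java.io.Serializable;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;

import org.ejbca.core.ejb.authorization.AdminGroupDataLocalHome;
import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocal;
import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocal;
import org.ejbca.core.ejb.log.ILogSessionLocal;
import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal;
import org.ejbca.core.model.ca.crl.RevokedCertInfo;
import org.ejbca.core.model.log.Admin;
import org.ejbca.core.model.log.LogConstants;
import org.ejbca.core.model.log.LogEntry;
import org.ejbca.util.CertTools;

/**
 * Decides whether an administrator may use a given resource, and authenticates
 * administrator certificates before such decisions are made.
 *
 * Authorization is answered by an {@link AccessTree} built from the configured admin
 * groups and consulted through an {@link AuthorizationProxy}.  {@link #isAuthorized} and
 * {@link #isGroupAuthorized} write an audit record for every decision, granted or denied;
 * the {@code *NoLog} variants decide silently and exist for bulk filtering.
 *
 * Authentication ({@link #authenticate}) checks the certificate's validity period and then
 * requires the certificate to be present and unrevoked in the certificate store; a
 * certificate that cannot be found is rejected (fail closed).
 *
 * NOTE(review): the class is {@code Serializable} but holds EJB local-interface references;
 * whether those survive serialization depends on the container — confirm before relying on it.
 */
public class Authorizer implements Serializable {

    /** Resource that implicitly grants every other resource checked by {@link #isAuthorized}. */
    private static final String SUPER_ADMINISTRATOR_RESOURCE = "/super_administrator";

    private AccessTree accesstree;
    private AuthorizationProxy authorizationproxy;

    /** Module id written into every log entry produced by this instance. */
    private int module;

    private ICertificateStoreSessionLocal certificatesession;
    private ILogSessionLocal logsession;
    private IRaAdminSessionLocal raadminsession;
    private ICAAdminSessionLocal caadminsession;

    /**
     * Creates an authorizer and builds its access tree from {@code admingroups}.
     *
     * @param admingroups              the admin groups the access tree is built from
     * @param admingrouphome           home interface handed to the {@link AuthorizationProxy}
     * @param logsession               session used for audit logging of authorization decisions
     * @param certificatestoresession  session used for revocation lookups in {@link #authenticate}
     * @param raadminsession           session used to enumerate end entity profiles
     * @param caadminsession           session used to enumerate CAs
     * @param admin                    currently unused; kept for signature compatibility
     * @param module                   module id recorded in log entries
     */
    public Authorizer(Collection admingroups, AdminGroupDataLocalHome admingrouphome,
            ILogSessionLocal logsession, ICertificateStoreSessionLocal certificatestoresession,
            IRaAdminSessionLocal raadminsession, ICAAdminSessionLocal caadminsession, Admin admin, int module) {
        // Assign all collaborators before buildAccessTree() runs: it is public (overridable),
        // so an override must see a fully initialised instance.
        this.logsession = logsession;
        this.module = module;
        this.certificatesession = certificatestoresession;
        this.raadminsession = raadminsession;
        this.caadminsession = caadminsession;
        this.accesstree = new AccessTree();
        this.authorizationproxy = new AuthorizationProxy(admingrouphome, accesstree);
        buildAccessTree(admingroups);
    }

    /**
     * Checks that {@code admin} may use {@code resource} and logs the decision.
     *
     * An administrator holding {@value #SUPER_ADMINISTRATOR_RESOURCE} is authorized to every
     * resource.  Both the granted and the denied outcome are written to the log session.
     *
     * @param admin    the administrator; {@code null} is treated as not authorized
     * @param resource the resource path being requested
     * @return always {@code true} (denial is signalled by the exception)
     * @throws AuthorizationDeniedException if the administrator may not use the resource
     */
    public boolean isAuthorized(Admin admin, String resource) throws AuthorizationDeniedException {
        if (admin == null) {
            throw new AuthorizationDeniedException("Administrator not authorized to resource : " + resource);
        }
        AdminInformation admininformation = admin.getAdminInformation();
        String comment = "Resource : " + resource;
        if (!hasResourceOrSuperAdmin(admininformation, resource)) {
            log(admin, admininformation, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE, comment);
            throw new AuthorizationDeniedException("Administrator not authorized to resource : " + resource);
        }
        log(admin, admininformation, LogEntry.EVENT_INFO_AUTHORIZEDTORESOURCE, comment);
        return true;
    }

    /**
     * Same decision as {@link #isAuthorized} but without writing a log entry.
     *
     * @param admin    the administrator; {@code null} is treated as not authorized
     * @param resource the resource path being requested
     * @return always {@code true}
     * @throws AuthorizationDeniedException if the administrator may not use the resource
     */
    public boolean isAuthorizedNoLog(Admin admin, String resource) throws AuthorizationDeniedException {
        if (admin == null) {
            throw new AuthorizationDeniedException("Administrator not authorized to resource : " + resource);
        }
        AdminInformation admininformation = admin.getAdminInformation();
        if (!hasResourceOrSuperAdmin(admininformation, resource)) {
            throw new AuthorizationDeniedException("Administrator not authorized to resource : " + resource);
        }
        return true;
    }

    /**
     * Checks that the admin group identified by {@code pk} grants {@code resource} to
     * {@code admin}, and logs the decision.  Unlike {@link #isAuthorized} there is no
     * super-administrator fallback here.
     *
     * @param admin    the administrator; {@code null} is treated as not authorized
     * @param pk       primary key of the admin group to check against
     * @param resource the resource path being requested
     * @return always {@code true}
     * @throws AuthorizationDeniedException if the group does not grant the resource
     */
    public boolean isGroupAuthorized(Admin admin, int pk, String resource) throws AuthorizationDeniedException {
        if (admin == null) {
            throw new AuthorizationDeniedException("Administrator group not authorized to resource : " + resource);
        }
        AdminInformation admininformation = admin.getAdminInformation();
        if (!authorizationproxy.isGroupAuthorized(admininformation, pk, resource)) {
            log(admin, admininformation, LogEntry.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,
                    "Adminstrator group not authorized to resource : " + resource);
            throw new AuthorizationDeniedException("Administrator group not authorized to resource : " + resource);
        }
        // The granted outcome previously logged a "not authorized" text next to an
        // INFO_AUTHORIZED event, which made the audit trail contradict itself.
        log(admin, admininformation, LogEntry.EVENT_INFO_AUTHORIZEDTORESOURCE,
                "Administrator group authorized to resource : " + resource);
        return true;
    }

    /**
     * Same decision as {@link #isGroupAuthorized} but without writing a log entry.
     *
     * @param admin    the administrator; {@code null} is treated as not authorized
     * @param pk       primary key of the admin group to check against
     * @param resource the resource path being requested
     * @return always {@code true}
     * @throws AuthorizationDeniedException if the group does not grant the resource
     */
    public boolean isGroupAuthorizedNoLog(Admin admin, int pk, String resource) throws AuthorizationDeniedException {
        if (admin == null) {
            throw new AuthorizationDeniedException("Administrator group not authorized to resource : " + resource);
        }
        if (!authorizationproxy.isGroupAuthorized(admin.getAdminInformation(), pk, resource)) {
            throw new AuthorizationDeniedException("Administrator group not authorized to resource : " + resource);
        }
        return true;
    }

    /**
     * Authenticates an administrator certificate: it must be within its validity period,
     * must be known to the certificate store, and must not be revoked.
     *
     * Only the two validity-period failures are mapped to "expired" / "not yet valid";
     * any other problem (including a missing certificate) gets its own message instead of
     * being misreported as an expiry.
     *
     * @param certificate the administrator's certificate
     * @throws AuthenticationFailedException if any of the checks fails
     */
    public void authenticate(X509Certificate certificate) throws AuthenticationFailedException {
        if (certificate == null) {
            throw new AuthenticationFailedException("No certificate was supplied.");
        }
        try {
            certificate.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new AuthenticationFailedException("Your certificates vality has expired.");
        } catch (CertificateNotYetValidException e) {
            throw new AuthenticationFailedException("Your certificate is not yet valid.");
        }
        RevokedCertInfo revinfo = certificatesession.isRevoked(new Admin(certificate),
                CertTools.getIssuerDN(certificate), certificate.getSerialNumber());
        // Fail closed: a certificate the store does not know is rejected, not trusted.
        if (revinfo == null) {
            throw new AuthenticationFailedException("Your certificate cannot be found in database.");
        }
        if (revinfo.getReason() != RevokedCertInfo.NOT_REVOKED) {
            throw new AuthenticationFailedException("Your certificate have been revoked.");
        }
    }

    /**
     * Returns the ids of the CAs available to {@code admin} that the admin is also
     * authorized to, using the {@code CAPREFIX} access rule.  Denials are filtered out
     * silently; nothing is logged.
     *
     * @param admin the administrator
     * @return a new list of {@code Integer} CA ids (possibly empty)
     */
    public Collection getAuthorizedCAIds(Admin admin) {
        ArrayList authorized = new ArrayList();
        Iterator iter = caadminsession.getAvailableCAs(admin).iterator();
        while (iter.hasNext()) {
            Integer caid = (Integer) iter.next();
            if (mayAccess(admin, AvailableAccessRules.CAPREFIX + caid.toString())) {
                authorized.add(caid);
            }
        }
        return authorized;
    }

    /**
     * Returns the end entity profile ids for which {@code admin} holds the given RA
     * privilege under the profile's {@code ENDENTITYPROFILEPREFIX} rule.  Denials are
     * filtered out silently; nothing is logged.
     *
     * @param admin        the administrator
     * @param rapriviledge privilege suffix appended to the profile rule
     * @return a new list of {@code Integer} profile ids (possibly empty)
     */
    public Collection getAuthorizedEndEntityProfileIds(Admin admin, String rapriviledge) {
        ArrayList authorized = new ArrayList();
        Iterator iter = raadminsession.getEndEntityProfileIdToNameMap(admin).keySet().iterator();
        while (iter.hasNext()) {
            Integer profileid = (Integer) iter.next();
            if (mayAccess(admin, AvailableAccessRules.ENDENTITYPROFILEPREFIX + profileid + rapriviledge)) {
                authorized.add(profileid);
            }
        }
        return authorized;
    }

    /**
     * Rebuilds the access tree from {@code admingroups} and drops every cached decision in
     * the proxy so that stale grants cannot survive a group change.
     *
     * Called from the constructor; an override must not rely on state set in a subclass
     * constructor.
     *
     * @param admingroups the admin groups to build the tree from
     */
    public void buildAccessTree(Collection admingroups) {
        accesstree.buildTree(admingroups);
        authorizationproxy.clear();
    }

    /** True when the resource itself, or the super-administrator resource, is granted. */
    private boolean hasResourceOrSuperAdmin(AdminInformation admininformation, String resource) {
        return authorizationproxy.isAuthorized(admininformation, resource)
                || authorizationproxy.isAuthorized(admininformation, SUPER_ADMINISTRATOR_RESOURCE);
    }

    /** {@link #isAuthorizedNoLog} as a predicate: a denial means "filter out", not an error. */
    private boolean mayAccess(Admin admin, String resource) {
        try {
            isAuthorizedNoLog(admin, resource);
            return true;
        } catch (AuthorizationDeniedException ignored) {
            // Deliberate: callers build a list of permitted ids; denial is the normal case.
            return false;
        }
    }

    /**
     * Writes one audit entry for an authorization decision.  Special (internal) users have no
     * certificate, so their entries are attributed to the internal CA instead.
     */
    private void log(Admin admin, AdminInformation admininformation, int event, String comment) {
        if (admininformation.isSpecialUser()) {
            logsession.log(admin, LogConstants.INTERNALCAID, module, new Date(), null, null, event, comment);
        } else {
            logsession.log(admin, admininformation.getX509Certificate(), module, new Date(), null, null,
                    event, comment);
        }
    }
}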