

1 /*************************************************************************
2  * *
3  * EJBCA: The OpenSource Certificate Authority *
4  * *
5  * This software is free software; you can redistribute it and/or *
6  * modify it under the terms of the GNU Lesser General Public *
7  * License as published by the Free Software Foundation; either *
8  * version 2.1 of the License, or any later version. *
9  * *
10  * See terms of license at gnu.org. *
11  * *
12  *************************************************************************/

13  
14 package org.ejbca.core.model.authorization;
15
16 import java.util.ArrayList JavaDoc;
17 import java.util.Collection JavaDoc;
18 import java.util.HashSet JavaDoc;
19 import java.util.Iterator JavaDoc;
20
21 import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal;
22 import org.ejbca.core.model.SecConst;
23 import org.ejbca.core.model.log.Admin;
24 import org.ejbca.core.model.ra.raadmin.GlobalConfiguration;
25
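/**
 * Computes the set of access rules an administrator is allowed to see and
 * hand out when administrator privileges are edited.
 *
 * The global configuration is read once in the constructor; its end entity
 * profile limitation, hard token issuing and key recovery switches decide
 * which optional rule families exist at all. Every candidate rule is then
 * checked against the {@link Authorizer} for the calling administrator, so
 * the returned list only contains rules the administrator holds himself. A
 * super administrator additionally receives the CA base rule, the end entity
 * profile base rule and the hard token functionality rules without an
 * explicit per-rule check.
 *
 * An {@link AuthorizationDeniedException} from the authorizer is the normal
 * "not available" outcome for a candidate rule and is therefore swallowed on
 * purpose rather than logged or propagated.
 *
 * @version $Id: AvailableAccessRules.java,v 1.6 2006/10/26 11:04:12 herrvendil Exp $
 */
public class AvailableAccessRules {

    // Available end entity profile authorization rules; each is appended to a
    // "/endentityprofilesrules/<id>" rule to form a per-profile right.
    public static final String VIEW_RIGHTS = "/view_end_entity";
    public static final String EDIT_RIGHTS = "/edit_end_entity";
    public static final String CREATE_RIGHTS = "/create_end_entity";
    public static final String DELETE_RIGHTS = "/delete_end_entity";
    public static final String REVOKE_RIGHTS = "/revoke_end_entity";
    public static final String HISTORY_RIGHTS = "/view_end_entity_history";
    public static final String APPROVAL_RIGHTS = "/approve_end_entity";

    public static final String HARDTOKEN_RIGHTS = "/view_hardtoken";

    public static final String KEYRECOVERY_RIGHTS = "/keyrecovery";

    // Endings used in end entity profile authorization. The hard token and key
    // recovery endings are not listed here because they are only offered when
    // the corresponding feature is enabled in the global configuration.
    public static final String[] ENDENTITYPROFILE_ENDINGS = {VIEW_RIGHTS, EDIT_RIGHTS, CREATE_RIGHTS,
                                                             DELETE_RIGHTS, REVOKE_RIGHTS, HISTORY_RIGHTS,
                                                             APPROVAL_RIGHTS};

    // Name of the end entity profile prefix directory in the authorization module.
    public static final String ENDENTITYPROFILEBASE = "/endentityprofilesrules";
    public static final String ENDENTITYPROFILEPREFIX = "/endentityprofilesrules/";

    // Name of the CA prefix directory in the access rules.
    public static final String CABASE = "/ca";
    public static final String CAPREFIX = "/ca/";

    public static final String ROLE_PUBLICWEBUSER = "/public_web_user";
    public static final String ROLE_ADMINISTRATOR = "/administrator";
    public static final String ROLE_SUPERADMINISTRATOR = "/super_administrator";

    public static final String REGULAR_CAFUNCTIONALTY = "/ca_functionality";
    public static final String REGULAR_CABASICFUNCTIONS = "/ca_functionality/basic_functions";
    public static final String REGULAR_ACTIVATECA = "/ca_functionality/basic_functions/activate_ca";
    public static final String REGULAR_VIEWCERTIFICATE = "/ca_functionality/view_certificate";
    public static final String REGULAR_APPROVECAACTION = "/ca_functionality/approve_caaction";
    public static final String REGULAR_CREATECRL = "/ca_functionality/create_crl";
    public static final String REGULAR_EDITCERTIFICATEPROFILES = "/ca_functionality/edit_certificate_profiles";
    public static final String REGULAR_CREATECERTIFICATE = "/ca_functionality/create_certificate";
    public static final String REGULAR_STORECERTIFICATE = "/ca_functionality/store_certificate";
    public static final String REGULAR_RAFUNCTIONALITY = "/ra_functionality";
    public static final String REGULAR_EDITENDENTITYPROFILES = "/ra_functionality/edit_end_entity_profiles";
    public static final String REGULAR_EDITUSERDATASOURCES = "/ra_functionality/edit_user_data_sources";
    public static final String REGULAR_VIEWENDENTITY = "/ra_functionality/view_end_entity";
    public static final String REGULAR_CREATEENDENTITY = "/ra_functionality/create_end_entity";
    public static final String REGULAR_EDITENDENTITY = "/ra_functionality/edit_end_entity";
    public static final String REGULAR_DELETEENDENTITY = "/ra_functionality/delete_end_entity";
    public static final String REGULAR_REVOKEENDENTITY = "/ra_functionality/revoke_end_entity";
    public static final String REGULAR_VIEWENDENTITYHISTORY = "/ra_functionality/view_end_entity_history";
    public static final String REGULAR_APPROVEENDENTITY = "/ra_functionality/approve_end_entity";
    public static final String REGULAR_LOGFUNCTIONALITY = "/log_functionality";
    public static final String REGULAR_VIEWLOG = "/log_functionality/view_log";
    public static final String REGULAR_LOGCONFIGURATION = "/log_functionality/edit_log_configuration";
    public static final String REGULAR_SYSTEMFUNCTIONALITY = "/system_functionality";
    public static final String REGULAR_EDITADMINISTRATORPRIVILEDGES = "/system_functionality/edit_administrator_privileges";
    public static final String REGULAR_EDITSYSTEMCONFIGURATION = "/system_functionality/edit_systemconfiguration";

    public static final String REGULAR_VIEWHARDTOKENS = "/ra_functionality" + HARDTOKEN_RIGHTS;
    public static final String REGULAR_KEYRECOVERY = "/ra_functionality" + KEYRECOVERY_RIGHTS;

    public static final String HARDTOKEN_HARDTOKENFUNCTIONALITY = "/hardtoken_functionality";
    public static final String HARDTOKEN_EDITHARDTOKENISSUERS = "/hardtoken_functionality/edit_hardtoken_issuers";
    public static final String HARDTOKEN_EDITHARDTOKENPROFILES = "/hardtoken_functionality/edit_hardtoken_profiles";
    public static final String HARDTOKEN_ISSUEHARDTOKENS = "/hardtoken_functionality/issue_hardtokens";
    public static final String HARDTOKEN_ISSUEHARDTOKENADMINISTRATORS = "/hardtoken_functionality/issue_hardtoken_administrators";

    // Standard regular access rules. Each one is offered only when the
    // administrator is authorized to it himself. The table is immutable, so it
    // is shared by all instances instead of being rebuilt per instance.
    private static final String[] STANDARDREGULARACCESSRULES = {REGULAR_CAFUNCTIONALTY,
                                                                REGULAR_CABASICFUNCTIONS,
                                                                REGULAR_ACTIVATECA,
                                                                REGULAR_VIEWCERTIFICATE,
                                                                REGULAR_CREATECRL,
                                                                REGULAR_EDITCERTIFICATEPROFILES,
                                                                REGULAR_CREATECERTIFICATE,
                                                                REGULAR_STORECERTIFICATE,
                                                                REGULAR_APPROVECAACTION,
                                                                REGULAR_RAFUNCTIONALITY,
                                                                REGULAR_EDITENDENTITYPROFILES,
                                                                REGULAR_EDITUSERDATASOURCES,
                                                                REGULAR_VIEWENDENTITY,
                                                                REGULAR_CREATEENDENTITY,
                                                                REGULAR_EDITENDENTITY,
                                                                REGULAR_DELETEENDENTITY,
                                                                REGULAR_REVOKEENDENTITY,
                                                                REGULAR_VIEWENDENTITYHISTORY,
                                                                REGULAR_APPROVEENDENTITY,
                                                                REGULAR_LOGFUNCTIONALITY,
                                                                REGULAR_VIEWLOG,
                                                                REGULAR_LOGCONFIGURATION,
                                                                REGULAR_SYSTEMFUNCTIONALITY,
                                                                REGULAR_EDITADMINISTRATORPRIVILEDGES,
                                                                REGULAR_EDITSYSTEMCONFIGURATION};

    // Role access rules, in the order they are offered.
    public static final String[] ROLEACCESSRULES = {ROLE_PUBLICWEBUSER,
                                                    ROLE_ADMINISTRATOR,
                                                    ROLE_SUPERADMINISTRATOR};

    // Sub rules of REGULAR_VIEWLOG, one per log module.
    public static final String[] VIEWLOGACCESSRULES = {"/log_functionality/view_log/ca_entries",
                                                       "/log_functionality/view_log/ra_entries",
                                                       "/log_functionality/view_log/log_entries",
                                                       "/log_functionality/view_log/publicweb_entries",
                                                       "/log_functionality/view_log/adminweb_entries",
                                                       "/log_functionality/view_log/hardtoken_entries",
                                                       "/log_functionality/view_log/keyrecovery_entries",
                                                       "/log_functionality/view_log/authorization_entries",
                                                       "/log_functionality/view_log/approval_entries",
                                                       "/log_functionality/view_log/services_entries",
                                                       };

    // Hard token specific access rules used in the authorization module; only
    // offered when hard token issuing is enabled in the global configuration.
    public static final String[] HARDTOKENACCESSRULES = {HARDTOKEN_HARDTOKENFUNCTIONALITY,
                                                         HARDTOKEN_EDITHARDTOKENISSUERS,
                                                         HARDTOKEN_EDITHARDTOKENPROFILES,
                                                         HARDTOKEN_ISSUEHARDTOKENS,
                                                         HARDTOKEN_ISSUEHARDTOKENADMINISTRATORS};

    /**
     * Creates a new instance of AvailableAccessRules for the given administrator.
     *
     * The super administrator flag and the set of authorized CA ids are
     * computed here, once, for <code>admin</code>; they are reused by every
     * later call to {@link #getAvailableAccessRules(Admin)}.
     *
     * @param admin the administrator whose own privileges bound the result
     * @param authorizer used to check every candidate rule against admin
     * @param raadminsession used to load the global configuration and the end
     *        entity profile ids admin is authorized to
     * @param customaccessrules extra rule names from configuration; null, and
     *        blank or null entries, are ignored
     */
    public AvailableAccessRules(Admin admin, Authorizer authorizer, IRaAdminSessionLocal raadminsession, String[] customaccessrules) {
        this.raadminsession = raadminsession;
        this.authorizer = authorizer;
        // A null array used to surface as a NullPointerException when the rules
        // were built; treat it as "no custom rules" instead.
        this.customaccessrules = (customaccessrules == null) ? new String[0] : customaccessrules;

        // The global configuration decides which optional rule families exist.
        GlobalConfiguration globalconfiguration = raadminsession.loadGlobalConfiguration(admin);
        enableendentityprofilelimitations = globalconfiguration.getEnableEndEntityProfileLimitations();
        usehardtokenissuing = globalconfiguration.getIssueHardwareTokens();
        usekeyrecovery = globalconfiguration.getEnableKeyRecovery();

        // Is the administrator a super administrator?
        issuperadministrator = isAuthorized(admin, ROLE_SUPERADMINISTRATOR);

        // CAs the administrator is authorized to.
        authorizedcaids = new HashSet();
        authorizedcaids.addAll(authorizer.getAuthorizedCAIds(admin));
    }

    // Public methods

    /**
     * Returns all access rules and sub rules the administrator may hand out.
     *
     * The result is a fresh, mutable list of rule name Strings in this order:
     * role rules, regular rules, end entity profile rules (only when end
     * entity profile limitations are enabled), CA rules and finally the custom
     * rules. Only rules the administrator is authorized to are included.
     *
     * @param admin the administrator to check rules for. NOTE(review): the super
     *        administrator flag and the CA ids were computed in the constructor
     *        for the constructor's admin; passing a different admin here mixes
     *        the two, so callers are expected to pass the same one.
     * @return a new ArrayList of rule names, never null
     */
    public Collection getAvailableAccessRules(Admin admin) {
        ArrayList accessrules = new ArrayList();

        insertAvailableRoleAccessRules(accessrules);
        insertAvailableRegularAccessRules(admin, accessrules);
        if (enableendentityprofilelimitations) {
            insertAvailableEndEntityProfileAccessRules(admin, accessrules);
        }
        insertAvailableCAAccessRules(accessrules);
        insertCustomAccessRules(admin, accessrules);

        return accessrules;
    }

    // Private methods

    /**
     * Adds the role based access rules. The public web user and administrator
     * roles are always offered; the super administrator role only when the
     * administrator holds it himself.
     */
    private void insertAvailableRoleAccessRules(ArrayList accessrules) {
        accessrules.add(ROLE_PUBLICWEBUSER);
        accessrules.add(ROLE_ADMINISTRATOR);
        if (issuperadministrator) {
            accessrules.add(ROLE_SUPERADMINISTRATOR);
        }
    }

    /**
     * Adds all regular access rules the administrator is authorized to,
     * including the optional hard token and key recovery rules when those
     * features are enabled.
     */
    private void insertAvailableRegularAccessRules(Admin admin, ArrayList accessrules) {
        // Standard access rules and the view-log sub rules.
        for (int i = 0; i < STANDARDREGULARACCESSRULES.length; i++) {
            addAuthorizedAccessRule(admin, STANDARDREGULARACCESSRULES[i], accessrules);
        }
        for (int i = 0; i < VIEWLOGACCESSRULES.length; i++) {
            addAuthorizedAccessRule(admin, VIEWLOGACCESSRULES[i], accessrules);
        }

        if (usehardtokenissuing) {
            // The hard token functionality rules used to be offered to every
            // administrator without consulting the authorizer, unlike every
            // other regular rule. They now pass through the same check; a super
            // administrator keeps them unconditionally, so that role's result
            // is unchanged.
            for (int i = 0; i < HARDTOKENACCESSRULES.length; i++) {
                if (issuperadministrator) {
                    accessrules.add(HARDTOKENACCESSRULES[i]);
                } else {
                    addAuthorizedAccessRule(admin, HARDTOKENACCESSRULES[i], accessrules);
                }
            }
            addAuthorizedAccessRule(admin, REGULAR_VIEWHARDTOKENS, accessrules);
        }

        if (usekeyrecovery) {
            addAuthorizedAccessRule(admin, REGULAR_KEYRECOVERY, accessrules);
        }
    }

    /**
     * Adds all authorized access rules concerning end entity profiles: the
     * base rule plus, for every authorized profile except the empty one, the
     * profile rule and its per-profile rights.
     */
    private void insertAvailableEndEntityProfileAccessRules(Admin admin, ArrayList accessrules) {
        // The base rule is offered when authorized, and always to a super administrator.
        if (issuperadministrator || isAuthorized(admin, ENDENTITYPROFILEBASE)) {
            accessrules.add(ENDENTITYPROFILEBASE);
        }

        // Add all authorized end entity profiles.
        Iterator iter = raadminsession.getAuthorizedEndEntityProfileIds(admin).iterator();
        while (iter.hasNext()) {
            int profileid = ((Integer) iter.next()).intValue();

            // The empty profile is never offered, since only a super administrator
            // should have access to it.
            if (profileid == SecConst.EMPTY_ENDENTITYPROFILE) {
                continue;
            }

            // The profile id list is already filtered by the RA admin session,
            // but the rule itself is re-checked before it is offered.
            if (isAuthorized(admin, ENDENTITYPROFILEPREFIX + profileid)) {
                addEndEntityProfile(profileid, accessrules);
            }
        }
    }

    /**
     * Help method for insertAvailableEndEntityProfileAccessRules: adds the
     * profile rule itself and all of its per-profile rights.
     */
    private void addEndEntityProfile(int profileid, ArrayList accessrules) {
        String profilerule = ENDENTITYPROFILEPREFIX + profileid;
        accessrules.add(profilerule);
        for (int j = 0; j < ENDENTITYPROFILE_ENDINGS.length; j++) {
            accessrules.add(profilerule + ENDENTITYPROFILE_ENDINGS[j]);
        }
        // Optional rights, only present when the feature is enabled.
        if (usehardtokenissuing) {
            accessrules.add(profilerule + HARDTOKEN_RIGHTS);
        }
        if (usekeyrecovery) {
            accessrules.add(profilerule + KEYRECOVERY_RIGHTS);
        }
    }

    /**
     * Adds the CA access rules: the CA base rule for a super administrator and
     * one rule per CA the administrator is authorized to.
     */
    private void insertAvailableCAAccessRules(ArrayList accessrules) {
        if (issuperadministrator) {
            accessrules.add(CABASE);
        }
        Iterator iter = authorizedcaids.iterator();
        while (iter.hasNext()) {
            accessrules.add(CAPREFIX + ((Integer) iter.next()).intValue());
        }
    }

    /**
     * Adds the custom access rules from configuration. Null and blank entries
     * are skipped; the rest are trimmed and offered only when the administrator
     * is authorized to them.
     */
    private void insertCustomAccessRules(Admin admin, ArrayList accessrules) {
        for (int i = 0; i < customaccessrules.length; i++) {
            String rule = (customaccessrules[i] == null) ? "" : customaccessrules[i].trim();
            if (rule.length() > 0) {
                addAuthorizedAccessRule(admin, rule, accessrules);
            }
        }
    }

    /**
     * Checks whether the administrator himself is authorized to the access
     * rule, and if so adds it to the list.
     */
    private void addAuthorizedAccessRule(Admin admin, String accessrule, ArrayList accessrules) {
        if (isAuthorized(admin, accessrule)) {
            accessrules.add(accessrule);
        }
    }

    /**
     * Asks the authorizer whether admin holds accessrule, without logging.
     *
     * Authorizer.isAuthorizedNoLog both returns a boolean (the super
     * administrator check relies on that) and may throw
     * AuthorizationDeniedException. Both a false return and an exception are
     * treated as "not authorized", so a denial can never be turned into an
     * offered rule. The exception is the expected negative outcome and is
     * deliberately not propagated.
     */
    private boolean isAuthorized(Admin admin, String accessrule) {
        try {
            return authorizer.isAuthorizedNoLog(admin, accessrule);
        } catch (AuthorizationDeniedException ignored) {
            return false;
        }
    }

    // Private fields
    private final Authorizer authorizer;
    private final IRaAdminSessionLocal raadminsession;
    private final boolean issuperadministrator;
    private final boolean enableendentityprofilelimitations;
    private final boolean usehardtokenissuing;
    private final boolean usekeyrecovery;
    private final HashSet authorizedcaids;
    private final String[] customaccessrules;

}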