package org.ejbca.core.model.authorization;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;

import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal;
import org.ejbca.core.model.SecConst;
import org.ejbca.core.model.log.Admin;
import org.ejbca.core.model.ra.raadmin.GlobalConfiguration;

/**
 * Collects the access rule strings that are "available" for a given administrator.
 *
 * The result of {@link #getAvailableAccessRules(Admin)} is assembled from several
 * sources: the fixed role rules, the standard CA/RA/log/system rules, the
 * per-end-entity-profile rules, the per-CA rules and any configured custom rules.
 * Most rules are only included when {@link Authorizer#isAuthorizedNoLog} accepts
 * them for the administrator; the feature flags read from {@link GlobalConfiguration}
 * in the constructor (end entity profile limitations, hard token issuing, key
 * recovery) decide which optional rule groups are considered at all.
 */
public class AvailableAccessRules {

    public static final String VIEW_RIGHTS = "/view_end_entity";
    public static final String EDIT_RIGHTS = "/edit_end_entity";
    public static final String CREATE_RIGHTS = "/create_end_entity";
    public static final String DELETE_RIGHTS = "/delete_end_entity";
    public static final String REVOKE_RIGHTS = "/revoke_end_entity";
    public static final String HISTORY_RIGHTS = "/view_end_entity_history";
    public static final String APPROVAL_RIGHTS = "/approve_end_entity";

    public static final String HARDTOKEN_RIGHTS = "/view_hardtoken";

    public static final String KEYRECOVERY_RIGHTS = "/keyrecovery";

    /** Suffixes appended to every end entity profile rule, see {@link #addEndEntityProfile}. */
    public static final String[] ENDENTITYPROFILE_ENDINGS = {VIEW_RIGHTS, EDIT_RIGHTS, CREATE_RIGHTS, DELETE_RIGHTS, REVOKE_RIGHTS, HISTORY_RIGHTS, APPROVAL_RIGHTS};

    public static final String ENDENTITYPROFILEBASE = "/endentityprofilesrules";
    public static final String ENDENTITYPROFILEPREFIX = "/endentityprofilesrules/";

    public static final String CABASE = "/ca";
    public static final String CAPREFIX = "/ca/";

    public static final String ROLE_PUBLICWEBUSER = "/public_web_user";
    public static final String ROLE_ADMINISTRATOR = "/administrator";
    public static final String ROLE_SUPERADMINISTRATOR = "/super_administrator";

    public static final String REGULAR_CAFUNCTIONALTY = "/ca_functionality";
    public static final String REGULAR_CABASICFUNCTIONS = "/ca_functionality/basic_functions";
    public static final String REGULAR_ACTIVATECA = "/ca_functionality/basic_functions/activate_ca";
    public static final String REGULAR_VIEWCERTIFICATE = "/ca_functionality/view_certificate";
    public static final String REGULAR_APPROVECAACTION = "/ca_functionality/approve_caaction";
    public static final String REGULAR_CREATECRL = "/ca_functionality/create_crl";
    public static final String REGULAR_EDITCERTIFICATEPROFILES = "/ca_functionality/edit_certificate_profiles";
    public static final String REGULAR_CREATECERTIFICATE = "/ca_functionality/create_certificate";
    public static final String REGULAR_STORECERTIFICATE = "/ca_functionality/store_certificate";
    public static final String REGULAR_RAFUNCTIONALITY = "/ra_functionality";
    public static final String REGULAR_EDITENDENTITYPROFILES = "/ra_functionality/edit_end_entity_profiles";
    public static final String REGULAR_EDITUSERDATASOURCES = "/ra_functionality/edit_user_data_sources";
    public static final String REGULAR_VIEWENDENTITY = "/ra_functionality/view_end_entity";
    public static final String REGULAR_CREATEENDENTITY = "/ra_functionality/create_end_entity";
    public static final String REGULAR_EDITENDENTITY = "/ra_functionality/edit_end_entity";
    public static final String REGULAR_DELETEENDENTITY = "/ra_functionality/delete_end_entity";
    public static final String REGULAR_REVOKEENDENTITY = "/ra_functionality/revoke_end_entity";
    public static final String REGULAR_VIEWENDENTITYHISTORY = "/ra_functionality/view_end_entity_history";
    public static final String REGULAR_APPROVEENDENTITY = "/ra_functionality/approve_end_entity";
    public static final String REGULAR_LOGFUNCTIONALITY = "/log_functionality";
    public static final String REGULAR_VIEWLOG = "/log_functionality/view_log";
    public static final String REGULAR_LOGCONFIGURATION = "/log_functionality/edit_log_configuration";
    public static final String REGULAR_SYSTEMFUNCTIONALITY = "/system_functionality";
    public static final String REGULAR_EDITADMINISTRATORPRIVILEDGES = "/system_functionality/edit_administrator_privileges";
    public static final String REGULAR_EDITSYSTEMCONFIGURATION = "/system_functionality/edit_systemconfiguration";

    public static final String REGULAR_VIEWHARDTOKENS = "/ra_functionality" + HARDTOKEN_RIGHTS;
    public static final String REGULAR_KEYRECOVERY = "/ra_functionality" + KEYRECOVERY_RIGHTS;

    public static final String HARDTOKEN_HARDTOKENFUNCTIONALITY = "/hardtoken_functionality";
    public static final String HARDTOKEN_EDITHARDTOKENISSUERS = "/hardtoken_functionality/edit_hardtoken_issuers";
    public static final String HARDTOKEN_EDITHARDTOKENPROFILES = "/hardtoken_functionality/edit_hardtoken_profiles";
    public static final String HARDTOKEN_ISSUEHARDTOKENS = "/hardtoken_functionality/issue_hardtokens";
    public static final String HARDTOKEN_ISSUEHARDTOKENADMINISTRATORS = "/hardtoken_functionality/issue_hardtoken_administrators";

    /** Rules that are always candidates, each subject to an authorization check. */
    private final String[] STANDARDREGULARACCESSRULES = {
        REGULAR_CAFUNCTIONALTY,
        REGULAR_CABASICFUNCTIONS,
        REGULAR_ACTIVATECA,
        REGULAR_VIEWCERTIFICATE,
        REGULAR_CREATECRL,
        REGULAR_EDITCERTIFICATEPROFILES,
        REGULAR_CREATECERTIFICATE,
        REGULAR_STORECERTIFICATE,
        REGULAR_APPROVECAACTION,
        REGULAR_RAFUNCTIONALITY,
        REGULAR_EDITENDENTITYPROFILES,
        REGULAR_EDITUSERDATASOURCES,
        REGULAR_VIEWENDENTITY,
        REGULAR_CREATEENDENTITY,
        REGULAR_EDITENDENTITY,
        REGULAR_DELETEENDENTITY,
        REGULAR_REVOKEENDENTITY,
        REGULAR_VIEWENDENTITYHISTORY,
        REGULAR_APPROVEENDENTITY,
        REGULAR_LOGFUNCTIONALITY,
        REGULAR_VIEWLOG,
        REGULAR_LOGCONFIGURATION,
        REGULAR_SYSTEMFUNCTIONALITY,
        REGULAR_EDITADMINISTRATORPRIVILEDGES,
        REGULAR_EDITSYSTEMCONFIGURATION};

    public static final String[] ROLEACCESSRULES = {
        ROLE_PUBLICWEBUSER,
        ROLE_ADMINISTRATOR,
        ROLE_SUPERADMINISTRATOR};

    public static final String[] VIEWLOGACCESSRULES = {
        "/log_functionality/view_log/ca_entries",
        "/log_functionality/view_log/ra_entries",
        "/log_functionality/view_log/log_entries",
        "/log_functionality/view_log/publicweb_entries",
        "/log_functionality/view_log/adminweb_entries",
        "/log_functionality/view_log/hardtoken_entries",
        "/log_functionality/view_log/keyrecovery_entries",
        "/log_functionality/view_log/authorization_entries",
        "/log_functionality/view_log/approval_entries",
        "/log_functionality/view_log/services_entries",
    };

    public static final String[] HARDTOKENACCESSRULES = {
        HARDTOKEN_HARDTOKENFUNCTIONALITY,
        HARDTOKEN_EDITHARDTOKENISSUERS,
        HARDTOKEN_EDITHARDTOKENPROFILES,
        HARDTOKEN_ISSUEHARDTOKENS,
        HARDTOKEN_ISSUEHARDTOKENADMINISTRATORS};

    /** Performs the per-rule authorization checks. */
    private Authorizer authorizer;
    /** Source of the global configuration and of the authorized end entity profile ids. */
    private IRaAdminSessionLocal raadminsession;
    /** True when the constructor's "/super_administrator" check passed for the admin. */
    private boolean issuperadministrator;
    /** Feature flags copied from GlobalConfiguration in the constructor. */
    private boolean enableendentityprofilelimitations;
    private boolean usehardtokenissuing;
    private boolean usekeyrecovery;
    /** CA ids the admin is authorized to, as reported by the authorizer. */
    private HashSet authorizedcaids;
    /** Extra rule strings supplied by the caller; blank entries are ignored. */
    private String[] customaccessrules;

    /**
     * Reads the global configuration flags, determines whether the administrator
     * is a super administrator and caches the CA ids the administrator is
     * authorized to.
     *
     * @param admin the administrator the rules are collected for
     * @param authorizer used for every authorization check
     * @param raadminsession used to load the global configuration and profile ids
     * @param customaccessrules additional rule strings; blank entries are skipped
     */
    public AvailableAccessRules(Admin admin, Authorizer authorizer, IRaAdminSessionLocal raadminsession, String[] customaccessrules) {
        this.authorizer = authorizer;
        this.raadminsession = raadminsession;
        this.customaccessrules = customaccessrules;

        GlobalConfiguration config = raadminsession.loadGlobalConfiguration(admin);
        this.enableendentityprofilelimitations = config.getEnableEndEntityProfileLimitations();
        this.usehardtokenissuing = config.getIssueHardwareTokens();
        this.usekeyrecovery = config.getEnableKeyRecovery();

        // Here the boolean result of the check is used; a denial is mapped to false.
        boolean superadmin;
        try {
            superadmin = authorizer.isAuthorizedNoLog(admin, ROLE_SUPERADMINISTRATOR);
        } catch (AuthorizationDeniedException e) {
            superadmin = false;
        }
        this.issuperadministrator = superadmin;

        this.authorizedcaids = new HashSet(authorizer.getAuthorizedCAIds(admin));
    }

    /**
     * Builds the list of available access rules for the administrator.
     *
     * @param admin the administrator the rules are collected for
     * @return a new list of rule strings, in insertion order: role rules, regular
     *         rules, end entity profile rules (only when profile limitations are
     *         enabled), CA rules, custom rules
     */
    public Collection getAvailableAccessRules(Admin admin) {
        ArrayList result = new ArrayList();
        insertAvailableRoleAccessRules(result);
        insertAvailableRegularAccessRules(admin, result);
        if (enableendentityprofilelimitations) {
            insertAvailableEndEntityProfileAccessRules(admin, result);
        }
        insertAvailableCAAccessRules(result);
        insertCustomAccessRules(admin, result);
        return result;
    }

    /**
     * Adds the public web user and administrator role rules unconditionally and
     * the super administrator role rule only for a super administrator.
     */
    private void insertAvailableRoleAccessRules(ArrayList accessrules) {
        accessrules.add(ROLE_PUBLICWEBUSER);
        accessrules.add(ROLE_ADMINISTRATOR);
        if (issuperadministrator) {
            accessrules.add(ROLE_SUPERADMINISTRATOR);
        }
    }

    /**
     * Adds the standard and view-log rules the administrator is authorized to,
     * plus the hard token and key recovery rules when those features are enabled.
     */
    private void insertAvailableRegularAccessRules(Admin admin, ArrayList accessrules) {
        addAllAuthorized(admin, STANDARDREGULARACCESSRULES, accessrules);
        addAllAuthorized(admin, VIEWLOGACCESSRULES, accessrules);

        if (usehardtokenissuing) {
            // NOTE(review): unlike every other rule group in this method, the
            // HARDTOKENACCESSRULES entries are added without an isAuthorizedNoLog
            // check, so they are offered regardless of the admin's own rights.
            // Confirm this is intended; otherwise use addAllAuthorized here too.
            for (int idx = 0; idx < HARDTOKENACCESSRULES.length; idx++) {
                accessrules.add(HARDTOKENACCESSRULES[idx]);
            }
            addAuthorizedAccessRule(admin, REGULAR_VIEWHARDTOKENS, accessrules);
        }

        if (usekeyrecovery) {
            addAuthorizedAccessRule(admin, REGULAR_KEYRECOVERY, accessrules);
        }
    }

    /**
     * Adds the end entity profile base rule (when authorized, or for a super
     * administrator) and the rule set of every authorized end entity profile,
     * except the empty profile.
     */
    private void insertAvailableEndEntityProfileAccessRules(Admin admin, ArrayList accessrules) {
        // The check is always attempted first; a super administrator gets the
        // base rule even when the check is denied.
        if (passesCheck(admin, ENDENTITYPROFILEBASE) || issuperadministrator) {
            accessrules.add(ENDENTITYPROFILEBASE);
        }

        Collection profileids = raadminsession.getAuthorizedEndEntityProfileIds(admin);
        for (Iterator it = profileids.iterator(); it.hasNext();) {
            int profileid = ((Integer) it.next()).intValue();
            if (profileid == SecConst.EMPTY_ENDENTITYPROFILE) {
                continue;
            }
            if (passesCheck(admin, ENDENTITYPROFILEPREFIX + profileid)) {
                addEndEntityProfile(profileid, accessrules);
            }
        }
    }

    /**
     * Adds the profile rule itself, one rule per ENDENTITYPROFILE_ENDINGS suffix,
     * and the hard token / key recovery suffix rules when those features are enabled.
     */
    private void addEndEntityProfile(int profileid, ArrayList accessrules) {
        String base = ENDENTITYPROFILEPREFIX + profileid;
        accessrules.add(base);
        for (int idx = 0; idx < ENDENTITYPROFILE_ENDINGS.length; idx++) {
            accessrules.add(base + ENDENTITYPROFILE_ENDINGS[idx]);
        }
        if (usehardtokenissuing) {
            accessrules.add(base + HARDTOKEN_RIGHTS);
        }
        if (usekeyrecovery) {
            accessrules.add(base + KEYRECOVERY_RIGHTS);
        }
    }

    /**
     * Adds the CA base rule for a super administrator and one CAPREFIX rule per
     * authorized CA id.
     */
    private void insertAvailableCAAccessRules(ArrayList accessrules) {
        if (issuperadministrator) {
            accessrules.add(CABASE);
        }
        for (Iterator it = authorizedcaids.iterator(); it.hasNext();) {
            int caid = ((Integer) it.next()).intValue();
            accessrules.add(CAPREFIX + caid);
        }
    }

    /**
     * Adds each non-blank custom rule (trimmed) that the administrator is authorized to.
     */
    private void insertCustomAccessRules(Admin admin, ArrayList accessrules) {
        for (int idx = 0; idx < customaccessrules.length; idx++) {
            String rule = customaccessrules[idx].trim();
            if (rule.length() > 0) {
                addAuthorizedAccessRule(admin, rule, accessrules);
            }
        }
    }

    /** Runs {@link #addAuthorizedAccessRule} for every entry of {@code rules}, in order. */
    private void addAllAuthorized(Admin admin, String[] rules, ArrayList accessrules) {
        for (int idx = 0; idx < rules.length; idx++) {
            addAuthorizedAccessRule(admin, rules[idx], accessrules);
        }
    }

    /**
     * Adds {@code accessrule} only when the authorization check does not throw.
     */
    private void addAuthorizedAccessRule(Admin admin, String accessrule, ArrayList accessrules) {
        if (passesCheck(admin, accessrule)) {
            accessrules.add(accessrule);
        }
    }

    /**
     * Returns false when {@link Authorizer#isAuthorizedNoLog} throws
     * {@link AuthorizationDeniedException}, true otherwise. The method's boolean
     * return value is deliberately not consulted here, matching how the rule
     * insertion methods treat a denial: only the exception counts.
     */
    private boolean passesCheck(Admin admin, String accessrule) {
        try {
            authorizer.isAuthorizedNoLog(admin, accessrule);
            return true;
        } catch (AuthorizationDeniedException e) {
            return false;
        }
    }
}