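package org.ejbca.ui.web.admin.configuration;

import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;

import org.ejbca.core.ejb.authorization.IAuthorizationSessionLocal;
import org.ejbca.core.model.authorization.AccessRule;
import org.ejbca.core.model.authorization.AdminGroup;
import org.ejbca.core.model.authorization.AdminGroupExistsException;
import org.ejbca.core.model.authorization.AuthenticationFailedException;
import org.ejbca.core.model.authorization.AuthorizationDeniedException;
import org.ejbca.core.model.authorization.AvailableAccessRules;
import org.ejbca.core.model.log.Admin;

/**
 * Web-tier facade in front of the authorization session bean.
 *
 * Every mutating operation performs the administrator's own authorization
 * checks here before delegating to the session bean, and then notifies the
 * shared {@link InformationMemory} that privileges changed. The security
 * invariants this class is responsible for are:
 * <ul>
 *   <li>the administrator holds the edit-administrator-privileges rule and
 *       the rule for the CA the admin group belongs to;</li>
 *   <li>the admin group being edited is one the administrator is authorized
 *       to see ({@link #getAdminGroupNames()});</li>
 *   <li>access rules written to a group (add or replace) are limited to the
 *       rules the administrator is himself authorized for, so the UI cannot
 *       be used to grant privileges the caller does not hold.</li>
 * </ul>
 * Whether the session bean enforces the same invariants is not visible from
 * this class, so the checks are made unconditionally here.
 *
 * The list of authorized admin groups is cached per handler instance and is
 * only invalidated by group add/remove/rename through this handler; changes
 * made by other sessions are not reflected until one of those calls happens.
 */
public class AuthorizationDataHandler implements java.io.Serializable {

    /** Access rule required for any change to administrator privileges. */
    private static final String EDIT_ADMIN_PRIVILEGES_RULE =
        "/system_functionality/edit_administrator_privileges";

    /**
     * @param administrator the administrator on whose behalf all checks and changes are made
     * @param informationmemory shared cache that is told when privileges change
     * @param authorizationsession the session bean that performs the actual authorization work
     */
    public AuthorizationDataHandler(Admin administrator, InformationMemory informationmemory, IAuthorizationSessionLocal authorizationsession) {
        this.authorizationsession = authorizationsession;
        this.administrator = administrator;
        this.informationmemory = informationmemory;
    }

    /**
     * Checks whether <code>admin</code> is authorized to <code>resource</code>, logging the check.
     * Delegates straight to the session bean; the result is whatever it returns.
     *
     * @throws AuthorizationDeniedException if the session bean signals denial by throwing
     */
    public boolean isAuthorized(Admin admin, String resource) throws AuthorizationDeniedException {
        return authorizationsession.isAuthorized(admin, resource);
    }

    /**
     * Same as {@link #isAuthorized(Admin, String)} but without writing a log entry.
     *
     * @throws AuthorizationDeniedException if the session bean signals denial by throwing
     */
    public boolean isAuthorizedNoLog(Admin admin, String resource) throws AuthorizationDeniedException {
        return authorizationsession.isAuthorizedNoLog(admin, resource);
    }

    /**
     * Authenticates the given client certificate via the session bean.
     *
     * @throws AuthenticationFailedException if the session bean rejects the certificate
     */
    public void authenticate(X509Certificate certificate) throws AuthenticationFailedException {
        authorizationsession.authenticate(certificate);
    }

    /**
     * Creates a new admin group for the given CA.
     * Requires the edit-privileges rule and the rule for <code>caid</code>.
     *
     * @throws AdminGroupExistsException if a group with that name already exists for the CA
     * @throws AuthorizationDeniedException if the administrator lacks either rule
     */
    public void addAdminGroup(String name, int caid) throws AdminGroupExistsException, AuthorizationDeniedException {
        // The session bean is relied on to throw on denial; checking the
        // boolean as well keeps this fail-closed if an implementation
        // signals denial by returning false instead.
        if (!authorizationsession.isAuthorized(administrator, EDIT_ADMIN_PRIVILEGES_RULE)) {
            throw new AuthorizationDeniedException("Not authorized to edit administrator privileges.");
        }
        if (!authorizationsession.isAuthorized(administrator, AvailableAccessRules.CAPREFIX + caid)) {
            throw new AuthorizationDeniedException("Not authorized to CA with id " + caid + ".");
        }
        authorizationsession.addAdminGroup(administrator, name, caid);
        informationmemory.administrativePriviledgesEdited();
        this.authorizedadmingroups = null;
    }

    /**
     * Removes an admin group the administrator is authorized to edit.
     *
     * @throws AuthorizationDeniedException if the administrator may not edit this group
     */
    public void removeAdminGroup(String name, int caid) throws AuthorizationDeniedException {
        authorizedToEditAdministratorPrivileges(name, caid);
        authorizationsession.removeAdminGroup(administrator, name, caid);
        informationmemory.administrativePriviledgesEdited();
        this.authorizedadmingroups = null;
    }

    /**
     * Renames an admin group the administrator is authorized to edit.
     *
     * @throws AdminGroupExistsException if <code>newname</code> is already taken for the CA
     * @throws AuthorizationDeniedException if the administrator may not edit this group
     */
    public void renameAdminGroup(String oldname, String newname, int caid) throws AdminGroupExistsException, AuthorizationDeniedException {
        authorizedToEditAdministratorPrivileges(oldname, caid);
        authorizationsession.renameAdminGroup(administrator, oldname, caid, newname);
        informationmemory.administrativePriviledgesEdited();
        this.authorizedadmingroups = null;
    }

    /**
     * Returns the admin groups the administrator is authorized to, as fetched
     * from the session bean and cached on this handler.
     *
     * Despite the name, the elements are <code>AdminGroup</code> objects (the
     * authorization check below casts them), not plain names. The returned
     * collection is the cache itself; callers must not modify it.
     */
    public Collection getAdminGroupNames() {
        if (this.authorizedadmingroups == null) {
            this.authorizedadmingroups = authorizationsession.getAuthorizedAdminGroupNames(administrator);
        }
        return this.authorizedadmingroups;
    }

    /**
     * Fetches a single admin group after verifying the administrator may edit it.
     *
     * @throws AuthorizationDeniedException if the administrator may not edit this group
     */
    public AdminGroup getAdminGroup(String admingroupname, int caid) throws AuthorizationDeniedException {
        authorizedToEditAdministratorPrivileges(admingroupname, caid);
        return authorizationsession.getAdminGroup(administrator, admingroupname, caid);
    }

    /**
     * Adds access rules to a group. Every rule must be one the administrator
     * is himself authorized for, so the caller cannot delegate privileges
     * it does not hold.
     *
     * @param accessrules collection of <code>AccessRule</code>
     * @throws AuthorizationDeniedException on a group or rule the administrator may not grant
     */
    public void addAccessRules(String admingroupname, int caid, Collection accessrules) throws AuthorizationDeniedException {
        authorizedToEditAdministratorPrivileges(admingroupname, caid);
        authorizedToAddAccessRules(accessrules);
        authorizationsession.addAccessRules(administrator, admingroupname, caid, accessrules);
        informationmemory.administrativePriviledgesEdited();
    }

    /**
     * Removes access rules from a group the administrator may edit. Removing
     * rules can only reduce privileges, so the per-rule check is not applied.
     *
     * @throws AuthorizationDeniedException if the administrator may not edit this group
     */
    public void removeAccessRules(String admingroupname, int caid, Collection accessrules) throws AuthorizationDeniedException {
        authorizedToEditAdministratorPrivileges(admingroupname, caid);
        authorizationsession.removeAccessRules(administrator, admingroupname, caid, accessrules);
        informationmemory.administrativePriviledgesEdited();
    }

    /**
     * Replaces a group's access rules with the given set. This writes rules
     * exactly like {@link #addAccessRules}, so the same per-rule check is
     * applied: the replacement set must be within the administrator's own
     * authorized rules, otherwise replace would be a way around the check
     * that add enforces.
     *
     * @param accessrules collection of <code>AccessRule</code>
     * @throws AuthorizationDeniedException on a group or rule the administrator may not grant
     */
    public void replaceAccessRules(String admingroupname, int caid, Collection accessrules) throws AuthorizationDeniedException {
        authorizedToEditAdministratorPrivileges(admingroupname, caid);
        authorizedToAddAccessRules(accessrules);
        authorizationsession.replaceAccessRules(administrator, admingroupname, caid, accessrules);
        informationmemory.administrativePriviledgesEdited();
    }

    /**
     * Returns the access rules the administrator is authorized for, as held
     * by the shared information memory. This is the set that
     * {@link #authorizedToAddAccessRules} checks against.
     */
    public Collection getAvailableAccessRules() {
        return this.informationmemory.getAuthorizedAccessRules();
    }

    /**
     * Adds admin entities (members) to a group the administrator may edit.
     *
     * @throws AuthorizationDeniedException if the administrator may not edit this group
     */
    public void addAdminEntities(String admingroupname, int caid, Collection adminentities) throws AuthorizationDeniedException {
        authorizedToEditAdministratorPrivileges(admingroupname, caid);
        authorizationsession.addAdminEntities(administrator, admingroupname, caid, adminentities);
        informationmemory.administrativePriviledgesEdited();
    }

    /**
     * Removes admin entities (members) from a group the administrator may edit.
     *
     * @throws AuthorizationDeniedException if the administrator may not edit this group
     */
    public void removeAdminEntities(String admingroupname, int caid, Collection adminentities) throws AuthorizationDeniedException {
        authorizedToEditAdministratorPrivileges(admingroupname, caid);
        authorizationsession.removeAdminEntities(administrator, admingroupname, caid, adminentities);
        informationmemory.administrativePriviledgesEdited();
    }

    /**
     * Common gate for every edit of an existing group: the administrator must
     * hold the edit-privileges rule, the rule for the group's CA, and the
     * group must be among the groups the administrator is authorized to see.
     *
     * @throws AuthorizationDeniedException if any of the three conditions fails
     */
    private void authorizedToEditAdministratorPrivileges(String admingroup, int caid) throws AuthorizationDeniedException {
        // As in addAdminGroup: the bean is expected to throw on denial, but a
        // false return is treated as denial too rather than being ignored.
        if (!authorizationsession.isAuthorizedNoLog(administrator, EDIT_ADMIN_PRIVILEGES_RULE)) {
            throw new AuthorizationDeniedException("Not authorized to edit administrator privileges.");
        }
        if (!authorizationsession.isAuthorizedNoLog(administrator, AvailableAccessRules.CAPREFIX + caid)) {
            throw new AuthorizationDeniedException("Not authorized to CA with id " + caid + ".");
        }

        // Group must be in the (cached) set of groups this administrator may see.
        boolean exists = false;
        Iterator iter = getAdminGroupNames().iterator();
        while (iter.hasNext()) {
            AdminGroup next = (AdminGroup) iter.next();
            if (next.getAdminGroupName().equals(admingroup) && next.getCAId() == caid) {
                exists = true;
                break;
            }
        }

        if (!exists) {
            throw new AuthorizationDeniedException("Admingroup not among authorized admingroups.");
        }
    }

    /**
     * Rejects any rule that is not in the administrator's own authorized rule
     * set; otherwise an administrator could grant groups privileges he does
     * not hold himself. An empty collection passes.
     *
     * @param accessrules collection of <code>AccessRule</code>
     * @throws AuthorizationDeniedException if any rule is outside the authorized set
     */
    private void authorizedToAddAccessRules(Collection accessrules) throws AuthorizationDeniedException {
        Collection authorized = this.informationmemory.getAuthorizedAccessRules();
        Iterator iter = accessrules.iterator();
        while (iter.hasNext()) {
            String rule = ((AccessRule) iter.next()).getAccessRule();
            if (!authorized.contains(rule)) {
                throw new AuthorizationDeniedException("Accessruleset contained non authorized access rules");
            }
        }
    }

    private IAuthorizationSessionLocal authorizationsession;
    private Admin administrator;
    // Cache of authorized AdminGroup objects; null means "not fetched yet".
    private Collection authorizedadmingroups;
    private InformationMemory informationmemory;
}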