001: /*************************************************************************
002: * *
003: * EJBCA: The OpenSource Certificate Authority *
004: * *
005: * This software is free software; you can redistribute it and/or *
006: * modify it under the terms of the GNU Lesser General Public *
007: * License as published by the Free Software Foundation; either *
008: * version 2.1 of the License, or any later version. *
009: * *
010: * See terms of license at gnu.org. *
011: * *
012: *************************************************************************/package org.ejbca.core.model.authorization;
013:
014: import java.security.cert.X509Certificate;
015: import java.util.ArrayList;
016: import java.util.Collection;
017: import java.util.Iterator;
018:
019: import org.apache.log4j.Logger;
020: import org.ejbca.core.ejb.authorization.AdminGroupDataLocalHome;
021: import org.ejbca.core.ejb.ca.caadmin.ICAAdminSessionLocal;
022: import org.ejbca.core.ejb.ca.store.ICertificateStoreSessionLocal;
023: import org.ejbca.core.ejb.log.ILogSessionLocal;
024: import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal;
025: import org.ejbca.core.model.ca.crl.RevokedCertInfo;
026: import org.ejbca.core.model.log.Admin;
027: import org.ejbca.core.model.log.LogConstants;
028: import org.ejbca.util.CertTools;
029:
030: /**
031: * A java bean handling the athorization to ejbca.
032: *
033: * The main metod are isAthorized and authenticate.
034: *
035: * @version $Id: Authorizer.java,v 1.4 2008/01/14 17:38:38 anatom Exp $
036: */
037: public class Authorizer extends Object implements java.io.Serializable {
038:
039: private static final Logger log = Logger
040: .getLogger(Authorizer.class);
041:
042: /** Creates new EjbcaAthorization */
043: public Authorizer(Collection admingroups,
044: AdminGroupDataLocalHome admingrouphome,
045: ILogSessionLocal logsession,
046: ICertificateStoreSessionLocal certificatestoresession,
047: IRaAdminSessionLocal raadminsession,
048: ICAAdminSessionLocal caadminsession, Admin admin, int module) {
049: accesstree = new AccessTree();
050: authorizationproxy = new AuthorizationProxy(admingrouphome,
051: accesstree);
052: buildAccessTree(admingroups);
053: this .logsession = logsession;
054: this .module = module;
055: this .certificatesession = certificatestoresession;
056: this .raadminsession = raadminsession;
057: this .caadminsession = caadminsession;
058: }
059:
060: // Public methods.
061:
062: /**
063: * Method to check if a user is authorized to a resource
064: *
065: * @param admininformation information about the user to be authorized.
066: * @param resource the resource to look up.
067: * @return true if authorizes
068: * @throws AuthorizationDeniedException when authorization is denied.
069: */
070: public boolean isAuthorized(Admin admin, String resource)
071: throws AuthorizationDeniedException {
072:
073: if (admin == null)
074: throw new AuthorizationDeniedException(
075: "Administrator not authorized to resource : "
076: + resource);
077:
078: AdminInformation admininformation = admin.getAdminInformation();
079:
080: if (!authorizationproxy
081: .isAuthorized(admininformation, resource)
082: && !authorizationproxy.isAuthorized(admininformation,
083: "/super_administrator")) {
084: try {
085: if (!admininformation.isSpecialUser()) {
086: logsession
087: .log(
088: admin,
089: admininformation
090: .getX509Certificate(),
091: module,
092: new java.util.Date(),
093: null,
094: null,
095: LogConstants.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,
096: "Resource : " + resource);
097: } else {
098: logsession
099: .log(
100: admin,
101: LogConstants.INTERNALCAID,
102: module,
103: new java.util.Date(),
104: null,
105: null,
106: LogConstants.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,
107: "Resource : " + resource);
108: }
109: } catch (Throwable e) {
110: log.info(
111: "Missed to log 'Admin not authorized to resource', admin="
112: + admin.toString() + ", resource="
113: + resource, e);
114: }
115: throw new AuthorizationDeniedException(
116: "Administrator not authorized to resource : "
117: + resource);
118: }
119: try {
120: if (!admininformation.isSpecialUser()) {
121: logsession.log(admin, admininformation
122: .getX509Certificate(), module,
123: new java.util.Date(), null, null,
124: LogConstants.EVENT_INFO_AUTHORIZEDTORESOURCE,
125: "Resource : " + resource);
126: } else {
127: logsession.log(admin, LogConstants.INTERNALCAID,
128: module, new java.util.Date(), null, null,
129: LogConstants.EVENT_INFO_AUTHORIZEDTORESOURCE,
130: "Resource : " + resource);
131: }
132: } catch (Throwable e) {
133: log.info(
134: "Missed to log 'Admin authorized to resource', admin="
135: + admin.toString() + ", resource="
136: + resource, e);
137: }
138:
139: return true;
140: }
141:
142: /**
143: * Method to check if a user is authorized to a resource without performing any logging
144: *
145: * @param AdminInformation information about the user to be authorized.
146: * @param resource the resource to look up.
147: * @return true if authorizes
148: * @throws AuthorizationDeniedException when authorization is denied.
149: */
150: public boolean isAuthorizedNoLog(Admin admin, String resource)
151: throws AuthorizationDeniedException {
152: if (admin == null)
153: throw new AuthorizationDeniedException(
154: "Administrator not authorized to resource : "
155: + resource);
156:
157: // Check in accesstree.
158: if (!authorizationproxy.isAuthorized(admin
159: .getAdminInformation(), resource)
160: && !authorizationproxy.isAuthorized(admin
161: .getAdminInformation(), "/super_administrator")) {
162: throw new AuthorizationDeniedException(
163: "Administrator not authorized to resource : "
164: + resource);
165: }
166: return true;
167: }
168:
169: /**
170: * Method to check if a group is authorized to a resource
171: *
172: * @param admininformation information about the user to be authorized.
173: * @param resource the resource to look up.
174: * @return true if authorizes
175: * @throws AuthorizationDeniedException when authorization is denied.
176: */
177: public boolean isGroupAuthorized(Admin admin, int pk,
178: String resource) throws AuthorizationDeniedException {
179: if (admin == null)
180: throw new AuthorizationDeniedException(
181: "Administrator group not authorized to resource : "
182: + resource);
183:
184: AdminInformation admininformation = admin.getAdminInformation();
185:
186: if (!authorizationproxy.isGroupAuthorized(admininformation, pk,
187: resource)) {
188: try {
189: if (!admininformation.isSpecialUser()) {
190: logsession
191: .log(
192: admin,
193: admininformation
194: .getX509Certificate(),
195: module,
196: new java.util.Date(),
197: null,
198: null,
199: LogConstants.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,
200: "Adminstrator group not authorized to resource : "
201: + resource);
202: } else {
203: logsession
204: .log(
205: admin,
206: LogConstants.INTERNALCAID,
207: module,
208: new java.util.Date(),
209: null,
210: null,
211: LogConstants.EVENT_ERROR_NOTAUTHORIZEDTORESOURCE,
212: "Adminstrator group not authorized to resource : "
213: + resource);
214: }
215: } catch (Throwable e) {
216: log.info(
217: "Missed to log 'Admin group not authorized to resource', admin="
218: + admin.toString() + ", resource="
219: + resource, e);
220: }
221: throw new AuthorizationDeniedException(
222: "Administrator group not authorized to resource : "
223: + resource);
224: }
225: try {
226: if (!admininformation.isSpecialUser()) {
227: logsession.log(admin, admininformation
228: .getX509Certificate(), module,
229: new java.util.Date(), null, null,
230: LogConstants.EVENT_INFO_AUTHORIZEDTORESOURCE,
231: "Adminstrator group not authorized to resource : "
232: + resource);
233: } else {
234: logsession.log(admin, LogConstants.INTERNALCAID,
235: module, new java.util.Date(), null, null,
236: LogConstants.EVENT_INFO_AUTHORIZEDTORESOURCE,
237: "Adminstrator group not authorized to resource : "
238: + resource);
239: }
240: } catch (Throwable e) {
241: log.info(
242: "Missed to log 'Admin group authorized to resource', admin="
243: + admin.toString() + ", resource="
244: + resource, e);
245: }
246: return true;
247: }
248:
249: /**
250: * Method to check if a group is authorized to a resource without performing any logging
251: *
252: * @param AdminInformation information about the user to be authorized.
253: * @param resource the resource to look up.
254: * @return true if authorizes
255: * @throws AuthorizationDeniedException when authorization is denied.
256: */
257: public boolean isGroupAuthorizedNoLog(Admin admin, int pk,
258: String resource) throws AuthorizationDeniedException {
259: if (admin == null)
260: throw new AuthorizationDeniedException(
261: "Administrator group not authorized to resource : "
262: + resource);
263:
264: // Check in accesstree.
265: if (!authorizationproxy.isGroupAuthorized(admin
266: .getAdminInformation(), pk, resource)) {
267: throw new AuthorizationDeniedException(
268: "Administrator group not authorized to resource : "
269: + resource);
270: }
271: return true;
272: }
273:
274: /**
275: * Method that authenticates a certificate by verifying signature, checking validity and lookup if certificate is revoked.
276: *
277: * @param certificate the certificate to be authenticated.
278: * @throws AuthenticationFailedException if authentication failed.
279: */
280: public void authenticate(X509Certificate certificate)
281: throws AuthenticationFailedException {
282:
283: // Check Validity
284: try {
285: certificate.checkValidity();
286: } catch (Exception e) {
287: throw new AuthenticationFailedException(
288: "Your certificates vality has expired.");
289: }
290:
291: // TODO
292: /* // Vertify Signature
293: boolean verified = false;
294: for(int i=0; i < this.cacertificatechain.length; i++){
295: try{
296: // log.debug("Authorizer: authenticate : Comparing : " + CertTools.getIssuerDN(certificate) + " With " + CertTools.getSubjectDN((X509Certificate) cacertificatechain[i]));
297: // if(LDAPDN.equals(CertTools.getIssuerDN(certificate), CertTools.getSubjectDN((X509Certificate) cacertificatechain[i]))){
298: certificate.verify(cacertificatechain[i].getPublicKey());
299: verified = true;
300: // }
301: }catch(Exception e){}
302: }
303: if(!verified)
304: throw new AuthenticationFailedException("Your certificate cannot be verified by CA certificate chain.");
305: */
306: // Check if certificate is revoked.
307: RevokedCertInfo revinfo = certificatesession.isRevoked(
308: new Admin(certificate), CertTools
309: .getIssuerDN(certificate), certificate
310: .getSerialNumber());
311: if (revinfo == null) {
312: // Certificate missing
313: throw new AuthenticationFailedException(
314: "Your certificate cannot be found in database.");
315: } else if (revinfo.getReason() != RevokedCertInfo.NOT_REVOKED) {
316: // Certificate revoked
317: throw new AuthenticationFailedException(
318: "Your certificate have been revoked.");
319: }
320: }
321:
322: /**
323: * Method used to return an ArrayList of Integers indicating which CAids a administrator
324: * is authorized to access.
325: */
326:
327: public Collection getAuthorizedCAIds(Admin admin) {
328: ArrayList returnval = new ArrayList();
329: Iterator iter = caadminsession.getAvailableCAs(admin)
330: .iterator();
331:
332: while (iter.hasNext()) {
333: Integer caid = (Integer) iter.next();
334: try {
335: isAuthorizedNoLog(admin, AvailableAccessRules.CAPREFIX
336: + caid.toString());
337: returnval.add(caid);
338: } catch (AuthorizationDeniedException e) {
339: }
340: }
341: return returnval;
342: }
343:
344: /**
345: * Method used to return an Collection of Integers indicating which end entity profiles
346: * the administrator is authorized to view.
347: *
348: * @param admin, the administrator
349: * @rapriviledge should be one of the end entity profile authorization constans defined in AvailableAccessRules.
350: */
351:
352: public Collection getAuthorizedEndEntityProfileIds(Admin admin,
353: String rapriviledge) {
354: ArrayList returnval = new ArrayList();
355: Iterator iter = raadminsession.getEndEntityProfileIdToNameMap(
356: admin).keySet().iterator();
357:
358: while (iter.hasNext()) {
359: Integer profileid = (Integer) iter.next();
360: try {
361: isAuthorizedNoLog(admin,
362: AvailableAccessRules.ENDENTITYPROFILEPREFIX
363: + profileid + rapriviledge);
364: returnval.add(profileid);
365: } catch (AuthorizationDeniedException e) {
366: }
367:
368: }
369:
370: return returnval;
371: }
372:
373: /** Metod to load the access data from database. */
374: public void buildAccessTree(Collection admingroups) {
375: accesstree.buildTree(admingroups);
376: authorizationproxy.clear();
377: }
378:
379: // Private metods
380:
381: // Private fields.
382: private AccessTree accesstree;
383: private int module;
384:
385: private ICertificateStoreSessionLocal certificatesession;
386: private ILogSessionLocal logsession;
387: private IRaAdminSessionLocal raadminsession;
388: private ICAAdminSessionLocal caadminsession;
389: private AuthorizationProxy authorizationproxy;
390: }
|