001: /*************************************************************************
002: * *
003: * EJBCA: The OpenSource Certificate Authority *
004: * *
005: * This software is free software; you can redistribute it and/or *
006: * modify it under the terms of the GNU Lesser General Public *
007: * License as published by the Free Software Foundation; either *
008: * version 2.1 of the License, or any later version. *
009: * *
010: * See terms of license at gnu.org. *
011: * *
012: *************************************************************************/package org.ejbca.core.model.authorization;
013:
014: import java.util.ArrayList;
015: import java.util.Collection;
016: import java.util.HashSet;
017: import java.util.Iterator;
018:
019: import org.ejbca.core.ejb.ra.raadmin.IRaAdminSessionLocal;
020: import org.ejbca.core.ejb.ra.userdatasource.IUserDataSourceSessionLocal;
021: import org.ejbca.core.model.SecConst;
022: import org.ejbca.core.model.log.Admin;
023: import org.ejbca.core.model.ra.raadmin.GlobalConfiguration;
024:
025: /**
026: *
027: *
028: * @version $Id: AvailableAccessRules.java,v 1.7 2007/04/13 06:06:27 herrvendil Exp $
029: */
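public class AvailableAccessRules {

    // Available end entity profile authorization rules.
    public static final String VIEW_RIGHTS = "/view_end_entity";
    public static final String EDIT_RIGHTS = "/edit_end_entity";
    public static final String CREATE_RIGHTS = "/create_end_entity";
    public static final String DELETE_RIGHTS = "/delete_end_entity";
    public static final String REVOKE_RIGHTS = "/revoke_end_entity";
    public static final String HISTORY_RIGHTS = "/view_end_entity_history";
    public static final String APPROVAL_RIGHTS = "/approve_end_entity";

    public static final String HARDTOKEN_RIGHTS = "/view_hardtoken";
    public static final String HARDTOKEN_PUKDATA_RIGHTS = "/view_hardtoken/puk_data";

    public static final String KEYRECOVERY_RIGHTS = "/keyrecovery";

    // Endings used in end entity profile authorization.
    public static final String[] ENDENTITYPROFILE_ENDINGS = {
            VIEW_RIGHTS, EDIT_RIGHTS, CREATE_RIGHTS, DELETE_RIGHTS,
            REVOKE_RIGHTS, HISTORY_RIGHTS, APPROVAL_RIGHTS };

    // Name of end entity profile prefix directory in authorization module.
    public static final String ENDENTITYPROFILEBASE = "/endentityprofilesrules";
    public static final String ENDENTITYPROFILEPREFIX = "/endentityprofilesrules/";

    // Name of user data source prefix directory in authorization module.
    public static final String USERDATASOURCEBASE = "/userdatasourcesrules";
    public static final String USERDATASOURCEPREFIX = "/userdatasourcesrules/";

    public static final String UDS_FETCH_RIGHTS = "/fetch_userdata";
    public static final String UDS_REMOVE_RIGHTS = "/remove_userdata";

    // Endings used in user data source authorization.
    public static final String[] USERDATASOURCE_ENDINGS = {
            UDS_FETCH_RIGHTS, UDS_REMOVE_RIGHTS };

    // Name of ca prefix directory in access rules.
    public static final String CABASE = "/ca";
    public static final String CAPREFIX = "/ca/";

    public static final String ROLE_PUBLICWEBUSER = "/public_web_user";
    public static final String ROLE_ADMINISTRATOR = "/administrator";
    public static final String ROLE_SUPERADMINISTRATOR = "/super_administrator";

    public static final String REGULAR_CAFUNCTIONALTY = "/ca_functionality";
    public static final String REGULAR_CABASICFUNCTIONS = "/ca_functionality/basic_functions";
    public static final String REGULAR_ACTIVATECA = "/ca_functionality/basic_functions/activate_ca";
    public static final String REGULAR_VIEWCERTIFICATE = "/ca_functionality/view_certificate";
    public static final String REGULAR_APPROVECAACTION = "/ca_functionality/approve_caaction";
    public static final String REGULAR_CREATECRL = "/ca_functionality/create_crl";
    public static final String REGULAR_EDITCERTIFICATEPROFILES = "/ca_functionality/edit_certificate_profiles";
    public static final String REGULAR_CREATECERTIFICATE = "/ca_functionality/create_certificate";
    public static final String REGULAR_STORECERTIFICATE = "/ca_functionality/store_certificate";
    public static final String REGULAR_RAFUNCTIONALITY = "/ra_functionality";
    public static final String REGULAR_EDITENDENTITYPROFILES = "/ra_functionality/edit_end_entity_profiles";
    public static final String REGULAR_EDITUSERDATASOURCES = "/ra_functionality/edit_user_data_sources";
    public static final String REGULAR_VIEWENDENTITY = "/ra_functionality/view_end_entity";
    public static final String REGULAR_CREATEENDENTITY = "/ra_functionality/create_end_entity";
    public static final String REGULAR_EDITENDENTITY = "/ra_functionality/edit_end_entity";
    public static final String REGULAR_DELETEENDENTITY = "/ra_functionality/delete_end_entity";
    public static final String REGULAR_REVOKEENDENTITY = "/ra_functionality/revoke_end_entity";
    public static final String REGULAR_VIEWENDENTITYHISTORY = "/ra_functionality/view_end_entity_history";
    public static final String REGULAR_APPROVEENDENTITY = "/ra_functionality/approve_end_entity";
    public static final String REGULAR_LOGFUNCTIONALITY = "/log_functionality";
    public static final String REGULAR_VIEWLOG = "/log_functionality/view_log";
    public static final String REGULAR_LOGCONFIGURATION = "/log_functionality/edit_log_configuration";
    public static final String REGULAR_LOG_CUSTOM_EVENTS = "/log_functionality/log_custom_events";
    public static final String REGULAR_SYSTEMFUNCTIONALITY = "/system_functionality";
    public static final String REGULAR_EDITADMINISTRATORPRIVILEDGES = "/system_functionality/edit_administrator_privileges";
    public static final String REGULAR_EDITSYSTEMCONFIGURATION = "/system_functionality/edit_systemconfiguration";

    public static final String REGULAR_VIEWHARDTOKENS = "/ra_functionality" + HARDTOKEN_RIGHTS;
    public static final String REGULAR_VIEWPUKS = "/ra_functionality" + HARDTOKEN_PUKDATA_RIGHTS;
    public static final String REGULAR_KEYRECOVERY = "/ra_functionality" + KEYRECOVERY_RIGHTS;

    public static final String HARDTOKEN_HARDTOKENFUNCTIONALITY = "/hardtoken_functionality";
    public static final String HARDTOKEN_EDITHARDTOKENISSUERS = "/hardtoken_functionality/edit_hardtoken_issuers";
    public static final String HARDTOKEN_EDITHARDTOKENPROFILES = "/hardtoken_functionality/edit_hardtoken_profiles";
    public static final String HARDTOKEN_ISSUEHARDTOKENS = "/hardtoken_functionality/issue_hardtokens";
    public static final String HARDTOKEN_ISSUEHARDTOKENADMINISTRATORS = "/hardtoken_functionality/issue_hardtoken_administrators";

    // Standard Regular Access Rules. Never mutated, so shared by all instances.
    private static final String[] STANDARDREGULARACCESSRULES = {
            REGULAR_CAFUNCTIONALTY, REGULAR_CABASICFUNCTIONS,
            REGULAR_ACTIVATECA, REGULAR_VIEWCERTIFICATE,
            REGULAR_CREATECRL, REGULAR_EDITCERTIFICATEPROFILES,
            REGULAR_CREATECERTIFICATE, REGULAR_STORECERTIFICATE,
            REGULAR_APPROVECAACTION, REGULAR_RAFUNCTIONALITY,
            REGULAR_EDITENDENTITYPROFILES, REGULAR_EDITUSERDATASOURCES,
            REGULAR_VIEWENDENTITY, REGULAR_CREATEENDENTITY,
            REGULAR_EDITENDENTITY, REGULAR_DELETEENDENTITY,
            REGULAR_REVOKEENDENTITY, REGULAR_VIEWENDENTITYHISTORY,
            REGULAR_APPROVEENDENTITY, REGULAR_LOGFUNCTIONALITY,
            REGULAR_LOG_CUSTOM_EVENTS, REGULAR_VIEWLOG,
            REGULAR_LOGCONFIGURATION, REGULAR_SYSTEMFUNCTIONALITY,
            REGULAR_EDITADMINISTRATORPRIVILEDGES,
            REGULAR_EDITSYSTEMCONFIGURATION };

    // Role Access Rules
    public static final String[] ROLEACCESSRULES = {
            ROLE_PUBLICWEBUSER, ROLE_ADMINISTRATOR,
            ROLE_SUPERADMINISTRATOR };

    public static final String[] VIEWLOGACCESSRULES = {
            "/log_functionality/view_log/ca_entries",
            "/log_functionality/view_log/ra_entries",
            "/log_functionality/view_log/log_entries",
            "/log_functionality/view_log/publicweb_entries",
            "/log_functionality/view_log/adminweb_entries",
            "/log_functionality/view_log/hardtoken_entries",
            "/log_functionality/view_log/keyrecovery_entries",
            "/log_functionality/view_log/authorization_entries",
            "/log_functionality/view_log/approval_entries",
            "/log_functionality/view_log/services_entries",
            "/log_functionality/view_log/custom_entries", };

    // Hard Token specific accessrules used in authorization module.
    public static final String[] HARDTOKENACCESSRULES = {
            HARDTOKEN_HARDTOKENFUNCTIONALITY,
            HARDTOKEN_EDITHARDTOKENISSUERS,
            HARDTOKEN_EDITHARDTOKENPROFILES, HARDTOKEN_ISSUEHARDTOKENS,
            HARDTOKEN_ISSUEHARDTOKENADMINISTRATORS };

    // Private fields, all assigned exactly once in the constructor.
    private final Authorizer authorizer;
    private final IRaAdminSessionLocal raadminsession;
    private final IUserDataSourceSessionLocal userDataSourceSession;
    // True when the constructing administrator holds ROLE_SUPERADMINISTRATOR.
    private final boolean issuperadministrator;
    private final boolean enableendentityprofilelimitations;
    private final boolean usehardtokenissuing;
    private final boolean usekeyrecovery;
    // CA ids (Integer) the administrator is authorized to, from the authorizer.
    private final HashSet authorizedcaids;
    // Extra rules supplied by the caller; may be null or contain blank entries.
    private final String[] customaccessrules;

    /**
     * Creates a new instance of AvailableAccessRules.
     *
     * Reads the global configuration (end entity profile limitations, hard token
     * issuing, key recovery), resolves once whether {@code admin} is a super
     * administrator and snapshots the CA ids the administrator is authorized to.
     *
     * @param admin the administrator the available rules are computed for
     * @param authorizer used for every per-rule authorization check
     * @param raadminsession used to load the global configuration and the
     *        authorized end entity profile ids
     * @param userDataSourceSession used to look up authorized user data source ids
     * @param customaccessrules additional rules to offer; may be null, entries
     *        are trimmed and blank entries ignored
     */
    public AvailableAccessRules(Admin admin, Authorizer authorizer,
            IRaAdminSessionLocal raadminsession,
            IUserDataSourceSessionLocal userDataSourceSession,
            String[] customaccessrules) {
        this.raadminsession = raadminsession;
        this.authorizer = authorizer;
        this.userDataSourceSession = userDataSourceSession;

        // Get Global Configuration
        GlobalConfiguration globalconfiguration = raadminsession.loadGlobalConfiguration(admin);
        enableendentityprofilelimitations = globalconfiguration.getEnableEndEntityProfileLimitations();
        usehardtokenissuing = globalconfiguration.getIssueHardwareTokens();
        usekeyrecovery = globalconfiguration.getEnableKeyRecovery();

        // Is Admin SuperAdministrator. Denial is signalled by the exception;
        // the returned value is kept exactly as before.
        boolean superadmin;
        try {
            superadmin = authorizer.isAuthorizedNoLog(admin, ROLE_SUPERADMINISTRATOR);
        } catch (AuthorizationDeniedException e) {
            superadmin = false;
        }
        issuperadministrator = superadmin;

        // Get CA:s
        authorizedcaids = new HashSet();
        authorizedcaids.addAll(authorizer.getAuthorizedCAIds(admin));

        this.customaccessrules = customaccessrules;
    }

    // Public methods

    /**
     * Returns all the access rules and sub access rules that are available to
     * the administrator: role rules, regular rules, end entity profile rules
     * (only when profile limitations are enabled), user data source rules,
     * CA rules and finally the custom rules.
     *
     * @param admin the administrator whose authorization filters the result
     * @return a new, mutable collection of rule strings, in insertion order
     */
    public Collection getAvailableAccessRules(Admin admin) {
        ArrayList accessrules = new ArrayList();

        insertAvailableRoleAccessRules(accessrules);
        insertAvailableRegularAccessRules(admin, accessrules);
        if (enableendentityprofilelimitations) {
            insertAvailableEndEntityProfileAccessRules(admin, accessrules);
        }
        insertUserDataSourceAccessRules(admin, accessrules);
        insertAvailableCAAccessRules(accessrules);
        insertCustomAccessRules(admin, accessrules);

        return accessrules;
    }

    // Private methods

    /**
     * Adds all authorized role based access rules. The super administrator
     * role is only offered to a super administrator.
     */
    private void insertAvailableRoleAccessRules(ArrayList accessrules) {
        accessrules.add(ROLE_PUBLICWEBUSER);
        accessrules.add(ROLE_ADMINISTRATOR);
        if (issuperadministrator) {
            accessrules.add(ROLE_SUPERADMINISTRATOR);
        }
    }

    /**
     * Adds all regular access rules the administrator is authorized to, plus the
     * hard token and key recovery rules when those features are enabled.
     */
    private void insertAvailableRegularAccessRules(Admin admin, ArrayList accessrules) {
        // Insert Standard Access Rules, filtered by the administrator's own authorization.
        addAuthorizedAccessRules(admin, STANDARDREGULARACCESSRULES, accessrules);
        addAuthorizedAccessRules(admin, VIEWLOGACCESSRULES, accessrules);

        if (usehardtokenissuing) {
            // NOTE(review): HARDTOKENACCESSRULES are added without consulting the
            // authorizer, unlike every other rule list in this method; behaviour is
            // kept as-is here, but confirm it is intended that these rules are
            // offered regardless of whether the administrator holds them.
            for (int i = 0; i < HARDTOKENACCESSRULES.length; i++) {
                accessrules.add(HARDTOKENACCESSRULES[i]);
            }
            addAuthorizedAccessRule(admin, REGULAR_VIEWHARDTOKENS, accessrules);
            addAuthorizedAccessRule(admin, REGULAR_VIEWPUKS, accessrules);
        }

        if (usekeyrecovery) {
            addAuthorizedAccessRule(admin, REGULAR_KEYRECOVERY, accessrules);
        }
    }

    /**
     * Adds all authorized access rules concerning end entity profiles.
     */
    private void insertAvailableEndEntityProfileAccessRules(Admin admin, ArrayList accessrules) {
        // Add most basic rule if authorized to it.
        try {
            authorizer.isAuthorizedNoLog(admin, ENDENTITYPROFILEBASE);
            accessrules.add(ENDENTITYPROFILEBASE);
        } catch (AuthorizationDeniedException e) {
            // Add it to superadministrator anyway
            if (issuperadministrator) {
                accessrules.add(ENDENTITYPROFILEBASE);
            }
        }

        // Add all authorized End Entity Profiles
        Iterator iter = raadminsession.getAuthorizedEndEntityProfileIds(admin).iterator();
        while (iter.hasNext()) {
            int profileid = ((Integer) iter.next()).intValue();

            // Do not add empty profile, since only superadministrator should have access to it.
            if (profileid == SecConst.EMPTY_ENDENTITYPROFILE) {
                continue;
            }
            try {
                // Administrator is authorized to this End Entity Profile, add it.
                authorizer.isAuthorizedNoLog(admin, ENDENTITYPROFILEPREFIX + profileid);
                addEndEntityProfile(profileid, accessrules);
            } catch (AuthorizationDeniedException ignored) {
                // Not authorized to this profile: deliberately skip it.
            }
        }
    }

    /**
     * Help method for insertAvailableEndEntityProfileAccessRules: adds the
     * profile rule itself and all of its sub rules (the profile endings, plus
     * hard token and key recovery endings when those features are enabled).
     */
    private void addEndEntityProfile(int profileid, ArrayList accessrules) {
        String profilerule = ENDENTITYPROFILEPREFIX + profileid;
        accessrules.add(profilerule);
        for (int j = 0; j < ENDENTITYPROFILE_ENDINGS.length; j++) {
            accessrules.add(profilerule + ENDENTITYPROFILE_ENDINGS[j]);
        }
        if (usehardtokenissuing) {
            accessrules.add(profilerule + HARDTOKEN_RIGHTS);
            accessrules.add(profilerule + HARDTOKEN_PUKDATA_RIGHTS);
        }
        if (usekeyrecovery) {
            accessrules.add(profilerule + KEYRECOVERY_RIGHTS);
        }
    }

    /**
     * Adds all authorized CA access rules: the CA base rule for a super
     * administrator, then one rule per authorized CA id.
     */
    private void insertAvailableCAAccessRules(ArrayList accessrules) {
        if (issuperadministrator) {
            accessrules.add(CABASE);
        }
        Iterator iter = authorizedcaids.iterator();
        while (iter.hasNext()) {
            accessrules.add(CAPREFIX + ((Integer) iter.next()).intValue());
        }
    }

    /**
     * Adds the custom available access rules the administrator is authorized to.
     * A null array, null entries and blank entries are ignored.
     */
    private void insertCustomAccessRules(Admin admin, ArrayList accessrules) {
        if (customaccessrules == null) {
            return;
        }
        for (int i = 0; i < customaccessrules.length; i++) {
            String rule = customaccessrules[i];
            if (rule == null) {
                continue;
            }
            rule = rule.trim();
            if (!rule.equals("")) {
                addAuthorizedAccessRule(admin, rule, accessrules);
            }
        }
    }

    /**
     * Adds the user data source access rules: the base rule and, for each
     * authorized user data source id, the fetch and remove rules.
     */
    private void insertUserDataSourceAccessRules(Admin admin, ArrayList accessrules) {
        addAuthorizedAccessRule(admin, USERDATASOURCEBASE, accessrules);

        Iterator iter = userDataSourceSession.getAuthorizedUserDataSourceIds(admin, true).iterator();
        while (iter.hasNext()) {
            int id = ((Integer) iter.next()).intValue();
            String sourcerule = USERDATASOURCEPREFIX + id;
            addAuthorizedAccessRule(admin, sourcerule + UDS_FETCH_RIGHTS, accessrules);
            addAuthorizedAccessRule(admin, sourcerule + UDS_REMOVE_RIGHTS, accessrules);
        }
    }

    /**
     * Help method that runs addAuthorizedAccessRule over every rule in the array.
     */
    private void addAuthorizedAccessRules(Admin admin, String[] rules, ArrayList accessrules) {
        for (int i = 0; i < rules.length; i++) {
            addAuthorizedAccessRule(admin, rules[i], accessrules);
        }
    }

    /**
     * Checks if the administrator himself/herself is authorized to the access
     * rule, and if so adds it to the list. Denial is signalled by
     * AuthorizationDeniedException and simply means the rule is not offered.
     */
    private void addAuthorizedAccessRule(Admin admin, String accessrule, ArrayList accessrules) {
        try {
            // NOTE(review): the boolean returned by isAuthorizedNoLog is ignored;
            // confirm the authorizer never returns false without throwing, since
            // such a rule would be added here.
            authorizer.isAuthorizedNoLog(admin, accessrule);
            accessrules.add(accessrule);
        } catch (AuthorizationDeniedException ignored) {
            // Not authorized: deliberately leave the rule out.
        }
    }

}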
|