001: /*************************************************************************
002: * *
003: * EJBCA: The OpenSource Certificate Authority *
004: * *
005: * This software is free software; you can redistribute it and/or *
006: * modify it under the terms of the GNU Lesser General Public *
007: * License as published by the Free Software Foundation; either *
008: * version 2.1 of the License, or any later version. *
009: * *
010: * See terms of license at gnu.org. *
011: * *
012: *************************************************************************/package org.ejbca.core.model.authorization;
013:
014: import java.util.ArrayList;
015: import java.util.Collection;
016: import java.util.HashMap;
017: import java.util.HashSet;
018: import java.util.Iterator;
019:
020: /**
021: * A class used as a help class for displaying and configuring basic access rules
022: *
023: * @author herrvendil
024: * @version $Id: BasicAccessRuleSetEncoder.java,v 1.4 2007/04/13 06:06:49 herrvendil Exp $
025: */
026: public class BasicAccessRuleSetEncoder implements java.io.Serializable {
027:
028: private boolean forceadvanced = false;
029:
030: private int currentrole = BasicAccessRuleSet.ROLE_NONE;
031: private Collection availableroles = new ArrayList();
032: private HashSet currentcas = new HashSet();
033: private HashSet availablecas = new HashSet();
034: private HashSet currentendentityrules = new HashSet();
035: private ArrayList availableendentityrules = new ArrayList();
036: private HashSet currentendentityprofiles = new HashSet();
037: private HashSet availableendentityprofiles = new HashSet();
038: private HashSet currentotherrules = new HashSet();
039: private ArrayList availableotherrules = new ArrayList();
040:
041: /**
042: * Tries to encode a advanced ruleset into basic ones.
043: * Sets the forceadvanced flag if encoding isn't possible.
044: */
045: public BasicAccessRuleSetEncoder(Collection currentaccessrules,
046: Collection availableaccessrules, boolean usehardtokens,
047: boolean usekeyrecovery) {
048: HashSet aar = new HashSet();
049: aar.addAll(availableaccessrules);
050: Iterator iter = currentaccessrules.iterator();
051: while (iter.hasNext())
052: aar.add(((AccessRule) iter.next()).getAccessRule());
053: initAvailableRoles(aar);
054: initAvailableRules(usehardtokens, usekeyrecovery, aar);
055:
056: initCurrentRole(currentaccessrules);
057: initCurrentRules(currentaccessrules);
058:
059: }
060:
061: /**
062: * Returns true if basic configuration of access rules isn't possible.
063: */
064: public boolean getForceAdvanced() {
065: return forceadvanced;
066: }
067:
068: /**
069: * Returns the current role of the administrator group.
070: * One of the BasicRuleSet ROLE_constants
071: *
072: */
073:
074: public int getCurrentRole() {
075: return currentrole;
076: }
077:
078: /**
079: * Returns a Collection of basic roles the administrator is authorized to configure.
080: * @return a Collection of BasicRuleSet.ROLE_constants (Integer)
081: *
082: */
083: public Collection getAvailableRoles() {
084: return availableroles;
085: }
086:
087: /**
088: * @return a Collection of CAids the administratorgroup is authorized to or BasicAccessRuleSet.CA_ALL for all cas.
089: */
090: public HashSet getCurrentCAs() {
091: return currentcas;
092: }
093:
094: /**
095: * @return a Collection of available CAids or BasicAccessRuleSet.CA_ALL for all cas.
096: */
097: public Collection getAvailableCAs() {
098: return availablecas;
099: }
100:
101: /**
102: * @return a Collection of EndEntityRules the administratorgroup is authorized to, BasicAccessRuleSet.ENDENTITY_ constants (Integer).
103: */
104: public HashSet getCurrentEndEntityRules() {
105: return currentendentityrules;
106: }
107:
108: /**
109: * @return a Collection of available EndEntityRules, BasicAccessRuleSet.ENDENTITY_ constants (Integer)
110: */
111: public Collection getAvailableEndEntityRules() {
112: return availableendentityrules;
113: }
114:
115: /**
116: * @return a Collection of authorized EndEntityProfileIds or BasicAccessRuleSet.ENDENTITYPROFILE_ALL for all
117: */
118: public HashSet getCurrentEndEntityProfiles() {
119: return currentendentityprofiles;
120: }
121:
122: /**
123: * @return a Collection of av ailable EndEntityProfileIds or BasicAccessRuleSet.ENDENTITYPROFILE_ALL for all and entity profiles.
124: */
125: public Collection getAvailableEndEntityProfiles() {
126: return availableendentityprofiles;
127: }
128:
129: /**
130: * @return a Collection of auhtorized other rules. (Integer).
131: */
132: public HashSet getCurrentOtherRules() {
133: return currentotherrules;
134: }
135:
136: /**
137: * @return a Collection of available other rules (Integer).
138: */
139: public Collection getAvailableOtherRules() {
140: return availableotherrules;
141: }
142:
143: private void initAvailableRoles(HashSet availableruleset) {
144: availableroles.add(new Integer(BasicAccessRuleSet.ROLE_NONE));
145: availableroles.add(new Integer(
146: BasicAccessRuleSet.ROLE_CAADMINISTRATOR));
147:
148: availableroles.add(new Integer(
149: BasicAccessRuleSet.ROLE_RAADMINISTRATOR));
150: availableroles.add(new Integer(
151: BasicAccessRuleSet.ROLE_SUPERVISOR));
152: // Check if administrator can create superadministrators
153: if (availableruleset
154: .contains(AvailableAccessRules.ROLE_SUPERADMINISTRATOR)) {
155: availableroles.add(new Integer(
156: BasicAccessRuleSet.ROLE_SUPERADMINISTRATOR));
157: }
158:
159: }
160:
161: private void initCurrentRole(Collection currentaccessrules) {
162: // Check if administrator is superadministrator
163:
164: if (currentaccessrules.size() > 0) {
165: if (isSuperAdministrator(currentaccessrules)) {
166:
167: this .currentrole = BasicAccessRuleSet.ROLE_SUPERADMINISTRATOR;
168: } else
169: // Check if administrator is caadministrator
170: if (isCAAdministrator(currentaccessrules)) {
171: this .currentrole = BasicAccessRuleSet.ROLE_CAADMINISTRATOR;
172: } else
173: // Check if administrator is raadministrator
174: if (isRAAdministrator(currentaccessrules)) {
175: this .currentrole = BasicAccessRuleSet.ROLE_RAADMINISTRATOR;
176: } else
177: // Check if administrator is supervisor
178: if (isSupervisor(currentaccessrules)) {
179: this .currentrole = BasicAccessRuleSet.ROLE_SUPERVISOR;
180: } else
181: this .forceadvanced = true;
182: } else {
183: this .currentrole = BasicAccessRuleSet.ROLE_NONE;
184: }
185: }
186:
187: private boolean isSuperAdministrator(Collection currentaccessrules) {
188:
189: boolean returnval = false;
190: if (currentaccessrules.size() == 1) {
191: AccessRule ar = (AccessRule) currentaccessrules.iterator()
192: .next();
193: if (ar.getAccessRule().equals(
194: AvailableAccessRules.ROLE_SUPERADMINISTRATOR)
195: && ar.getRule() == AccessRule.RULE_ACCEPT
196: && !ar.isRecursive())
197: returnval = true;
198: }
199:
200: return returnval;
201: }
202:
203: private boolean isCAAdministrator(Collection currentaccessrules) {
204: boolean returnval = false;
205:
206: if (currentaccessrules.size() >= 7) {
207: HashSet requiredacceptrecrules = new HashSet();
208: requiredacceptrecrules
209: .add(AvailableAccessRules.REGULAR_CAFUNCTIONALTY);
210: requiredacceptrecrules
211: .add(AvailableAccessRules.REGULAR_LOGFUNCTIONALITY);
212: requiredacceptrecrules
213: .add(AvailableAccessRules.REGULAR_RAFUNCTIONALITY);
214: requiredacceptrecrules
215: .add(AvailableAccessRules.REGULAR_SYSTEMFUNCTIONALITY);
216: requiredacceptrecrules
217: .add(AvailableAccessRules.ENDENTITYPROFILEBASE);
218: HashSet requiredacceptnonrecrules = new HashSet();
219: requiredacceptnonrecrules
220: .add(AvailableAccessRules.ROLE_ADMINISTRATOR);
221: requiredacceptnonrecrules
222: .add(AvailableAccessRules.HARDTOKEN_EDITHARDTOKENISSUERS);
223: requiredacceptnonrecrules
224: .add(AvailableAccessRules.HARDTOKEN_EDITHARDTOKENPROFILES);
225:
226: Iterator iter = currentaccessrules.iterator();
227: boolean illegal = false;
228: while (iter.hasNext()) {
229: AccessRule ar = (AccessRule) iter.next();
230: if (!isAllowedCAAdministratorRule(ar))
231: if (ar.getRule() == AccessRule.RULE_ACCEPT
232: && ar.isRecursive()
233: && requiredacceptrecrules.contains(ar
234: .getAccessRule()))
235: requiredacceptrecrules.remove(ar
236: .getAccessRule());
237: else if (ar.getRule() == AccessRule.RULE_ACCEPT
238: && !ar.isRecursive()
239: && requiredacceptnonrecrules.contains(ar
240: .getAccessRule()))
241: requiredacceptnonrecrules.remove(ar
242: .getAccessRule());
243: else {
244: illegal = true;
245: break;
246: }
247: }
248: if (!illegal && requiredacceptrecrules.size() == 0
249: && requiredacceptnonrecrules.size() == 0)
250: returnval = true;
251:
252: }
253:
254: return returnval;
255: }
256:
257: private boolean isAllowedCAAdministratorRule(AccessRule ar) {
258: boolean returnval = false;
259:
260: if (ar.getAccessRule().equals(AvailableAccessRules.CABASE)
261: && ar.getRule() == AccessRule.RULE_ACCEPT
262: && ar.isRecursive())
263: returnval = true;
264:
265: if (ar.getAccessRule()
266: .startsWith(AvailableAccessRules.CAPREFIX)
267: && ar.getRule() == AccessRule.RULE_ACCEPT
268: && !ar.isRecursive())
269: returnval = true;
270:
271: if (ar.getAccessRule().startsWith(
272: AvailableAccessRules.HARDTOKEN_ISSUEHARDTOKENS)
273: && ar.getRule() == AccessRule.RULE_ACCEPT)
274: returnval = true;
275:
276: return returnval;
277: }
278:
279: private boolean isRAAdministrator(Collection currentaccessrules) {
280: boolean returnval = false;
281:
282: if (currentaccessrules.size() >= 4) {
283: HashSet requiredaccepnonrecrules = new HashSet();
284: requiredaccepnonrecrules
285: .add(AvailableAccessRules.ROLE_ADMINISTRATOR);
286: requiredaccepnonrecrules
287: .add(AvailableAccessRules.REGULAR_CREATECERTIFICATE);
288: requiredaccepnonrecrules
289: .add(AvailableAccessRules.REGULAR_STORECERTIFICATE);
290: requiredaccepnonrecrules
291: .add(AvailableAccessRules.REGULAR_VIEWCERTIFICATE);
292:
293: Iterator iter = currentaccessrules.iterator();
294: boolean illegal = false;
295: while (iter.hasNext()) {
296: AccessRule ar = (AccessRule) iter.next();
297: if (!isAllowedRAAdministratorRule(ar))
298: if (ar.getRule() == AccessRule.RULE_ACCEPT
299: && !ar.isRecursive()
300: && requiredaccepnonrecrules.contains(ar
301: .getAccessRule()))
302: requiredaccepnonrecrules.remove(ar
303: .getAccessRule());
304: else {
305: illegal = true;
306: break;
307: }
308: }
309: if (!illegal && requiredaccepnonrecrules.size() == 0)
310: returnval = true;
311: }
312:
313: return returnval;
314: }
315:
316: private boolean isAllowedRAAdministratorRule(AccessRule ar) {
317: boolean returnval = false;
318:
319: if (ar.getRule() == AccessRule.RULE_ACCEPT) {
320: if (ar.getAccessRule().equals(
321: AvailableAccessRules.HARDTOKEN_ISSUEHARDTOKENS))
322: returnval = true;
323: if (ar.isRecursive()) {
324: if (ar.getAccessRule().equals(
325: AvailableAccessRules.REGULAR_VIEWLOG))
326: returnval = true;
327: if (ar.getAccessRule().equals(
328: AvailableAccessRules.ENDENTITYPROFILEBASE)
329: || ar.getAccessRule().equals(
330: AvailableAccessRules.CABASE))
331: returnval = true;
332: } else {
333: if (ar.getAccessRule().startsWith(
334: AvailableAccessRules.REGULAR_RAFUNCTIONALITY
335: + "/")
336: && !ar
337: .getAccessRule()
338: .equals(
339: AvailableAccessRules.REGULAR_EDITENDENTITYPROFILES))
340: returnval = true;
341: if (ar.getAccessRule().startsWith(
342: AvailableAccessRules.ENDENTITYPROFILEPREFIX))
343: returnval = true;
344: if (ar.getAccessRule().startsWith(
345: AvailableAccessRules.CAPREFIX))
346: returnval = true;
347: }
348: }
349: return returnval;
350: }
351:
352: private boolean isSupervisor(Collection currentaccessrules) {
353: boolean returnval = false;
354:
355: if (currentaccessrules.size() >= 2) {
356: HashSet requiredacceptrecrules = new HashSet();
357: requiredacceptrecrules
358: .add(AvailableAccessRules.REGULAR_VIEWLOG);
359: HashSet requiredacceptnonrecrules = new HashSet();
360: requiredacceptnonrecrules
361: .add(AvailableAccessRules.ROLE_ADMINISTRATOR);
362: requiredacceptnonrecrules
363: .add(AvailableAccessRules.REGULAR_VIEWCERTIFICATE);
364: Iterator iter = currentaccessrules.iterator();
365: boolean illegal = false;
366: while (iter.hasNext()) {
367: AccessRule ar = (AccessRule) iter.next();
368: if (!isAllowedSupervisorRule(ar))
369: if (ar.getRule() == AccessRule.RULE_ACCEPT
370: && ar.isRecursive()
371: && requiredacceptrecrules.contains(ar
372: .getAccessRule()))
373: requiredacceptrecrules.remove(ar
374: .getAccessRule());
375: else if (ar.getRule() == AccessRule.RULE_ACCEPT
376: && !ar.isRecursive()
377: && requiredacceptnonrecrules.contains(ar
378: .getAccessRule()))
379: requiredacceptnonrecrules.remove(ar
380: .getAccessRule());
381: else {
382: illegal = true;
383: break;
384: }
385: }
386: if (!illegal && requiredacceptrecrules.size() == 0
387: && requiredacceptnonrecrules.size() == 0)
388: returnval = true;
389:
390: }
391:
392: return returnval;
393: }
394:
395: private boolean isAllowedSupervisorRule(AccessRule ar) {
396: boolean returnval = false;
397:
398: if (ar.getRule() == AccessRule.RULE_ACCEPT) {
399: if (ar.isRecursive()) {
400: if (ar.getAccessRule().equals(
401: AvailableAccessRules.ENDENTITYPROFILEBASE)
402: || ar.getAccessRule().equals(
403: AvailableAccessRules.CABASE))
404: returnval = true;
405: } else {
406: if (ar.getAccessRule().equals(
407: AvailableAccessRules.REGULAR_VIEWENDENTITY)
408: || ar
409: .getAccessRule()
410: .equals(
411: AvailableAccessRules.REGULAR_VIEWENDENTITYHISTORY)
412: || ar
413: .getAccessRule()
414: .equals(
415: AvailableAccessRules.REGULAR_VIEWHARDTOKENS))
416: returnval = true;
417: if (ar.getAccessRule().startsWith(
418: AvailableAccessRules.ENDENTITYPROFILEPREFIX))
419: returnval = true;
420: if (ar.getAccessRule().startsWith(
421: AvailableAccessRules.CAPREFIX))
422: returnval = true;
423: }
424: }
425: return returnval;
426: }
427:
428: private void initAvailableRules(boolean usehardtokens,
429: boolean usekeyrecovery, Collection availableaccessrules) {
430: availableendentityrules.add(new Integer(
431: BasicAccessRuleSet.ENDENTITY_VIEW));
432: availableendentityrules.add(new Integer(
433: BasicAccessRuleSet.ENDENTITY_VIEWHISTORY));
434: if (usehardtokens)
435: availableendentityrules.add(new Integer(
436: BasicAccessRuleSet.ENDENTITY_VIEWHARDTOKENS));
437: availableendentityrules.add(new Integer(
438: BasicAccessRuleSet.ENDENTITY_CREATE));
439: availableendentityrules.add(new Integer(
440: BasicAccessRuleSet.ENDENTITY_EDIT));
441: availableendentityrules.add(new Integer(
442: BasicAccessRuleSet.ENDENTITY_DELETE));
443: availableendentityrules.add(new Integer(
444: BasicAccessRuleSet.ENDENTITY_REVOKE));
445: availableendentityrules.add(new Integer(
446: BasicAccessRuleSet.ENDENTITY_APPROVE));
447: availableendentityrules.add(new Integer(
448: BasicAccessRuleSet.ENDENTITY_VIEWPUK));
449: if (usekeyrecovery)
450: availableendentityrules.add(new Integer(
451: BasicAccessRuleSet.ENDENTITY_KEYRECOVER));
452:
453: Iterator iter = availableaccessrules.iterator();
454: while (iter.hasNext()) {
455: String nextrule = (String) iter.next();
456: if (nextrule.equals(AvailableAccessRules.CABASE)) {
457: this .availablecas.add(new Integer(
458: BasicAccessRuleSet.CA_ALL));
459: } else if (nextrule
460: .startsWith(AvailableAccessRules.CAPREFIX)) {
461: this .availablecas.add(new Integer(nextrule
462: .substring(AvailableAccessRules.CAPREFIX
463: .length())));
464: } else if (nextrule
465: .equals(AvailableAccessRules.ENDENTITYPROFILEBASE)) {
466: this .availableendentityprofiles.add(new Integer(
467: BasicAccessRuleSet.ENDENTITYPROFILE_ALL));
468: } else if (nextrule
469: .startsWith(AvailableAccessRules.ENDENTITYPROFILEPREFIX)) {
470: if (nextrule.lastIndexOf('/') <= AvailableAccessRules.ENDENTITYPROFILEPREFIX
471: .length()) {
472: this .availableendentityprofiles
473: .add(new Integer(
474: nextrule
475: .substring(AvailableAccessRules.ENDENTITYPROFILEPREFIX
476: .length())));
477: } else {
478: String tmpString = nextrule
479: .substring(AvailableAccessRules.ENDENTITYPROFILEPREFIX
480: .length());
481: this .availableendentityprofiles.add(new Integer(
482: tmpString.substring(0, tmpString
483: .indexOf('/'))));
484: }
485: }
486: }
487:
488: this .availableotherrules.add(new Integer(
489: BasicAccessRuleSet.OTHER_VIEWLOG));
490: if (usehardtokens)
491: this .availableotherrules.add(new Integer(
492: BasicAccessRuleSet.OTHER_ISSUEHARDTOKENS));
493:
494: }
495:
496: private void initCurrentRules(Collection currentaccessrules) {
497: Iterator iter = currentaccessrules.iterator();
498: HashMap endentityrules = new HashMap();
499:
500: Integer general = new Integer(0);
501: endentityrules.put(general, new Integer(0));
502:
503: while (iter.hasNext()) {
504: AccessRule ar = (AccessRule) iter.next();
505:
506: if (ar.getAccessRule().startsWith(
507: AvailableAccessRules.REGULAR_RAFUNCTIONALITY)
508: && ar.getAccessRule().length() > AvailableAccessRules.REGULAR_RAFUNCTIONALITY
509: .length()
510: && !ar
511: .getAccessRule()
512: .equals(
513: AvailableAccessRules.REGULAR_EDITENDENTITYPROFILES)) {
514: if (ar.getRule() == AccessRule.RULE_ACCEPT
515: && !ar.isRecursive()) {
516: if (ar.getAccessRule().equals(
517: AvailableAccessRules.REGULAR_VIEWENDENTITY)) {
518:
519: currentendentityrules.add(new Integer(
520: BasicAccessRuleSet.ENDENTITY_VIEW));
521: endentityrules
522: .put(
523: general,
524: new Integer(
525: ((Integer) endentityrules
526: .get(general))
527: .intValue()
528: + BasicAccessRuleSet.ENDENTITY_VIEW));
529: } else if (ar
530: .getAccessRule()
531: .equals(
532: AvailableAccessRules.REGULAR_VIEWENDENTITYHISTORY)) {
533: currentendentityrules
534: .add(new Integer(
535: BasicAccessRuleSet.ENDENTITY_VIEWHISTORY));
536: endentityrules
537: .put(
538: general,
539: new Integer(
540: ((Integer) endentityrules
541: .get(general))
542: .intValue()
543: + BasicAccessRuleSet.ENDENTITY_VIEWHISTORY));
544: } else if (ar
545: .getAccessRule()
546: .equals(
547: AvailableAccessRules.REGULAR_CREATEENDENTITY)) {
548: currentendentityrules.add(new Integer(
549: BasicAccessRuleSet.ENDENTITY_CREATE));
550: endentityrules
551: .put(
552: general,
553: new Integer(
554: ((Integer) endentityrules
555: .get(general))
556: .intValue()
557: + BasicAccessRuleSet.ENDENTITY_CREATE));
558: } else if (ar
559: .getAccessRule()
560: .equals(
561: AvailableAccessRules.REGULAR_DELETEENDENTITY)) {
562: currentendentityrules.add(new Integer(
563: BasicAccessRuleSet.ENDENTITY_DELETE));
564: endentityrules
565: .put(
566: general,
567: new Integer(
568: ((Integer) endentityrules
569: .get(general))
570: .intValue()
571: + BasicAccessRuleSet.ENDENTITY_DELETE));
572: } else if (ar.getAccessRule().equals(
573: AvailableAccessRules.REGULAR_EDITENDENTITY)) {
574: currentendentityrules.add(new Integer(
575: BasicAccessRuleSet.ENDENTITY_EDIT));
576: endentityrules
577: .put(
578: general,
579: new Integer(
580: ((Integer) endentityrules
581: .get(general))
582: .intValue()
583: + BasicAccessRuleSet.ENDENTITY_EDIT));
584: } else if (ar
585: .getAccessRule()
586: .equals(
587: AvailableAccessRules.REGULAR_REVOKEENDENTITY)) {
588: currentendentityrules.add(new Integer(
589: BasicAccessRuleSet.ENDENTITY_REVOKE));
590: endentityrules
591: .put(
592: general,
593: new Integer(
594: ((Integer) endentityrules
595: .get(general))
596: .intValue()
597: + BasicAccessRuleSet.ENDENTITY_REVOKE));
598: } else if (ar
599: .getAccessRule()
600: .equals(
601: AvailableAccessRules.REGULAR_VIEWHARDTOKENS)) {
602: currentendentityrules
603: .add(new Integer(
604: BasicAccessRuleSet.ENDENTITY_VIEWHARDTOKENS));
605: endentityrules
606: .put(
607: general,
608: new Integer(
609: ((Integer) endentityrules
610: .get(general))
611: .intValue()
612: + BasicAccessRuleSet.ENDENTITY_VIEWHARDTOKENS));
613: } else if (ar.getAccessRule().equals(
614: AvailableAccessRules.REGULAR_KEYRECOVERY)) {
615: currentendentityrules
616: .add(new Integer(
617: BasicAccessRuleSet.ENDENTITY_KEYRECOVER));
618: endentityrules
619: .put(
620: general,
621: new Integer(
622: ((Integer) endentityrules
623: .get(general))
624: .intValue()
625: + BasicAccessRuleSet.ENDENTITY_KEYRECOVER));
626: } else if (ar
627: .getAccessRule()
628: .equals(
629: AvailableAccessRules.REGULAR_APPROVEENDENTITY)) {
630: currentendentityrules.add(new Integer(
631: BasicAccessRuleSet.ENDENTITY_APPROVE));
632: endentityrules
633: .put(
634: general,
635: new Integer(
636: ((Integer) endentityrules
637: .get(general))
638: .intValue()
639: + BasicAccessRuleSet.ENDENTITY_APPROVE));
640: } else if (ar.getAccessRule().equals(
641: AvailableAccessRules.REGULAR_VIEWPUKS)) {
642: currentendentityrules.add(new Integer(
643: BasicAccessRuleSet.ENDENTITY_VIEWPUK));
644: endentityrules
645: .put(
646: general,
647: new Integer(
648: ((Integer) endentityrules
649: .get(general))
650: .intValue()
651: + BasicAccessRuleSet.ENDENTITY_VIEWPUK));
652: }
653: } else {
654: this .forceadvanced = true;
655: break;
656: }
657: } else {
658: if (ar.getAccessRule().equals(
659: AvailableAccessRules.ENDENTITYPROFILEBASE)) {
660: if (ar.getRule() == AccessRule.RULE_ACCEPT
661: && ar.isRecursive()) {
662: this .currentendentityprofiles
663: .add(new Integer(
664: BasicAccessRuleSet.ENDENTITYPROFILE_ALL));
665: } else {
666: this .forceadvanced = true;
667: break;
668: }
669: } else if (ar.getAccessRule().startsWith(
670: AvailableAccessRules.ENDENTITYPROFILEPREFIX)) {
671: if (ar.getRule() == AccessRule.RULE_ACCEPT
672: && !ar.isRecursive()) {
673: Integer profileid = null;
674: if (ar.getAccessRule().lastIndexOf('/') > AvailableAccessRules.ENDENTITYPROFILEPREFIX
675: .length()) {
676: String tmpString = ar
677: .getAccessRule()
678: .substring(
679: AvailableAccessRules.ENDENTITYPROFILEPREFIX
680: .length());
681: profileid = new Integer(tmpString
682: .substring(0, tmpString
683: .indexOf('/')));
684: } else {
685: this .forceadvanced = true;
686: break;
687: }
688: int currentval = 0;
689: if (endentityrules.get(profileid) != null)
690: currentval = ((Integer) endentityrules
691: .get(profileid)).intValue();
692:
693: if (ar.getAccessRule().endsWith(
694: AvailableAccessRules.VIEW_RIGHTS)) {
695: currentval += BasicAccessRuleSet.ENDENTITY_VIEW;
696: } else if (ar.getAccessRule().endsWith(
697: AvailableAccessRules.HISTORY_RIGHTS)) {
698: currentval += BasicAccessRuleSet.ENDENTITY_VIEWHISTORY;
699: } else if (ar.getAccessRule().endsWith(
700: AvailableAccessRules.HARDTOKEN_RIGHTS)) {
701: currentval += BasicAccessRuleSet.ENDENTITY_VIEWHARDTOKENS;
702: } else if (ar.getAccessRule().endsWith(
703: AvailableAccessRules.CREATE_RIGHTS)) {
704: currentval += BasicAccessRuleSet.ENDENTITY_CREATE;
705: } else if (ar.getAccessRule().endsWith(
706: AvailableAccessRules.DELETE_RIGHTS)) {
707: currentval += BasicAccessRuleSet.ENDENTITY_DELETE;
708: } else if (ar.getAccessRule().endsWith(
709: AvailableAccessRules.EDIT_RIGHTS)) {
710: currentval += BasicAccessRuleSet.ENDENTITY_EDIT;
711: } else if (ar.getAccessRule().endsWith(
712: AvailableAccessRules.REVOKE_RIGHTS)) {
713: currentval += BasicAccessRuleSet.ENDENTITY_REVOKE;
714: } else if (ar
715: .getAccessRule()
716: .endsWith(
717: AvailableAccessRules.KEYRECOVERY_RIGHTS)) {
718: currentval += BasicAccessRuleSet.ENDENTITY_KEYRECOVER;
719: }
720: if (ar.getAccessRule().endsWith(
721: AvailableAccessRules.APPROVAL_RIGHTS)) {
722: currentval += BasicAccessRuleSet.ENDENTITY_APPROVE;
723: }
724: if (ar
725: .getAccessRule()
726: .endsWith(
727: AvailableAccessRules.HARDTOKEN_PUKDATA_RIGHTS)) {
728: currentval += BasicAccessRuleSet.ENDENTITY_VIEWPUK;
729: }
730: endentityrules.put(profileid, new Integer(
731: currentval));
732: } else {
733: this .forceadvanced = true;
734: break;
735: }
736: } else {
737: if (ar.getAccessRule().equals(
738: AvailableAccessRules.CABASE)) {
739: if (ar.getRule() == AccessRule.RULE_ACCEPT
740: && ar.isRecursive()) {
741: this .currentcas.add(new Integer(
742: BasicAccessRuleSet.CA_ALL));
743: } else {
744: this .forceadvanced = true;
745: break;
746: }
747: } else {
748: if (ar.getAccessRule().startsWith(
749: AvailableAccessRules.CAPREFIX)) {
750: if (ar.getRule() == AccessRule.RULE_ACCEPT
751: && !ar.isRecursive()) {
752: Integer caid = new Integer(
753: ar
754: .getAccessRule()
755: .substring(
756: AvailableAccessRules.CAPREFIX
757: .length()));
758: this .currentcas.add(caid);
759: } else {
760: this .forceadvanced = true;
761: break;
762: }
763: } else {
764: if (ar
765: .getAccessRule()
766: .equals(
767: AvailableAccessRules.REGULAR_VIEWLOG)) {
768: if (ar.getRule() == AccessRule.RULE_ACCEPT
769: && ar.isRecursive()) {
770: this .currentotherrules
771: .add(new Integer(
772: BasicAccessRuleSet.OTHER_VIEWLOG));
773: } else {
774: this .forceadvanced = true;
775: break;
776: }
777: } else if (ar
778: .getAccessRule()
779: .equals(
780: AvailableAccessRules.HARDTOKEN_ISSUEHARDTOKENS)) {
781: if (ar.getRule() == AccessRule.RULE_ACCEPT) {
782: this .currentotherrules
783: .add(new Integer(
784: BasicAccessRuleSet.OTHER_ISSUEHARDTOKENS));
785: } else {
786: this .forceadvanced = true;
787: break;
788: }
789: }
790: }
791: }
792: }
793: }
794: }
795:
796: int endentityruleval = ((Integer) endentityrules.get(general))
797: .intValue();
798:
799: iter = endentityrules.keySet().iterator();
800: while (iter.hasNext()) {
801: Integer next = (Integer) iter.next();
802: if (!next.equals(general)) {
803: if (((Integer) endentityrules.get(next)).intValue() == endentityruleval) {
804: this .currentendentityprofiles.add(next);
805: } else
806: this .forceadvanced = true;
807: }
808: }
809:
810: }
811:
812: }
|