/**
* Copyright (c) Members of the EGEE Collaboration. 2006-2009.
* See http://www.eu-egee.org/partners/ for details on the copyright holders.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.glite.authz.pap.authz.operations.highlevelpolicymanagement;
import java.util.List;
import org.glite.authz.pap.authz.BasePAPOperation;
import org.glite.authz.pap.authz.PAPPermission;
import org.glite.authz.pap.authz.PAPPermission.PermissionFlags;
import org.glite.authz.pap.common.Pap;
import org.glite.authz.pap.common.xacml.impl.TypeStringUtils;
import org.glite.authz.pap.common.xacml.utils.PolicySetHelper;
import org.glite.authz.pap.common.xacml.wizard.AttributeWizard;
import org.glite.authz.pap.common.xacml.wizard.PolicySetWizard;
import org.glite.authz.pap.common.xacml.wizard.PolicyWizard;
import org.glite.authz.pap.common.xacml.wizard.TargetWizard;
import org.glite.authz.pap.papmanagement.PapContainer;
import org.glite.authz.pap.papmanagement.PapManager;
import org.glite.authz.pap.services.XACMLPolicyManagementServiceException;
import org.opensaml.xacml.policy.EffectType;
import org.opensaml.xacml.policy.PolicySetType;
import org.opensaml.xacml.policy.PolicyType;
public class BanOperation extends BasePAPOperation<String> {
private String alias;
private AttributeWizard actionAttributeWizard;
private AttributeWizard banAttributeWizard;
private boolean isPublic;
private AttributeWizard resourceAttributeWizard;
protected BanOperation(String alias, AttributeWizard banAttributeWizard, AttributeWizard resourceAttributeWizard,
AttributeWizard actionAttributeWizard, boolean isPublic) {
this.alias = alias;
this.banAttributeWizard = banAttributeWizard;
this.resourceAttributeWizard = resourceAttributeWizard;
this.actionAttributeWizard = actionAttributeWizard;
this.isPublic = isPublic;
}
public static BanOperation instance(String alias, AttributeWizard banAttributeWizard,
AttributeWizard resourceAttributeWizard, AttributeWizard actionAttributeWizard, boolean isPublic) {
return new BanOperation(alias, banAttributeWizard, resourceAttributeWizard, actionAttributeWizard, isPublic);
}
protected String doExecute() {
boolean policySetNeedToBeSaved = true;
boolean updateOperationForPolicySet = false;
boolean updateOperationForPolicy = false;
if (alias == null) {
alias = Pap.DEFAULT_PAP_ALIAS;
}
Pap pap = PapManager.getInstance().getPap(alias);
if (pap.isRemote()) {
throw new XACMLPolicyManagementServiceException("Forbidden operation for a remote PAP");
}
PapContainer papContainer = new PapContainer(pap);
PolicySetType targetPolicySet = getTargetPolicySet(papContainer);
if (targetPolicySet == null) {
targetPolicySet = (new PolicySetWizard(resourceAttributeWizard)).getXACML();
} else {
updateOperationForPolicySet = true;
}
String policyId = null;
PolicyWizard targetPolicyWizard;
PolicyType candidatePolicy = getTargetPolicy(papContainer, targetPolicySet);
if (candidatePolicy == null) {
targetPolicyWizard = new PolicyWizard(actionAttributeWizard);
targetPolicyWizard.setPrivate(!isPublic);
policyId = targetPolicyWizard.getPolicyId();
PolicySetHelper.addPolicyReference(targetPolicySet, 0, policyId);
} else {
targetPolicyWizard = new PolicyWizard(candidatePolicy);
if (targetPolicyWizard.denyRuleForAttributeExists(banAttributeWizard)) {
// ban policy already exists
return null;
}
policyId = candidatePolicy.getPolicyId();
updateOperationForPolicy = true;
policySetNeedToBeSaved = false;
}
targetPolicyWizard.addRule(0, banAttributeWizard, EffectType.Deny);
// Store the ban policy and the policy set in which it is contained
// (only if needed)
if (policySetNeedToBeSaved) {
if (updateOperationForPolicySet) {
String oldVersion = targetPolicySet.getVersion();
PolicySetWizard.increaseVersion(targetPolicySet);
papContainer.updatePolicySet(oldVersion, targetPolicySet);
} else {
papContainer.addPolicySet(0, targetPolicySet);
}
} else {
TypeStringUtils.releaseUnneededMemory(targetPolicySet);
}
if (updateOperationForPolicy) {
String oldVersion = targetPolicyWizard.getVersionString();
targetPolicyWizard.increaseVersion();
papContainer.updatePolicy(oldVersion, targetPolicyWizard.getXACML());
} else {
papContainer.storePolicy(targetPolicyWizard.getXACML());
}
targetPolicyWizard.releaseChildrenDOM();
targetPolicyWizard.releaseDOM();
return policyId;
}
@Override
protected void setupPermissions() {
addRequiredPermission(PAPPermission.of(PermissionFlags.POLICY_WRITE));
}
private PolicyType getTargetPolicy(PapContainer papContainer, PolicySetType policySet) {
List<String> policyIdList = PolicySetHelper.getPolicyIdReferencesValues(policySet);
if (policyIdList.size() == 0) {
return null;
}
// get the target policy, it must be the very first policy
PolicyType candidatePolicy = papContainer.getPolicy(policyIdList.get(0));
PolicyType policy = null;;
TargetWizard policyTargetWizard = new TargetWizard(actionAttributeWizard);
if (policyTargetWizard.isEquivalent(candidatePolicy.getTarget())) {
policy = candidatePolicy;
if (PolicyWizard.isPublic(policy.getPolicyId()) != isPublic) {
return null;
}
}
return policy;
}
private PolicySetType getTargetPolicySet(PapContainer papContainer) {
// get the target policy set, it must be the very first policy set (if it exists)
PolicySetType targetPolicySet = null;
TargetWizard policySetTargetWizard = new TargetWizard(resourceAttributeWizard);
PolicySetType papRootPolicySet = papContainer.getRootPolicySet();
List<String> policySetIdList = PolicySetHelper.getPolicySetIdReferencesValues(papRootPolicySet);
TypeStringUtils.releaseUnneededMemory(papRootPolicySet);
if (policySetIdList.size() == 0) {
return null;
}
PolicySetType candidatePolicySet = papContainer.getPolicySet(policySetIdList.get(0));
if (policySetTargetWizard.isEquivalent(candidatePolicySet.getTarget())) {
targetPolicySet = candidatePolicySet;
}
return targetPolicySet;
}
}