Source Code of org.glassfish.security.services.impl.authorization.AuthorizationServiceImpl

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2012 Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License").  You
 * may not use this file except in compliance with the License.  You can
 * obtain a copy of the License at
 * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
 * or packager/legal/LICENSE.txt.  See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at packager/legal/LICENSE.txt.
 *
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 *
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 *
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license."  If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above.  However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 */
package org.glassfish.security.services.impl.authorization;

import java.net.URI;
import java.security.Permission;
import java.util.Set;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.Policy;
import java.security.CodeSource;
import java.security.CodeSigner;
import javax.security.auth.Subject;

import org.glassfish.internal.api.ServerContext;
import org.glassfish.security.services.api.authorization.AuthorizationService;
import org.glassfish.security.services.api.authorization.AzAction;
import org.glassfish.security.services.api.authorization.AzResource;
import org.glassfish.security.services.api.authorization.AzResult;
import org.glassfish.security.services.api.authorization.AzSubject;
import org.glassfish.security.services.api.context.SecurityContextService;
import org.glassfish.security.services.config.SecurityConfiguration;
import org.glassfish.security.services.impl.ServiceFactory;


//import org.jvnet.hk2.annotations.Inject;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.jvnet.hk2.annotations.Service;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.hk2.api.ServiceLocator;

import com.sun.enterprise.config.serverbeans.Domain;
import com.sun.logging.LogDomains;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.glassfish.security.services.api.authorization.*;
import org.glassfish.security.services.api.authorization.AzResult.Decision;
import org.glassfish.security.services.api.authorization.AzResult.Status;
import org.glassfish.security.services.api.common.Attributes;

import org.glassfish.security.services.config.SecurityProvider;
import org.glassfish.security.services.spi.AuthorizationProvider;


@Service
@Singleton
public class AuthorizationServiceImpl implements AuthorizationService, PostConstruct {

    protected static final Logger _logger =
        LogDomains.getLogger(AuthorizationServiceImpl.class, LogDomains.SECURITY_LOGGER);

    @Inject
    private Domain domain;

    //TODO: do context switch
    @Inject
    ServerContext serverContext;

    @Inject
    private ServiceLocator serviceLocator;

    @Inject
    private SecurityContextService securityContextService;

    private org.glassfish.security.services.config.AuthorizationService atzSvCfg;

    private SecurityProvider atzPrvConfig;

    private AuthorizationProvider atzProvider;

    private static final CodeSource NULL_CODESOURCE = new CodeSource(null, (CodeSigner[])null);

    @Override
    public void initialize(SecurityConfiguration securityServiceConfiguration) {

        //get service level config
        atzSvCfg = (org.glassfish.security.services.config.AuthorizationService) securityServiceConfiguration;

        if (atzSvCfg == null) {
            atzProvider = createDefaultProvider();
            _logger.log(Level.WARNING, "The Authorization service is not configured in the domain configuration file; using a trivial default implementation which authorizes all access");
        } else {

            //get provider level config
            //consider only one provider for now
            atzPrvConfig = atzSvCfg.getSecurityProviders().get(0);

            if (atzPrvConfig == null)
                throw new RuntimeException("No provider  configured for the Authorization service in the domain configuration file");

                //get the provider
                atzProvider = serviceLocator.getService(AuthorizationProvider.class, atzPrvConfig.getName());
        }

        //init the provider  -- use the first config under the provider config???
        atzProvider.initialize(atzPrvConfig);
    }

    @Override
  public boolean isPermissionGranted(Subject subject, Permission permission) {

        Set<Principal> principalset = subject.getPrincipals();
        Principal[] principalAr = (principalset.size() == 0) ? null : principalset.toArray(new Principal[principalset.size()]);
        ProtectionDomain pd = new ProtectionDomain(NULL_CODESOURCE, null, null, principalAr);
        Policy policy = Policy.getPolicy();
        boolean result = policy.implies(pd, permission);

        return result;
  }

    @Override
  public boolean isAuthorized(Subject subject, URI resource) {
    return isAuthorized(subject, resource, "*");
  }

    @Override
  public boolean isAuthorized(Subject subject, URI resource, String action) {
      AzResult azResult =
          getAuthorizationDecision(makeAzSubject(subject), makeAzResource(resource), makeAzAction(action));

      boolean result = false;

      if ( (AzResult.Decision.PERMIT.equals(azResult.getDecision())) &&
           (AzResult.Status.OK.equals(azResult.getStatus())) )
          result = true;

      return result;
  }

    @Override
  public AzResult getAuthorizationDecision(AzSubject subject,
      AzResource resource, AzAction action) {
        //TODO: setup current AzEnvironment instance. Should a null or empty instance to represent current environment?
                final AzEnvironment env = new AzEnvironmentImpl();
                final Attributes attrs = securityContextService.getEnvironmentAttributes();
                for (String attrName : attrs.getAttributeNames()) {
                    env.addAttribute(attrName, attrs.getAttributeValue(attrName), true);
                }
    return atzProvider.getAuthorizationDecision(subject, resource, action, env);
  }

    @Override
  public AzSubject makeAzSubject(Subject subject) {

      if (subject == null)
          return null;

      AzSubject azs = new AzSubjectImpl();

      Set<Principal> principals = subject.getPrincipals();

      String AttName = Principal.class.getSimpleName();
      for (Principal p : principals) {
          String pname = p.getName();
          azs.addAttribute(AttName, pname, false);
      }

    return azs;
  }

    @Override
  public AzResource makeAzResource(URI resource) {

      if (resource == null)
          return null;

      String attName = URI.class.getSimpleName();

      AzResource azr = new AzResourceImpl();
      azr.addAttribute(attName, resource.toString(), false);

    return azr;
  }

    @Override
  public AzAction makeAzAction(String action) {
      if (action == null)
          return null;

      AzAction aza = new AzActionImpl();

      aza.addAttribute("ACTION", action, false);
    return aza;
  }

    @Override
  public PolicyDeploymentContext findOrCreateDeploymentContext(
      String appContext) {
    return atzProvider.findOrCreateDeployContext(appContext);
  }

   @Override
    public void postConstruct() {

        org.glassfish.security.services.config.AuthorizationService atzConfiguration =
           ServiceFactory.getSecurityServiceConfiguration(
                   domain, org.glassfish.security.services.config.AuthorizationService.class);

        initialize(atzConfiguration);
    }

    private AuthorizationProvider createDefaultProvider() {
        return new AuthorizationProvider() {

            @Override
            public AzResult getAuthorizationDecision(AzSubject subject, AzResource resource, AzAction action, AzEnvironment environment) {
                return new AzResultImpl(Decision.PERMIT, Status.OK, new AzObligationsImpl());
            }

            @Override
            public PolicyDeploymentContext findOrCreateDeployContext(String appContext) {
                return null;
            }

            @Override
            public void initialize(SecurityProvider providerConfig) {
            }
        };
   }
}