@Override
public final void enforceGetObjectXML(Context context, String pid, String objectXmlEncoding)
throws AuthzException {
try {
logger.debug("Entered enforceGetObjectXML");
String target = Constants.ACTION.GET_OBJECT_XML.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
try {
resourceAttributes.set(Constants.OBJECT.ENCODING.attributeId, objectXmlEncoding);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(
target + " couldn't set " + Constants.OBJECT.ENCODING.uri, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceGetObjectXML");
}
}
@Override
public void enforceGetObjectProfile(Context context, String pid, Date asOfDate)
throws AuthzException {
try {
logger.debug("Entered enforceGetObjectProfile");
String target = Constants.ACTION.GET_OBJECT_PROFILE.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
try {
resourceAttributes.set(
Constants.RESOURCE.AS_OF_DATETIME.attributeId, ensureDate(asOfDate, context));
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(
target + " couldn't set " + Constants.RESOURCE.AS_OF_DATETIME.uri, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIA.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceGetObjectProfile");
}
}
@Override
public void enforcePurgeRelationship(
Context context,
String pid,
String predicate,
String object,
boolean isLiteral,
String datatype)
throws AuthzException {
try {
logger.debug("Entered enforcePurgeRelationship");
String target = Constants.ACTION.PURGE_RELATIONSHIP.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
try {
resourceAttributes.set(Constants.OBJECT.PID.attributeId, pid);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(
target + " couldn't set " + Constants.OBJECT.PID.uri, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforcePurgeRelationship");
}
}
@Override
public final void enforceIngest(Context context, String pid, String format, String ingestEncoding)
throws AuthzException {
try {
logger.debug("Entered enforceIngest");
String target = Constants.ACTION.INGEST.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
URI name = null;
try {
name = Constants.OBJECT.FORMAT_URI.attributeId;
resourceAttributes.set(name, format);
name = Constants.OBJECT.ENCODING.attributeId;
resourceAttributes.set(name, ingestEncoding);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(target + " couldn't set " + name, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceIngest");
}
}
private Decision executePDP(boolean logobligation, String format) {
// Setup PDP - reuse PDPOnePolicyDataStore.properties
PolicyDecisionPoint pdp = null;
try {
Properties props = new Properties();
URL url = ClassLoader.getSystemResource("PDPOnePolicyDataStore.properties");
props.load(url.openStream());
// Just to ensure cache is reloaded
props.setProperty(
"PDP_ETAG", logobligation ? "10101" + format.hashCode() : "10102" + format.hashCode());
if (logobligation) props.setProperty("PDP_LOG_OBLIGATION", "true");
else props.setProperty("PDP_LOG_OBLIGATION", "false");
props.setProperty("PDP_LOG_OBLIGATION_FORMAT", format);
pdp = PolicyEnforcementPoint.getPDP(props);
} catch (Exception ex) {
System.out.println("Properties File not found:" + ex);
ex.printStackTrace();
return null;
}
// Get Decision
Target resource = new Target("web", "http://www.ebay.com/xxx");
List<Environment> env = new ArrayList<Environment>();
Environment env1 = new Environment("session", "env1");
env1.setAttribute("authn.level", new Integer(0));
env1.setAttribute("role", "manager");
env.add(env1);
Decision decision = pdp.getPolicyDecision(resource, env);
return decision;
}
@Override
public void enforceRetrieveFile(Context context, String fileURI) throws AuthzException {
try {
logger.debug("Entered enforceRetrieveFile for {}", fileURI);
String target = Constants.ACTION.RETRIEVE_FILE.uri;
context.setActionAttributes(null);
try {
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
resourceAttributes.set(Constants.DATASTREAM.FILE_URI.attributeId, fileURI);
context.setResourceAttributes(resourceAttributes);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(
target + " couldn't be set " + Constants.DATASTREAM.FILE_URI.uri, e);
}
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
"",
extractNamespace(fileURI),
context);
} finally {
logger.debug("Exiting enforceRetrieveFile");
}
}
@Override
public final void enforceModifyObject(
Context context, String pid, String objectNewState, String objectNewOwnerId)
throws AuthzException {
try {
logger.debug("Entered enforceModifyObject");
String target = Constants.ACTION.MODIFY_OBJECT.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
URI name = null;
try {
name = Constants.OBJECT.NEW_STATE.attributeId;
resourceAttributes.set(name, objectNewState);
if (objectNewOwnerId != null) {
name = Constants.OBJECT.OWNER.attributeId;
resourceAttributes.set(name, objectNewOwnerId.split(m_ownerIdSeparator));
}
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(target + " couldn't set " + name, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceModifyObject");
}
}
@Override
public final void enforceGetDatastreamHistory(Context context, String pid, String datastreamId)
throws AuthzException {
try {
logger.debug("Entered enforceGetDatastreamHistory");
String target = Constants.ACTION.GET_DATASTREAM_HISTORY.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
try {
resourceAttributes.set(Constants.DATASTREAM.ID.attributeId, datastreamId);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(
target + " couldn't set " + Constants.DATASTREAM.ID.uri, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceGetDatastreamHistory");
}
}
@Override
public void enforceGetDatastreamDissemination(
Context context, String pid, String datastreamId, Date asOfDate) throws AuthzException {
try {
logger.debug("Entered enforceGetDatastreamDissemination");
String target = Constants.ACTION.GET_DATASTREAM_DISSEMINATION.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
URI name = null;
try {
name = Constants.DATASTREAM.ID.attributeId;
resourceAttributes.set(name, datastreamId);
name = Constants.RESOURCE.AS_OF_DATETIME.attributeId;
resourceAttributes.set(name, ensureDate(asOfDate, context));
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(target + " couldn't set " + name, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIA.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceGetDatastreamDissemination");
}
}
@Override
public void enforce_Internal_DSState(Context context, String id, String state)
throws AuthzException {
try {
logger.debug("Entered enforce_Internal_DSState");
String target = Constants.ACTION.INTERNAL_DSSTATE.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
try {
resourceAttributes.set(Constants.DATASTREAM.ID.attributeId, id);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(
target + " couldn't set " + Constants.DATASTREAM.ID.uri, e);
}
try {
resourceAttributes.set(Constants.DATASTREAM.STATE.attributeId, state);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(
target + " couldn't set " + Constants.DATASTREAM.STATE.uri, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIA.uri,
"",
"",
context);
} finally {
logger.debug("Exiting enforce_Internal_DSState");
}
}
@Override
public final void enforceGetNextPid(Context context, String namespace, int nNewPids)
throws AuthzException {
try {
logger.debug("Entered enforceGetNextPid");
String target = Constants.ACTION.GET_NEXT_PID.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
try {
String nNewPidsAsString = Integer.toString(nNewPids);
resourceAttributes.set(Constants.OBJECT.N_PIDS.attributeId, nNewPidsAsString);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(
target + " couldn't set " + Constants.OBJECT.N_PIDS.uri, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
"",
namespace,
context);
} finally {
logger.debug("Exiting enforceGetNextPid");
}
}
@Override
public final void enforceSetDatastreamVersionable(
Context context, String pid, String datastreamId, boolean datastreamNewVersionable)
throws AuthzException {
try {
logger.debug("Entered enforceSetDatastreamVersionable");
String target = Constants.ACTION.SET_DATASTREAM_VERSIONABLE.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
URI name = null;
try {
name = Constants.DATASTREAM.ID.attributeId;
resourceAttributes.set(name, datastreamId);
name = Constants.DATASTREAM.NEW_VERSIONABLE.attributeId;
resourceAttributes.set(name, new Boolean(datastreamNewVersionable).toString());
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(target + " couldn't set " + name, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceSetDatastreamVersionable");
}
}
@SuppressWarnings("deprecation")
@Override
public void enforceGetDissemination(
Context context,
String pid,
String sDefPid,
String methodName,
Date asOfDate,
String objectState,
String sDefState,
String sDepPid,
String sDepState,
String dissState)
throws AuthzException {
try {
logger.debug("Entered enforceGetDissemination");
String target = Constants.ACTION.GET_DISSEMINATION.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
URI name = null;
try {
name = Constants.SDEF.PID.attributeId;
resourceAttributes.set(name, sDefPid);
name = Constants.SDEF.NAMESPACE.attributeId;
resourceAttributes.set(name, extractNamespace(sDefPid));
name = Constants.DISSEMINATOR.METHOD.attributeId;
resourceAttributes.set(name, methodName);
name = Constants.SDEP.PID.attributeId;
resourceAttributes.set(name, sDepPid);
name = Constants.SDEP.NAMESPACE.attributeId;
resourceAttributes.set(name, extractNamespace(sDepPid));
name = Constants.OBJECT.STATE.attributeId;
resourceAttributes.set(name, objectState);
name = Constants.DISSEMINATOR.STATE.attributeId;
resourceAttributes.set(name, dissState);
name = Constants.SDEF.STATE.attributeId;
resourceAttributes.set(name, sDefState);
name = Constants.SDEP.STATE.attributeId;
resourceAttributes.set(name, sDepState);
name = Constants.RESOURCE.AS_OF_DATETIME.attributeId;
resourceAttributes.set(name, ensureDate(asOfDate, context));
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(target + " couldn't set " + name, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIA.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceGetDissemination");
}
}
/**
* Enforce authorization for adding a datastream to an object. Provide attributes for the
* authorization decision and wrap that xacml decision.
*
* <p>The following attributes are available for use in authorization policies during a call to
* this method.
*
* <p>action attributes
*
* <ul>
* <li>urn:fedora:names:fedora:2.1:action:id ==
* urn:fedora:names:fedora:2.1:action:id-addDatastream
* <li>urn:fedora:names:fedora:2.1:action:api == urn:fedora:names:fedora:2.1:action:api-m
* </ul>
*
* <p>resource attributes of object to which datastream would be added
*
* <ul>
* <li>urn:fedora:names:fedora:2.1:resource:object:pid
* <li>urn:fedora:names:fedora:2.1:resource:object:namespace (if pid is "x:y", namespace is "x")
* </ul>
*
* <p>resource attributes of datastream which would be added
*
* <ul>
* <li>urn:fedora:names:fedora:2.1:resource:datastream:mimeType
* <li>urn:fedora:names:fedora:2.1:resource:datastream:formatUri
* <li>urn:fedora:names:fedora:2.1:resource:datastream:state
* <li>urn:fedora:names:fedora:2.1:resource:datastream:id
* <li>urn:fedora:names:fedora:2.1:resource:datastream:location
* <li>urn:fedora:names:fedora:2.1:resource:datastream:controlGroup
* <li>urn:fedora:names:fedora:2.1:resource:datastream:altIds
* <li>urn:fedora:names:fedora:2.1:resource:datastream:checksumType
* <li>urn:fedora:names:fedora:2.1:resource:datastream:checksum
* </ul>
*/
@Override
public final void enforceAddDatastream(
Context context,
String pid,
String dsId,
String[] altIDs,
String MIMEType,
String formatURI,
String dsLocation,
String controlGroup,
String dsState,
String checksumType,
String checksum)
throws AuthzException {
try {
logger.debug("Entered enforceAddDatastream");
String target = Constants.ACTION.ADD_DATASTREAM.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
URI name = null;
try {
name = Constants.DATASTREAM.MIME_TYPE.attributeId;
resourceAttributes.set(name, MIMEType);
name = Constants.DATASTREAM.FORMAT_URI.attributeId;
resourceAttributes.set(name, formatURI);
name = Constants.DATASTREAM.STATE.attributeId;
resourceAttributes.set(name, dsState);
name = Constants.DATASTREAM.ID.attributeId;
resourceAttributes.set(name, dsId);
name = Constants.DATASTREAM.LOCATION.attributeId;
resourceAttributes.set(name, dsLocation);
name = Constants.DATASTREAM.CONTROL_GROUP.attributeId;
resourceAttributes.set(name, controlGroup);
name = Constants.DATASTREAM.ALT_IDS.attributeId;
resourceAttributes.set(name, altIDs);
name = Constants.DATASTREAM.CHECKSUM_TYPE.attributeId;
resourceAttributes.set(name, checksumType);
name = Constants.DATASTREAM.CHECKSUM.attributeId;
resourceAttributes.set(name, checksum);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(target + " couldn't set " + name, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceAddDatastream");
}
}
@Override
public void enforceReloadPolicies(Context context) throws AuthzException {
try {
logger.debug("Entered enforceReloadPolicies");
String target = Constants.ACTION.RELOAD_POLICIES.uri;
context.setResourceAttributes(null);
context.setActionAttributes(null);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri), target, "", "", "", context);
} finally {
logger.debug("Exiting enforceReloadPolicies");
}
}
@Override
public void postInitModule() throws ModuleInitializationException {
try {
getServer()
.getStatusFile()
.append(ServerState.STARTING, "Initializing XACML Authorization Module");
xacmlPep =
getServer().getBean(PolicyEnforcementPoint.class.getName(), PolicyEnforcementPoint.class);
xacmlPep.newPdp();
} catch (Throwable e1) {
throw new ModuleInitializationException(e1.getMessage(), getRole(), e1);
}
}
@Override
public final void enforceModifyDatastreamByReference(
Context context,
String pid,
String datastreamId,
String[] datastreamNewAltIDs,
String datastreamNewMimeType,
String datastreamNewFormatURI,
String datastreamNewLocation,
String datastreamNewChecksumType,
String datastreamNewChecksum)
throws AuthzException {
try {
logger.debug("Entered enforceModifyDatastreamByReference");
String target = Constants.ACTION.MODIFY_DATASTREAM_BY_REFERENCE.uri;
context.setActionAttributes(null);
MultiValueMap<URI> resourceAttributes = new MultiValueMap<URI>();
URI name = null;
try {
name = Constants.DATASTREAM.ID.attributeId;
resourceAttributes.set(name, datastreamId);
name = Constants.DATASTREAM.NEW_MIME_TYPE.attributeId;
resourceAttributes.set(name, datastreamNewMimeType);
name = Constants.DATASTREAM.NEW_FORMAT_URI.attributeId;
resourceAttributes.set(name, datastreamNewFormatURI);
name = Constants.DATASTREAM.NEW_LOCATION.attributeId;
resourceAttributes.set(name, datastreamNewLocation);
name = Constants.DATASTREAM.NEW_ALT_IDS.attributeId;
resourceAttributes.set(name, datastreamNewAltIDs);
name = Constants.DATASTREAM.NEW_CHECKSUM_TYPE.attributeId;
resourceAttributes.set(name, datastreamNewChecksumType);
name = Constants.DATASTREAM.NEW_CHECKSUM.attributeId;
resourceAttributes.set(name, datastreamNewChecksum);
} catch (Exception e) {
context.setResourceAttributes(null);
throw new AuthzOperationalException(target + " couldn't set " + name, e);
}
context.setResourceAttributes(resourceAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIM.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceModifyDatastreamByReference");
}
}
@Override
public void enforceGetObjectHistory(Context context, String pid) throws AuthzException {
try {
logger.debug("Entered enforceGetObjectHistory");
String target = Constants.ACTION.GET_OBJECT_HISTORY.uri;
context.setActionAttributes(null);
context.setResourceAttributes(null);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIA.uri,
pid,
extractNamespace(pid),
context);
} finally {
logger.debug("Exiting enforceGetObjectHistory");
}
}
@Override
public void enforceRIFindObjects(Context context) throws AuthzException {
try {
logger.debug("Entered enforceRIFindObjects");
String target = Constants.ACTION.RI_FIND_OBJECTS.uri;
context.setActionAttributes(null);
context.setResourceAttributes(null);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIA.uri,
"",
"",
context);
} finally {
logger.debug("Exiting enforceRIFindObjects");
}
}
@Override
public void enforceDescribeRepository(Context context) throws AuthzException {
try {
logger.debug("Entered enforceDescribeRepository");
String target = Constants.ACTION.DESCRIBE_REPOSITORY.uri;
context.setActionAttributes(null);
context.setResourceAttributes(null);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIA.uri,
"",
"",
context);
} finally {
logger.debug("Exiting enforceDescribeRepository");
}
}
@Override
public final void enforceListObjectInResourceIndexResults(Context context, String pid)
throws AuthzException {
try {
logger.debug("Entered enforceListObjectInResourceIndexResults");
String target = Constants.ACTION.LIST_OBJECT_IN_RESOURCE_INDEX_RESULTS.uri;
if (enforceListObjectInResourceIndexResults) {
context.setActionAttributes(null);
context.setResourceAttributes(null);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
target,
Constants.ACTION.APIA.uri,
pid,
extractNamespace(pid),
context);
}
} finally {
logger.debug("Exiting enforceListObjectInResourceIndexResults");
}
}
@Override
public void enforceResolveDatastream(Context context, Date ticketIssuedDateTime)
throws AuthzException {
try {
logger.debug("Entered enforceResolveDatastream");
String target = Constants.ACTION.RESOLVE_DATASTREAM.uri;
context.setResourceAttributes(null);
MultiValueMap<URI> actionAttributes = new MultiValueMap<URI>();
try {
String ticketIssuedDateTimeString = DateUtility.convertDateToString(ticketIssuedDateTime);
actionAttributes.set(
Constants.RESOURCE.TICKET_ISSUED_DATETIME.attributeId, ticketIssuedDateTimeString);
} catch (Exception e) {
context.setActionAttributes(null);
throw new AuthzOperationalException(
target + " couldn't set " + Constants.RESOURCE.TICKET_ISSUED_DATETIME.uri, e);
}
context.setActionAttributes(actionAttributes);
xacmlPep.enforce(
context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri), target, "", "", "", context);
} finally {
logger.debug("Exiting enforceResolveDatastream");
}
}
@Override
public void reloadPolicies(Context context) throws Exception {
enforceReloadPolicies(context);
xacmlPep.newPdp();
}
