  /**
   * Builds a XACML {@link RequestType} that asks the PDP whether {@code subject} may perform
   * {@code action}.
   *
   * <p>The request carries two attribute categories: an action category holding the single
   * action string, and an access-subject category produced by {@link #createSubjectAttributes}
   * (the subject id, its roles and its key/value permissions). No resource category is added.
   * Both {@code combinedDecision} and {@code returnPolicyIdList} are switched off.
   *
   * @param subject identifier of the calling subject
   * @param info authorization data (roles and object permissions) for that subject
   * @param action the action string to be evaluated by the PDP
   * @return the populated request, ready to be sent to the PDP
   */
  protected RequestType createActionXACMLRequest(
      String subject, AuthorizationInfo info, String action) {
    logger.debug("Creating XACML request for subject: {} with action: {}", subject, action);

    // Action category: one string-typed attribute carrying the requested action.
    AttributeValueType requestedAction = new AttributeValueType();
    requestedAction.setDataType(XACMLConstants.STRING_DATA_TYPE);
    logger.trace("Adding action: {} for subject: {}", action, subject);
    requestedAction.getContent().add(action);

    AttributeType actionId = new AttributeType();
    actionId.setAttributeId(XACMLConstants.ACTION_ID);
    actionId.setIncludeInResult(false);
    actionId.getAttributeValue().add(requestedAction);

    AttributesType actionCategory = new AttributesType();
    actionCategory.setCategory(XACMLConstants.ACTION_CATEGORY);
    actionCategory.getAttribute().add(actionId);

    // Access-subject category: subject id plus roles/permissions taken from the AuthorizationInfo.
    AttributesType subjectCategory = createSubjectAttributes(subject, info);

    // Assemble the request; action category first, then the subject category.
    RequestType request = new RequestType();
    request.setCombinedDecision(false);
    request.setReturnPolicyIdList(false);
    request.getAttributes().add(actionCategory);
    request.getAttributes().add(subjectCategory);

    logger.debug(
        "Successfully created XACML request for subject: {} with action: {}", subject, action);

    return request;
  }
  /**
   * Builds the XACML access-subject category for {@code subject}.
   *
   * <p>The category contains, in order: the subject id, one {@code ROLE_CLAIM} attribute per
   * role in {@code info}, and one attribute per value of every {@link KeyValuePermission} found in
   * {@code info.getObjectPermissions()} (attribute id = the permission's key). Permissions that
   * are not {@code KeyValuePermission} instances are logged at WARN and left out, so the subject
   * is presented to the PDP with fewer claims than it actually holds, never more.
   *
   * @param subject identifier of the calling subject
   * @param info roles and object permissions of that subject
   * @return the populated access-subject {@link AttributesType}
   */
  private AttributesType createSubjectAttributes(String subject, AuthorizationInfo info) {
    AttributesType subjectCategory = new AttributesType();
    subjectCategory.setCategory(XACMLConstants.ACCESS_SUBJECT_CATEGORY);

    // Subject id attribute.
    AttributeValueType idValue = new AttributeValueType();
    idValue.setDataType(XACMLConstants.STRING_DATA_TYPE);
    logger.debug("Adding subject: {}", subject);
    idValue.getContent().add(subject);
    AttributeType idAttr = new AttributeType();
    idAttr.setAttributeId(XACMLConstants.SUBJECT_ID);
    idAttr.setIncludeInResult(false);
    idAttr.getAttributeValue().add(idValue);
    subjectCategory.getAttribute().add(idAttr);

    // One ROLE_CLAIM attribute per role the subject holds.
    for (String role : info.getRoles()) {
      AttributeValueType roleValue = new AttributeValueType();
      roleValue.setDataType(XACMLConstants.STRING_DATA_TYPE);
      logger.trace("Adding role: {} for subject: {}", role, subject);
      roleValue.getContent().add(role);
      AttributeType roleAttr = new AttributeType();
      roleAttr.setAttributeId(XACMLConstants.ROLE_CLAIM);
      roleAttr.setIncludeInResult(false);
      roleAttr.getAttributeValue().add(roleValue);
      subjectCategory.getAttribute().add(roleAttr);
    }

    // One attribute per key/value pair of each KeyValuePermission; other permission types are
    // skipped (and logged) because their shape cannot be mapped onto a XACML attribute here.
    for (Permission perm : info.getObjectPermissions()) {
      if (!(perm instanceof KeyValuePermission)) {
        logger.warn(
            "Permissions for subject were not of type KeyValuePermission, cannot add any subject permissions to the request.");
        continue;
      }
      KeyValuePermission kvPerm = (KeyValuePermission) perm;
      for (String value : kvPerm.getValues()) {
        String key = kvPerm.getKey();
        AttributeValueType permValue = new AttributeValueType();
        permValue.setDataType(XACMLConstants.STRING_DATA_TYPE);
        logger.trace(
            "Adding permission: {}:{} for subject: {}", new Object[] {key, value, subject});
        permValue.getContent().add(value);
        AttributeType permAttr = new AttributeType();
        permAttr.setAttributeId(key);
        permAttr.setIncludeInResult(false);
        permAttr.getAttributeValue().add(permValue);
        subjectCategory.getAttribute().add(permAttr);
      }
    }
    return subjectCategory;
  }
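  /**
   * Builds a XACML {@link RequestType} asking the PDP whether {@code subject} may see a resource
   * carrying {@code permission}; the action is fixed to {@link XACMLConstants#FILTER_ACTION}.
   *
   * <p>Three categories are added: the action category ({@code FILTER_ACTION}), the
   * access-subject category from {@link #createSubjectAttributes}, and a resource category holding
   * one attribute per value of every {@link KeyValuePermission} in {@code permission} (attribute
   * id = the permission's key). If {@code permission} is not a {@link
   * KeyValueCollectionPermission}, a warning is logged and the request is returned
   * <em>without</em> any resource category at all; what the PDP decides for such a request
   * depends entirely on the deployed policy, so callers must not assume it evaluates to Deny.
   *
   * @param subject identifier of the calling subject
   * @param info roles and object permissions of that subject
   * @param permission the resource's security markings, expected to be a {@code
   *     KeyValueCollectionPermission}
   * @return the populated request, ready to be sent to the PDP
   */
  protected RequestType createRedactXACMLRequest(
      String subject, AuthorizationInfo info, CollectionPermission permission) {
    logger.debug(
        "Creating XACML request for subject: {} and metacard permissions {}", subject, permission);

    RequestType xacmlRequestType = new RequestType();
    xacmlRequestType.setCombinedDecision(false);
    xacmlRequestType.setReturnPolicyIdList(false);

    // Adding filter action
    AttributesType actionAttributes = new AttributesType();
    actionAttributes.setCategory(XACMLConstants.ACTION_CATEGORY);
    AttributeType actionAttribute = new AttributeType();
    actionAttribute.setAttributeId(XACMLConstants.ACTION_ID);
    actionAttribute.setIncludeInResult(false);
    AttributeValueType actionValue = new AttributeValueType();
    actionValue.setDataType(XACMLConstants.STRING_DATA_TYPE);
    logger.trace("Adding action: {} for subject: {}", XACMLConstants.FILTER_ACTION, subject);
    actionValue.getContent().add(XACMLConstants.FILTER_ACTION);
    actionAttribute.getAttributeValue().add(actionValue);
    actionAttributes.getAttribute().add(actionAttribute);

    xacmlRequestType.getAttributes().add(actionAttributes);

    // Adding permissions for the calling subject
    AttributesType subjectAttributes = createSubjectAttributes(subject, info);
    xacmlRequestType.getAttributes().add(subjectAttributes);

    // Adding permissions for the resource
    AttributesType metadataAttributes = new AttributesType();
    metadataAttributes.setCategory(XACMLConstants.RESOURCE_CATEGORY);

    if (permission instanceof KeyValueCollectionPermission) {
      List<KeyValuePermission> keyValuePermissions =
          ((KeyValueCollectionPermission) permission).getKeyValuePermissionList();
      // Elements are already typed KeyValuePermission; no further casts are needed.
      for (KeyValuePermission curPermission : keyValuePermissions) {
        String key = curPermission.getKey();
        for (String curPermValue : curPermission.getValues()) {
          AttributeType resourceAttribute = new AttributeType();
          AttributeValueType resourceAttributeValue = new AttributeValueType();
          resourceAttribute.setAttributeId(key);
          resourceAttribute.setIncludeInResult(false);
          resourceAttributeValue.setDataType(XACMLConstants.STRING_DATA_TYPE);
          logger.trace("Adding permission: {}:{} for incoming resource", key, curPermValue);
          resourceAttributeValue.getContent().add(curPermValue);
          resourceAttribute.getAttributeValue().add(resourceAttributeValue);
          metadataAttributes.getAttribute().add(resourceAttribute);
        }
      }

      xacmlRequestType.getAttributes().add(metadataAttributes);
    } else {
      // The resource category is deliberately NOT attached here: the request goes to the PDP
      // with subject and action only. The resulting decision is whatever the policy says for a
      // resource-less request, so the caller must treat this path as "resource markings unknown"
      // rather than as an implicit Permit.
      logger.warn(
          "Permission on the resource need to be of type KeyValueCollectionPermission, cannot process this resource.");
    }

    return xacmlRequestType;
  }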