diff options
Diffstat (limited to 'base/common/src/com/netscape/cms/evaluators')
4 files changed, 629 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java b/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java new file mode 100644 index 000000000..530ca9447 --- /dev/null +++ b/base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java @@ -0,0 +1,183 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.evaluators; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.evaluators.IAccessEvaluator; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.usrgrp.IUGSubsystem; +import com.netscape.certsrv.usrgrp.IUser; +import com.netscape.cmsutil.util.Utils; + +/** + * A class represents a group acls evaluator. + * <P> + * + * @version $Revision$, $Date$ + */ +public class GroupAccessEvaluator implements IAccessEvaluator { + private String mType = "group"; + private IUGSubsystem mUG = null; + private String mDescription = "group membership evaluator"; + private ILogger mLogger = CMS.getLogger(); + + /** + * Class constructor. + */ + public GroupAccessEvaluator() { + + mUG = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); + + if (mUG == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UG_NULL")); + } + } + + /** + * initialization. nothing for now. + */ + public void init() { + CMS.debug("GroupAccessEvaluator: init"); + } + + /** + * gets the type name for this acl evaluator + * + * @return type for this acl evaluator: "group" or "at_group" + */ + public String getType() { + return mType; + } + + /** + * gets the description for this acl evaluator + * + * @return description for this acl evaluator + */ + public String getDescription() { + return mDescription; + } + + public String[] getSupportedOperators() { + String[] s = new String[2]; + + s[0] = "="; + s[1] = "!="; + return s; + } + + /** + * evaluates uid in AuthToken to see if it has membership in + * group value + * + * @param authToken authentication token + * @param type must be "at_group" + * @param op must be "=" + * @param value the group name + * @return true if AuthToken uid belongs to the group value, + * false otherwise + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + + if (type.equals(mType)) { + // should define "uid" at a common place + String uid = null; + + uid = authToken.getInString("userid"); + if (uid == null) { + uid = authToken.getInString("uid"); + if (uid == null) { + CMS.debug("GroupAccessEvaluator: evaluate: uid null"); + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_NULL")); + return false; + } + } + CMS.debug("GroupAccessEvaluator: evaluate: uid=" + uid + " value=" + value); + + String groupname = authToken.getInString("gid"); + + if (groupname != null) { + CMS.debug("GroupAccessEvaluator: evaluate: authToken gid=" + groupname); + if (op.equals("=")) { + return groupname.equals(Utils.stripQuotes(value)); + } else if (op.equals("!=")) { + return !groupname.equals(Utils.stripQuotes(value)); + } + } else { + CMS.debug("GroupAccessEvaluator: evaluate: no gid in authToken"); + IUser id = null; + try { + id = mUG.getUser(uid); + } catch (EBaseException e) { + CMS.debug("GroupAccessEvaluator: " + e.toString()); + return false; + } + + if (op.equals("=")) { + return mUG.isMemberOf(id, Utils.stripQuotes(value)); + } else if (op.equals("!=")) { + return !(mUG.isMemberOf(id, Utils.stripQuotes(value))); + } + } + } + + return false; + } + + /** + * evaluates uid in SessionContext to see if it has membership in + * group value + * + * @param type must be "group" + * @param op must be "=" + * @param value the group name + * @return true if SessionContext uid belongs to the group value, + * false otherwise + */ + public boolean evaluate(String type, String op, String value) { + + SessionContext mSC = SessionContext.getContext(); + + if (type.equals(mType)) { + IUser id = (IUser) mSC.get(SessionContext.USER); + + if (id == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_NULL")); + return false; + } + if (op.equals("=")) + return mUG.isMemberOf(id, Utils.stripQuotes(value)); + else + return !(mUG.isMemberOf(id, Utils.stripQuotes(value))); + + } + + return false; + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, + level, "GroupAccessEvaluator: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java b/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java new file mode 100644 index 000000000..17d383688 --- /dev/null +++ b/base/common/src/com/netscape/cms/evaluators/IPAddressAccessEvaluator.java @@ -0,0 +1,128 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.evaluators; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.evaluators.IAccessEvaluator; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.cmsutil.util.Utils; + +/** + * A class represents a IP address acls evaluator. + * <P> + * + * @version $Revision$, $Date$ + */ +public class IPAddressAccessEvaluator implements IAccessEvaluator { + private String mType = "ipaddress"; + private String mDescription = "IP Address evaluator"; + private ILogger mLogger = CMS.getLogger(); + + /** + * Class constructor. + */ + public IPAddressAccessEvaluator() { + } + + /** + * initialization. nothing for now. + */ + public void init() { + } + + /** + * gets the type name for this acl evaluator + * + * @return type for this acl evaluator: ipaddress + */ + public String getType() { + return mType; + } + + /** + * gets the description for this acl evaluator + * + * @return description for this acl evaluator + */ + public String getDescription() { + return mDescription; + } + + public String[] getSupportedOperators() { + String[] s = new String[2]; + + s[0] = "="; + s[1] = "!="; + return s; + } + + /** + * Gets the IP address from session context + * + * @param authToken authentication token + * @param type must be "ipaddress" + * @param op must be "=" or "!=" + * @param value the ipaddress + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + + return evaluate(type, op, value); + } + + /** + * evaluates uid in SessionContext to see if it has membership in + * group value + * + * @param type must be "group" + * @param op must be "=" + * @param value the group name + * @return true if SessionContext uid belongs to the group value, + * false otherwise + */ + public boolean evaluate(String type, String op, String value) { + + SessionContext mSC = SessionContext.getContext(); + + value = Utils.stripQuotes(value); + String ipaddress = (String) mSC.get(SessionContext.IPADDRESS); + + if (type.equals(mType)) { + if (ipaddress == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUATOR_IPADDRESS_NULL")); + return false; + } + if (op.equals("=")) { + return ipaddress.matches(value); + } else { + return !(ipaddress.matches(value)); + } + + } + + return false; + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, + level, "GroupAccessEvaluator: " + msg); + } +} diff --git a/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java b/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java new file mode 100644 index 000000000..bf7727c92 --- /dev/null +++ b/base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java @@ -0,0 +1,153 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.evaluators; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.evaluators.IAccessEvaluator; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.usrgrp.IUser; +import com.netscape.cmsutil.util.Utils; + +/** + * A class represents a user acls evaluator. + * <P> + * + * @version $Revision$, $Date$ + */ +public class UserAccessEvaluator implements IAccessEvaluator { + private String mType = "user"; + private String mDescription = "user equivalence evaluator"; + private ILogger mLogger = CMS.getLogger(); + + private final static String ANYBODY = "anybody"; + private final static String EVERYBODY = "everybody"; + + /** + * Class constructor. + */ + public UserAccessEvaluator() { + } + + /** + * initialization. nothing for now. + */ + public void init() { + CMS.debug("UserAccessEvaluator: init"); + } + + /** + * gets the type name for this acl evaluator + * + * @return type for this acl evaluator: "user" or "at_user" + */ + public String getType() { + return mType; + } + + /** + * gets the description for this acl evaluator + * + * @return description for this acl evaluator + */ + public String getDescription() { + return mDescription; + } + + public String[] getSupportedOperators() { + String[] s = new String[2]; + + s[0] = "="; + s[1] = "!="; + return s; + } + + /** + * Evaluates the user in AuthToken to see if it's equal to value + * + * @param authToken AuthToken from authentication + * @param type must be "at_user" + * @param op must be "=" + * @param value the user id + * @return true if AuthToken uid is same as value, false otherwise + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + + if (type.equals(mType)) { + String s = Utils.stripQuotes(value); + + if ((s.equals(ANYBODY) || s.equals(EVERYBODY)) && op.equals("=")) + return true; + + // should define "uid" at a common place + String uid = null; + + uid = authToken.getInString("uid"); + + if (uid == null) { + log(ILogger.LL_FAILURE, CMS.getLogMessage("EVALUTOR_UID_IS_NULL")); + return false; + } + + if (op.equals("=")) + return s.equalsIgnoreCase(uid); + else if (op.equals("!=")) + return !(s.equalsIgnoreCase(uid)); + } + + return false; + } + + /** + * Evaluates the user in session context to see if it's equal to value + * + * @param type must be "user" + * @param op must be "=" + * @param value the user id + * @return true if SessionContext uid is same as value, false otherwise + */ + public boolean evaluate(String type, String op, String value) { + + SessionContext mSC = SessionContext.getContext(); + + if (type.equals(mType)) { + String s = Utils.stripQuotes(value); + + if (s.equals(ANYBODY) && op.equals("=")) + return true; + + IUser id = (IUser) mSC.get(SessionContext.USER); + + if (op.equals("=")) + return s.equalsIgnoreCase(id.getName()); + else if (op.equals("!=")) + return !(s.equalsIgnoreCase(id.getName())); + } + + return false; + } + + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, + level, "UserAccessEvaluator: " + msg); + } + +} diff --git a/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java b/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java new file mode 100644 index 000000000..442828e75 --- /dev/null +++ b/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java @@ -0,0 +1,165 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2008 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.evaluators; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.evaluators.IAccessEvaluator; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.usrgrp.IUser; +import com.netscape.cmsutil.util.Utils; + +/** + * A class represents a user-origreq uid mapping acls evaluator. + * This is primarily used for renewal. During renewal, the orig_req + * uid is placed in the SessionContext of the renewal session context + * to be evaluated by this evaluator + * <P> + * + * @author Christina Fu + * @version $Revision$, $Date$ + */ +public class UserOrigReqAccessEvaluator implements IAccessEvaluator { + private String mType = "user_origreq"; + private String mDescription = "user origreq matching evaluator"; + private ILogger mLogger = CMS.getLogger(); + + private final static String ANYBODY = "anybody"; + private final static String EVERYBODY = "everybody"; + + /** + * Class constructor. + */ + public UserOrigReqAccessEvaluator() { + } + + /** + * initialization. nothing for now. + */ + public void init() { + CMS.debug("UserOrigReqAccessEvaluator: init"); + } + + /** + * gets the type name for this acl evaluator + * + * @return type for this acl evaluator: "user_origreq" or "at_user_origreq" + */ + public String getType() { + return mType; + } + + /** + * gets the description for this acl evaluator + * + * @return description for this acl evaluator + */ + public String getDescription() { + return mDescription; + } + + public String[] getSupportedOperators() { + String[] s = new String[2]; + + s[0] = "="; + s[1] = "!="; + return s; + } + + /** + * Evaluates the user in AuthToken to see if it's equal to value + * + * @param authToken AuthToken from authentication + * @param type must be "at_userreq" + * @param op must be "=" + * @param value the request param name + * @return true if AuthToken uid is same as value, false otherwise + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + CMS.debug("UserOrigReqAccessEvaluator: evaluate() begins"); + if (type.equals(mType)) { + String s = Utils.stripQuotes(value); + + if ((s.equals(ANYBODY) || s.equals(EVERYBODY)) && op.equals("=")) + return true; + + // should define "uid" at a common place + String uid = null; + + uid = authToken.getInString("uid"); + + if (uid == null) { + CMS.debug("UserOrigReqAccessEvaluator: evaluate() uid in authtoken null"); + return false; + } else + CMS.debug("UserOrigReqAccessEvaluator: evaluate() uid in authtoken =" + uid); + + // find value of param in request + SessionContext mSC = SessionContext.getContext(); + CMS.debug("UserOrigReqAccessEvaluator: evaluate() getting " + "orig_req." + s + " in SessionContext"); + // "orig_req.auth_token.uid" + String orig_id = (String) mSC.get("orig_req." + s); + + if (orig_id == null) { + CMS.debug("UserOrigReqAccessEvaluator: evaluate() orig_id null"); + return false; + } + CMS.debug("UserOrigReqAccessEvaluator: evaluate() orig_id =" + orig_id); + if (op.equals("=")) + return uid.equalsIgnoreCase(orig_id); + else if (op.equals("!=")) + return !(uid.equalsIgnoreCase(orig_id)); + } + + return false; + } + + /** + * Evaluates the user in session context to see if it's equal to value + * + * @param type must be "user_origreq" + * @param op must be "=" + * @param value the user id + * @return true if SessionContext uid is same as value, false otherwise + */ + public boolean evaluate(String type, String op, String value) { + + SessionContext mSC = SessionContext.getContext(); + + if (type.equals(mType)) { + // what do I do with s here? + String s = Utils.stripQuotes(value); + + if (s.equals(ANYBODY) && op.equals("=")) + return true; + + IUser id = (IUser) mSC.get(SessionContext.USER); + // "orig_req.auth_token.uid" + String orig_id = (String) mSC.get("orig_req" + s); + + if (op.equals("=")) + return id.getName().equalsIgnoreCase(orig_id); + else if (op.equals("!=")) + return !(id.getName().equalsIgnoreCase(orig_id)); + } + + return false; + } + +} |