diff options
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java')
| -rw-r--r-- | pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java | 171 |
1 files changed, 171 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java b/pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java new file mode 100644 index 000000000..e5faeeff5 --- /dev/null +++ b/pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java @@ -0,0 +1,171 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2008 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.cms.evaluators; + + +import com.netscape.certsrv.base.*; +import com.netscape.certsrv.usrgrp.*; +import com.netscape.certsrv.evaluators.*; +import com.netscape.certsrv.authentication.*; +import com.netscape.certsrv.logging.*; +import com.netscape.certsrv.acls.*; +import com.netscape.certsrv.apps.*; +import com.netscape.certsrv.usrgrp.*; +import com.netscape.cmsutil.util.*; + + +/** + * A class represents a user-origreq uid mapping acls evaluator. + * This is primarily used for renewal. During renewal, the orig_req + * uid is placed in the SessionContext of the renewal session context + * to be evaluated by this evaluator + * <P> + * + * @author Christina Fu + * @version $Revision$, $Date$ + */ +public class UserOrigReqAccessEvaluator implements IAccessEvaluator { + private String mType = "user_origreq"; + private String mDescription = "user origreq matching evaluator"; + private ILogger mLogger = CMS.getLogger(); + + private final static String ANYBODY = "anybody"; + private final static String EVERYBODY = "everybody"; + + /** + * Class constructor. + */ + public UserOrigReqAccessEvaluator() { + } + + /** + * initialization. nothing for now. + */ + public void init() { + CMS.debug("UserOrigReqAccessEvaluator: init"); + } + + /** + * gets the type name for this acl evaluator + * @return type for this acl evaluator: "user_origreq" or "at_user_origreq" + */ + public String getType() { + return mType; + } + + /** + * gets the description for this acl evaluator + * @return description for this acl evaluator + */ + public String getDescription() { + return mDescription; + } + + public String[] getSupportedOperators() { + String[] s = new String[2]; + + s[0] = "="; + s[1] = "!="; + return s; + } + + /** + * Evaluates the user in AuthToken to see if it's equal to value + * @param authToken AuthToken from authentication + * @param type must be "at_userreq" + * @param op must be "=" + * @param value the request param name + * @return true if AuthToken uid is same as value, false otherwise + */ + public boolean evaluate(IAuthToken authToken, String type, String op, String value) { + CMS.debug("UserOrigReqAccessEvaluator: evaluate() begins"); + if (type.equals(mType)) { + String s = Utils.stripQuotes(value); + + if ((s.equals(ANYBODY) || s.equals(EVERYBODY)) && op.equals("=")) + return true; + + // should define "uid" at a common place + String uid = null; + + uid = authToken.getInString("uid"); + + if (uid == null) { + CMS.debug("UserOrigReqAccessEvaluator: evaluate() uid in authtoken null"); + return false; + } else + CMS.debug("UserOrigReqAccessEvaluator: evaluate() uid in authtoken ="+ uid); + + // find value of param in request + SessionContext mSC = SessionContext.getContext(); + CMS.debug("UserOrigReqAccessEvaluator: evaluate() getting "+"orig_req."+s+ " in SessionContext"); + // "orig_req.auth_token.uid" + String orig_id = (String) mSC.get("orig_req."+s); + + if (orig_id == null) { + CMS.debug("UserOrigReqAccessEvaluator: evaluate() orig_id null"); + return false; + } + CMS.debug("UserOrigReqAccessEvaluator: evaluate() orig_id ="+ orig_id); + if (op.equals("=")) + return uid.equalsIgnoreCase(orig_id); + else if (op.equals("!=")) + return !(uid.equalsIgnoreCase(orig_id)); + } + + return false; + } + + /** + * Evaluates the user in session context to see if it's equal to value + * @param type must be "user_origreq" + * @param op must be "=" + * @param value the user id + * @return true if SessionContext uid is same as value, false otherwise + */ + public boolean evaluate(String type, String op, String value) { + + SessionContext mSC = SessionContext.getContext(); + + if (type.equals(mType)) { +// what do I do with s here? + String s = Utils.stripQuotes(value); + + if (s.equals(ANYBODY) && op.equals("=")) + return true; + + IUser id = (IUser) mSC.get(SessionContext.USER); + // "orig_req.auth_token.uid" + String orig_id = (String) mSC.get("orig_req"+s); + + if (op.equals("=")) + return id.getName().equalsIgnoreCase(orig_id); + else if (op.equals("!=")) + return !(id.getName().equalsIgnoreCase(orig_id)); + } + + return false; + } + private void log(int level, String msg) { + if (mLogger == null) + return; + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_ACLS, + level, "UserOrigReqAccessEvaluator: " + msg); + } + +} |