Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java | 885 |
1 files changed, 462 insertions, 423 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java b/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java index 151fef180..95d668283 100644 --- a/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java +++ b/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cmscore.policy; + import java.util.Enumeration; import java.util.Hashtable; import java.util.StringTokenizer; @@ -47,17 +48,20 @@ import com.netscape.cmscore.request.ARequestQueue; import com.netscape.cmscore.util.AssertionException; import com.netscape.cmscore.util.Debug; + /** - * This is a Generic policy processor. The three main functions of this class - * are: 1. To initialize policies by reading policy configuration from the - * config file, and maintain 5 sets of policies - viz Enrollment, Renewal, - * Revocation and KeyRecovery and KeyArchival. 2. To apply the configured - * policies on the given request. 3. To enable policy listing/configuration via - * MCC console. - * - * Since the policy processor also implements the IPolicy interface the - * processor itself presents itself as one big policy to the request processor. - * + * This is a Generic policy processor. The three main functions of + * this class are: + * 1. To initialize policies by reading policy configuration from the + * config file, and maintain 5 sets of policies - viz Enrollment, + * Renewal, Revocation and KeyRecovery and KeyArchival. + * 2. To apply the configured policies on the given request. + * 3. To enable policy listing/configuration via MCC console. + * + * Since the policy processor also implements the IPolicy interface + * the processor itself presents itself as one big policy to the + * request processor. + * * @author kanda * @version $Revision$, $Date$ */ 
@@ -67,10 +71,12 @@ public class GenericPolicyProcessor implements IPolicyProcessor { protected IAuthority mAuthority = null; // Default System Policies - public final static String[] DEF_POLICIES = { "com.netscape.cms.policy.constraints.ManualAuthentication" }; + public final static String[] DEF_POLICIES = + {"com.netscape.cms.policy.constraints.ManualAuthentication"}; // Policies that can't be deleted nor disabled. - public final static Hashtable DEF_UNDELETABLE_POLICIES = new Hashtable(); + public final static Hashtable DEF_UNDELETABLE_POLICIES = + new Hashtable(); private String mId = "Policy"; private Vector mPolicyOrder = new Vector(); @@ -119,9 +125,9 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } /** - * Returns the configuration store. + * Returns the configuration store. * <P> - * + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -131,24 +137,24 @@ public class GenericPolicyProcessor implements IPolicyProcessor { /** * Initializes the PolicyProcessor * <P> - * + * * @param owner owner of this subsystem * @param config configuration of this subsystem * @exception EBaseException failed to initialize this Subsystem. */ public synchronized void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { // Debug.trace("GenericPolicyProcessor::init"); CMS.debug("GenericPolicyProcessor::init begins"); mAuthority = (IAuthority) owner; mConfig = config; - mGlobalStore = SubsystemRegistry.getInstance().get("MAIN") - .getConfigStore(); + mGlobalStore = + SubsystemRegistry.getInstance().get("MAIN").getConfigStore(); try { IConfigStore configStore = CMS.getConfigStore(); - String PKI_Subsystem = configStore - .getString("subsystem.0.id", null); + String PKI_Subsystem = configStore.getString( "subsystem.0.id", + null ); // CMS 6.1 began utilizing the "Certificate Profiles" framework // instead of the legacy "Certificate Policies" framework. 
@@ -158,31 +164,34 @@ public class GenericPolicyProcessor implements IPolicyProcessor { // that this legacy "Certificate Policies" framework would be // deprecated and disabled by default (see Bugzilla Bug #472597). // - // NOTE: The "Certificate Policies" framework ONLY applied to - // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems. + // NOTE: The "Certificate Policies" framework ONLY applied to + // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems. // - if (PKI_Subsystem.trim().equalsIgnoreCase("ca") - || PKI_Subsystem.trim().equalsIgnoreCase("kra")) { - String policyStatus = PKI_Subsystem.trim().toLowerCase() + "." - + "Policy" + "." + IPolicyProcessor.PROP_ENABLE; - - if (configStore.getBoolean(policyStatus, true) == true) { - // NOTE: If "<subsystem>.Policy.enable=<boolean>" is - // missing, then the referenced instance existed - // prior to this name=value pair existing in its - // 'CS.cfg' file, and thus we err on the - // side that the user may still need to - // use the policy framework. - CMS.debug("GenericPolicyProcessor::init Certificate " - + "Policy Framework (deprecated) " + "is ENABLED"); + if( PKI_Subsystem.trim().equalsIgnoreCase( "ca" ) || + PKI_Subsystem.trim().equalsIgnoreCase( "kra" ) ) { + String policyStatus = PKI_Subsystem.trim().toLowerCase() + + "." + "Policy" + + "." + IPolicyProcessor.PROP_ENABLE; + + if( configStore.getBoolean( policyStatus, true ) == true ) { + // NOTE: If "<subsystem>.Policy.enable=<boolean>" is + // missing, then the referenced instance existed + // prior to this name=value pair existing in its + // 'CS.cfg' file, and thus we err on the + // side that the user may still need to + // use the policy framework. 
+ CMS.debug( "GenericPolicyProcessor::init Certificate " + + "Policy Framework (deprecated) " + + "is ENABLED" ); } else { - // CS 8.1 Default: <subsystem>.Policy.enable=false - CMS.debug("GenericPolicyProcessor::init Certificate " - + "Policy Framework (deprecated) " + "is DISABLED"); + // CS 8.1 Default: <subsystem>.Policy.enable=false + CMS.debug( "GenericPolicyProcessor::init Certificate " + + "Policy Framework (deprecated) " + + "is DISABLED" ); return; } } - } catch (EBaseException e) { + } catch( EBaseException e ) { throw e; } 
@@ -206,38 +215,39 @@ public class GenericPolicyProcessor implements IPolicyProcessor { // The implementation id should be unique if (mImplTable.containsKey(id)) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_DUPLICATE_IMPL_ID", id)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_DUPLICATE_IMPL_ID", id)); String clPath = c.getString(id + "." + PROP_CLASS); // We should n't let the CatchAll policies to be configurable. if (isSystemDefaultPolicy(clPath)) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_SYSTEM_POLICY_CONFIG_ERROR", clPath)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_SYSTEM_POLICY_CONFIG_ERROR", clPath)); - // Verify if the class is a valid implementation of - // IPolicyRule + // Verify if the class is a valid implementation of + // IPolicyRule try { Object o = Class.forName(clPath).newInstance(); - if (!(o instanceof IEnrollmentPolicy) - && !(o instanceof IRenewalPolicy) - && !(o instanceof IRevocationPolicy) - && !(o instanceof IKeyRecoveryPolicy) - && !(o instanceof IKeyArchivalPolicy)) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_IMPL", clPath)); + if (!(o instanceof IEnrollmentPolicy) && + !(o instanceof IRenewalPolicy) && + !(o instanceof IRevocationPolicy) && + !(o instanceof IKeyRecoveryPolicy) && + !(o instanceof IKeyArchivalPolicy)) + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_IMPL", clPath)); } catch (EBaseException e) { throw e; } catch (Exception e) { Debug.printStackTrace(e); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_NO_POLICY_IMPL", id)); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL", + id)); } // Register the implementation. - RegisteredPolicy regPolicy = new RegisteredPolicy(id, clPath); + RegisteredPolicy regPolicy = + new RegisteredPolicy(id, clPath); mImplTable.put(id, regPolicy); } 
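Review bot: In the implementation-loading code, `Class.forName(clPath).newInstance()` instantiates whatever class name the configuration store supplies before the `instanceof` checks decide whether it is a policy at all, so the static initializers and no-arg constructor of any class on the classpath run first. Loading without initialization and testing the type before constructing would close that gap, e.g. `Class<?> k = Class.forName(clPath, false, getClass().getClassLoader());` followed by an `isAssignableFrom` test against the five policy interfaces and only then `k.newInstance()`. The same order appears in the `addPolicyImpl` hunk (`@@ -575,58 +585,60 @@`), where `classPath` is a caller-supplied argument and the catch block also discards the original exception. The enclosing method starts and ends outside this hunk.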
@@ -265,13 +275,13 @@ public class GenericPolicyProcessor implements IPolicyProcessor { // The instance id should be unique if (mInstanceTable.containsKey(instanceName)) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_DUPLICATE_INST_ID", instanceName)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_DUPLICATE_INST_ID", instanceName)); c = ruleStore.getSubStore(instanceName); if (c == null || c.size() == 0) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_NO_POLICY_CONFIG", instanceName)); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_CONFIG", + instanceName)); IPolicyRule rule = null; String implName; boolean enabled; 
@@ -280,41 +290,40 @@ public class GenericPolicyProcessor implements IPolicyProcessor { // If the policy rule is not enabled, skip it. String enabledStr = c.getString(PROP_ENABLE, null); - if (enabledStr == null || enabledStr.trim().length() == 0 - || enabledStr.trim().equalsIgnoreCase("true")) + if (enabledStr == null || enabledStr.trim().length() == 0 || + enabledStr.trim().equalsIgnoreCase("true")) enabled = true; else enabled = false; implName = c.getString(PROP_IMPL_NAME, null); if (implName == null) { - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_NO_POLICY_CONFIG", instanceName)); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_CONFIG", + instanceName)); } // Make an instance of the specified policy. - RegisteredPolicy regPolicy = (RegisteredPolicy) mImplTable - .get(implName); + RegisteredPolicy regPolicy = + (RegisteredPolicy) mImplTable.get(implName); if (regPolicy == null) { - String[] params = { implName, instanceName }; + String[] params = {implName, instanceName}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_IMPL_NOT_FOUND", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_IMPL_NOT_FOUND", params)); } - + String classpath = regPolicy.getClassPath(); try { - rule = (IPolicyRule) Class.forName(classpath).newInstance(); + rule = (IPolicyRule) + Class.forName(classpath).newInstance(); if (rule instanceof IPolicyRule) ((IPolicyRule) rule).setInstanceName(instanceName); rule.init(this, c); } catch (Throwable e) { - mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSCORE_POLICY_INIT_FAILED", instanceName, - e.toString())); - // disable rule initialized if there is + mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_POLICY_INIT_FAILED", instanceName, e.toString())); + // disable rule initialized if there is // configuration error enabled = false; c.putString(PROP_ENABLE, "false"); 
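Review bot: The `catch (Throwable e)` around `rule.init(this, c)` turns any failure to load or initialize a configured rule into `enabled = false` plus one log entry, and the following hunk skips `addRule` for disabled rules, so a constraint the operator configured appears to stop being enforced without the subsystem refusing to start — the policy set fails open. Catching `Throwable` also absorbs `Error`s such as `LinkageError` that usually should propagate. If disabling is the intended best-effort behaviour, the code should say so, e.g. `// Fail-open by design: a rule that cannot initialize is disabled, not fatal; requests are processed without it.`, and the catch could be narrowed to `Exception`. The catch block and the enclosing loop continue outside this hunk.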
@@ -323,10 +332,9 @@ public class GenericPolicyProcessor implements IPolicyProcessor { if (rule == null) continue; - // Read the predicate expression if any associated - // with the rule - String exp = c.getString(GenericPolicyProcessor.PROP_PREDICATE, - null); + // Read the predicate expression if any associated + // with the rule + String exp = c.getString(GenericPolicyProcessor.PROP_PREDICATE, null); if (exp != null) exp = exp.trim(); @@ -336,14 +344,14 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } // Add the rule to the instance table - mInstanceTable.put(instanceName, new PolicyInstance(instanceName, - implName, rule, enabled)); + mInstanceTable.put(instanceName, + new PolicyInstance(instanceName, implName, rule, enabled)); if (!enabled) continue; - // Add the rule to the policy set according to category if a - // rule is enabled. + // Add the rule to the policy set according to category if a + // rule is enabled. addRule(instanceName, rule); } @@ -364,8 +372,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor { /** * Apply policies on the given request. - * - * @param IRequest The given request + * + * @param IRequest The given request * @return The policy result object. */ public PolicyResult apply(IRequest req) { 
@@ -375,19 +383,18 @@ public class GenericPolicyProcessor implements IPolicyProcessor { CMS.debug("GenericPolicyProcessor: apply begins"); if (op == null) { CMS.debug("GenericPolicyProcessor: apply op null"); - // throw new - // AssertionException("Missing operation type in request. Can't happen!"); - // Return ACCEPTED for now. Looks like even get CA chain - // is being passed in here with request type set elsewhere - // on the request. + // throw new AssertionException("Missing operation type in request. Can't happen!"); + // Return ACCEPTED for now. Looks like even get CA chain + // is being passed in here with request type set elsewhere + // on the request. return PolicyResult.ACCEPTED; } if (isProfileRequest(req)) { - Debug.trace("GenericPolicyProcessor: Profile-base Request " - + req.getRequestId().toString()); + Debug.trace("GenericPolicyProcessor: Profile-base Request " + + req.getRequestId().toString()); return PolicyResult.ACCEPTED; } - CMS.debug("GenericPolicyProcessor: apply not ProfileRequest. op=" + op); + CMS.debug("GenericPolicyProcessor: apply not ProfileRequest. op="+op); if (op.equalsIgnoreCase(IRequest.ENROLLMENT_REQUEST)) rules = mEnrollmentRules; @@ -402,8 +409,7 @@ public class GenericPolicyProcessor implements IPolicyProcessor { else { // It aint' a CMP request. We don't care. return PolicyResult.ACCEPTED; - // throw new - // AssertionException("Invalid request type. Can't Happen!"); + // throw new AssertionException("Invalid request type. Can't Happen!"); } // ((PolicySet)rules).printPolicies(); 
@@ -415,11 +421,11 @@ public class GenericPolicyProcessor implements IPolicyProcessor { return PolicyResult.ACCEPTED; /** - * setError(req, PolicyResources.NO_RULES_CONFIGURED, op); return - * PolicyResult.REJECTED; + setError(req, PolicyResources.NO_RULES_CONFIGURED, op); + return PolicyResult.REJECTED; **/ } - CMS.debug("GenericPolicyProcessor: apply: rules.count=" + rules.count()); + CMS.debug("GenericPolicyProcessor: apply: rules.count="+ rules.count()); // request must be up to date or can't process it. PolicyResult res = PolicyResult.ACCEPTED; @@ -472,12 +478,12 @@ public class GenericPolicyProcessor implements IPolicyProcessor { try { while (enum1.hasMoreElements()) { - RegisteredPolicy regPolicy = (RegisteredPolicy) enum1 - .nextElement(); + RegisteredPolicy regPolicy = + (RegisteredPolicy) enum1.nextElement(); // Make an Instance of it - IPolicyRule ruleImpl = (IPolicyRule) Class.forName( - regPolicy.getClassPath()).newInstance(); + IPolicyRule ruleImpl = (IPolicyRule) + Class.forName(regPolicy.getClassPath()).newInstance(); impls.addElement(ruleImpl); } @@ -495,8 +501,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor { try { while (enum1.hasMoreElements()) { - RegisteredPolicy regPolicy = (RegisteredPolicy) enum1 - .nextElement(); + RegisteredPolicy regPolicy = + (RegisteredPolicy) enum1.nextElement(); impls.addElement(regPolicy.getId()); @@ -509,15 +515,16 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } public IPolicyRule getPolicyImpl(String id) { - RegisteredPolicy regImpl = (RegisteredPolicy) mImplTable.get(id); + RegisteredPolicy regImpl = (RegisteredPolicy) + mImplTable.get(id); if (regImpl == null) return null; IPolicyRule impl = null; try { - impl = (IPolicyRule) Class.forName(regImpl.getClassPath()) - .newInstance(); + impl = + (IPolicyRule) Class.forName(regImpl.getClassPath()).newInstance(); } catch (Exception e) { Debug.printStackTrace(e); } 
@@ -538,15 +545,17 @@ public class GenericPolicyProcessor implements IPolicyProcessor { return v; } - public void deletePolicyImpl(String id) throws EBaseException { + public void deletePolicyImpl(String id) + throws EBaseException { // First check if the id is valid; - RegisteredPolicy regPolicy = (RegisteredPolicy) mImplTable.get(id); + RegisteredPolicy regPolicy = + (RegisteredPolicy) mImplTable.get(id); if (regPolicy == null) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_NO_POLICY_IMPL", id)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL", id)); - // If any instance exists for this impl, can't delete it. + // If any instance exists for this impl, can't delete it. boolean instanceExist = false; Enumeration e = mInstanceTable.elements(); @@ -559,14 +568,15 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } } if (instanceExist) // we found an instance - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_ACTIVE_POLICY_RULES_EXIST", id)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_ACTIVE_POLICY_RULES_EXIST", id)); - // Else delete the implementation + // Else delete the implementation mImplTable.remove(id); - IConfigStore policyStore = mGlobalStore - .getSubStore(getPolicySubstoreId()); - IConfigStore implStore = policyStore.getSubStore(PROP_IMPL); + IConfigStore policyStore = + mGlobalStore.getSubStore(getPolicySubstoreId()); + IConfigStore implStore = + policyStore.getSubStore(PROP_IMPL); implStore.removeSubStore(id); 
@@ -575,58 +585,60 @@ public class GenericPolicyProcessor implements IPolicyProcessor { mGlobalStore.commit(true); } catch (Exception ex) { Debug.printStackTrace(ex); - String[] params = { "implementation", id }; + String[] params = {"implementation", id}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_DELETING_POLICY_ERROR", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_DELETING_POLICY_ERROR", params)); } } public void addPolicyImpl(String id, String classPath) - throws EBaseException { + throws EBaseException { // See if the id is unique if (mImplTable.containsKey(id)) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_DUPLICATE_IMPL_ID", id)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_DUPLICATE_IMPL_ID", id)); - // See if the classPath is ok + // See if the classPath is ok Object impl = null; try { impl = Class.forName(classPath).newInstance(); - } catch (Exception e) { - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_NO_POLICY_IMPL", id)); + }catch (Exception e) { + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL", + id)); } // Does the class implement one of the four interfaces? 
- if (!(impl instanceof IEnrollmentPolicy) - && !(impl instanceof IRenewalPolicy) - && !(impl instanceof IRevocationPolicy) - && !(impl instanceof IKeyRecoveryPolicy) - && !(impl instanceof IKeyArchivalPolicy)) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_IMPL", classPath)); - - // Add the implementation to the registry - RegisteredPolicy regPolicy = new RegisteredPolicy(id, classPath); + if (!(impl instanceof IEnrollmentPolicy) && + !(impl instanceof IRenewalPolicy) && + !(impl instanceof IRevocationPolicy) && + !(impl instanceof IKeyRecoveryPolicy) && + !(impl instanceof IKeyArchivalPolicy)) + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_IMPL", classPath)); + + // Add the implementation to the registry + RegisteredPolicy regPolicy = + new RegisteredPolicy(id, classPath); mImplTable.put(id, regPolicy); // Store the impl in the configuration. - IConfigStore policyStore = mGlobalStore - .getSubStore(getPolicySubstoreId()); - IConfigStore implStore = policyStore.getSubStore(PROP_IMPL); + IConfigStore policyStore = + mGlobalStore.getSubStore(getPolicySubstoreId()); + IConfigStore implStore = + policyStore.getSubStore(PROP_IMPL); IConfigStore newStore = implStore.makeSubStore(id); newStore.put(PROP_CLASS, classPath); try { mGlobalStore.commit(true); } catch (Exception e) { - String[] params = { "implementation", id }; + String[] params = {"implementation", id}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_ADDING_POLICY_ERROR", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_ADDING_POLICY_ERROR", params)); } } @@ -637,8 +649,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor { try { while (enum1.hasMoreElements()) { - PolicyInstance instance = (PolicyInstance) mInstanceTable - .get((String) enum1.nextElement()); + PolicyInstance instance = + (PolicyInstance) mInstanceTable.get((String) enum1.nextElement()); rules.addElement(instance.getRule()); 
@@ -658,8 +670,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor { try { while (enum1.hasMoreElements()) { String ruleName = (String) enum1.nextElement(); - PolicyInstance instance = (PolicyInstance) mInstanceTable - .get(ruleName); + PolicyInstance instance = + (PolicyInstance) mInstanceTable.get(ruleName); rules.addElement(instance.getRuleInfo()); } @@ -671,13 +683,15 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } public IPolicyRule getPolicyInstance(String id) { - PolicyInstance policyInstance = (PolicyInstance) mInstanceTable.get(id); + PolicyInstance policyInstance = (PolicyInstance) + mInstanceTable.get(id); return (policyInstance == null) ? null : policyInstance.getRule(); } public Vector getPolicyInstanceConfig(String id) { - PolicyInstance policyInstance = (PolicyInstance) mInstanceTable.get(id); + PolicyInstance policyInstance = (PolicyInstance) + mInstanceTable.get(id); if (policyInstance == null) return null; 
@@ -695,22 +709,25 @@ public class GenericPolicyProcessor implements IPolicyProcessor { return v; } - public void deletePolicyInstance(String id) throws EBaseException { + public void deletePolicyInstance(String id) + throws EBaseException { // If the rule is a persistent rule, we can't delete it. if (mUndeletablePolicies.containsKey(id)) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_CANT_DELETE_PERSISTENT_POLICY", id)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_CANT_DELETE_PERSISTENT_POLICY", id)); - // First check if the instance is present. - PolicyInstance instance = (PolicyInstance) mInstanceTable.get(id); + // First check if the instance is present. + PolicyInstance instance = + (PolicyInstance) mInstanceTable.get(id); if (instance == null) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_INSTANCE", id)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_INSTANCE", id)); - IConfigStore policyStore = mGlobalStore - .getSubStore(getPolicySubstoreId()); - IConfigStore instanceStore = policyStore.getSubStore(PROP_RULE); + IConfigStore policyStore = + mGlobalStore.getSubStore(getPolicySubstoreId()); + IConfigStore instanceStore = + policyStore.getSubStore(PROP_RULE); instanceStore.removeSubStore(id); @@ -730,10 +747,10 @@ public class GenericPolicyProcessor implements IPolicyProcessor { mPolicyOrder.insertElementAt(id, index); Debug.printStackTrace(e); - String[] params = { "instance", id }; + String[] params = {"instance", id}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_DELETING_POLICY_ERROR", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_DELETING_POLICY_ERROR", params)); } IPolicyRule rule = instance.getRule(); 
@@ -749,30 +766,31 @@ public class GenericPolicyProcessor implements IPolicyProcessor { if (rule instanceof IKeyArchivalPolicy) mKeyArchivalRules.removeRule(id); - // Delete the instance + // Delete the instance mInstanceTable.remove(id); } public void addPolicyInstance(String id, Hashtable ht) - throws EBaseException { + throws EBaseException { // The instance id should be unique if (getPolicyInstance(id) != null) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_DUPLICATE_INST_ID", id)); - // There should be an implmentation for this rule. + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_DUPLICATE_INST_ID", id)); + // There should be an implmentation for this rule. String implName = (String) ht.get(IPolicyRule.PROP_IMPLNAME); // See if there is an implementation with this name. IPolicyRule rule = getPolicyImpl(implName); if (rule == null) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_NO_POLICY_IMPL", implName)); - - // Prepare config file entries. - IConfigStore policyStore = mGlobalStore - .getSubStore(getPolicySubstoreId()); - IConfigStore instanceStore = policyStore.getSubStore(PROP_RULE); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL", implName)); + + // Prepare config file entries. + IConfigStore policyStore = + mGlobalStore.getSubStore(getPolicySubstoreId()); + IConfigStore instanceStore = + policyStore.getSubStore(PROP_RULE); IConfigStore newStore = instanceStore.makeSubStore(id); for (Enumeration keys = ht.keys(); keys.hasMoreElements();) { @@ -783,7 +801,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } // Set the order string. - policyStore.put(PROP_ORDER, getRuleOrderString(mPolicyOrder, id)); + policyStore.put(PROP_ORDER, + getRuleOrderString(mPolicyOrder, id)); // Try to initialize this rule. rule.init(this, newStore); 
@@ -792,11 +811,11 @@ public class GenericPolicyProcessor implements IPolicyProcessor { String enabledStr = (String) ht.get(IPolicyRule.PROP_ENABLE); boolean active = false; - if (enabledStr == null || enabledStr.trim().length() == 0 - || enabledStr.equalsIgnoreCase("true")) + if (enabledStr == null || enabledStr.trim().length() == 0 || + enabledStr.equalsIgnoreCase("true")) active = true; - // Set the predicate if any present on the rule. + // Set the predicate if any present on the rule. String predicate = ((String) ht.get(IPolicyRule.PROP_PREDICATE)).trim(); IExpression exp = null; @@ -808,15 +827,15 @@ public class GenericPolicyProcessor implements IPolicyProcessor { try { mGlobalStore.commit(true); } catch (Exception e) { - String[] params = { "instance", id }; + String[] params = {"instance", id}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_ADDING_POLICY_ERROR", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_ADDING_POLICY_ERROR", params)); } // Add the rule to the instance table. - PolicyInstance policyInst = new PolicyInstance(id, implName, rule, - active); + PolicyInstance policyInst = new PolicyInstance(id, implName, + rule, active); mInstanceTable.put(id, policyInst); 
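Review bot: `((String) ht.get(IPolicyRule.PROP_PREDICATE)).trim()` throws a `NullPointerException` when the caller's table has no predicate entry, because `Hashtable.get` returns null for a missing key, while the `enabledStr` lookup just above it is null-checked. The preceding hunk has by then created the new substore and written `PROP_ORDER`, so the failure would seemingly leave the in-memory configuration partly updated. A guarded read such as `String predicate = (String) ht.get(IPolicyRule.PROP_PREDICATE); if (predicate != null) predicate = predicate.trim();` avoids that, with any later use of `predicate` adjusted to accept null. The same expression appears in the `modifyPolicyInstance` hunk (`@@ -831,79 +850,84 @@`), where `implId.equals(...)` has the same problem for a missing implementation name. The method begins before this hunk and ends after it.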
@@ -831,79 +850,84 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } public void modifyPolicyInstance(String id, Hashtable ht) - throws EBaseException { + throws EBaseException { // The instance id should be there already - PolicyInstance policyInstance = (PolicyInstance) mInstanceTable.get(id); + PolicyInstance policyInstance = (PolicyInstance) + mInstanceTable.get(id); if (policyInstance == null) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_INSTANCE", id)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_INSTANCE", id)); IPolicyRule rule = policyInstance.getRule(); // The impl id shouldn't change String implId = (String) ht.get(IPolicyRule.PROP_IMPLNAME); if (!implId.equals(policyInstance.getImplId())) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_IMPLCHANGE_ERROR", id)); - - // Make a new rule instance + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_IMPLCHANGE_ERROR", id)); + + // Make a new rule instance IPolicyRule newRule = getPolicyImpl(implId); if (newRule == null) // Can't happen, but just in case.. - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_IMPL", implId)); - - // Try to init this rule. - IConfigStore policyStore = mGlobalStore - .getSubStore(getPolicySubstoreId()); - IConfigStore instanceStore = policyStore.getSubStore(PROP_RULE); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_IMPL", implId)); + + // Try to init this rule. + IConfigStore policyStore = + mGlobalStore.getSubStore(getPolicySubstoreId()); + IConfigStore instanceStore = + policyStore.getSubStore(PROP_RULE); IConfigStore oldStore = instanceStore.getSubStore(id); IConfigStore newStore = new PropConfigStore(id); - + // See if the rule is disabled. 
String enabledStr = (String) ht.get(IPolicyRule.PROP_ENABLE); boolean active = false; - if (enabledStr == null || enabledStr.trim().length() == 0 - || enabledStr.equalsIgnoreCase("true")) + if (enabledStr == null || enabledStr.trim().length() == 0 || + enabledStr.equalsIgnoreCase("true")) active = true; - // Set the predicate expression. + // Set the predicate expression. String predicate = ((String) ht.get(IPolicyRule.PROP_PREDICATE)).trim(); IExpression exp = null; if (predicate.trim().length() > 0) exp = PolicyPredicateParser.parse(predicate.trim()); - // See if this a persistent rule. + // See if this a persistent rule. if (mUndeletablePolicies.containsKey(id)) { // A persistent rule can't be disabled. if (!active) { - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PERSISTENT_RULE_INACTIVE", id)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_INACTIVE", id)); } - IExpression defPred = (IExpression) mUndeletablePolicies.get(id); + IExpression defPred = (IExpression) + mUndeletablePolicies.get(id); if (defPred == SimpleExpression.NULL_EXPRESSION) defPred = null; if (exp == null && defPred != null) { - String[] params = { id, defPred.toString(), "null" }; + String[] params = {id, defPred.toString(), + "null" }; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); } else if (exp != null && defPred == null) { - String[] params = { id, "null", exp.toString() }; + String[] params = {id, "null", exp.toString()}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); } else if (exp != null && defPred != null) { if (!defPred.toString().equals(exp.toString())) { - String[] params = { id, defPred.toString(), exp.toString() }; + String[] 
params = {id, defPred.toString(), + exp.toString() }; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); } } } @@ -911,8 +935,9 @@ public class GenericPolicyProcessor implements IPolicyProcessor { // Predicate for the persistent rule can't be changed. ht.put(IPolicyRule.PROP_ENABLE, String.valueOf(active)); - // put old config store parameters first. - for (Enumeration oldkeys = oldStore.keys(); oldkeys.hasMoreElements();) { + // put old config store parameters first. + for (Enumeration oldkeys = oldStore.keys(); + oldkeys.hasMoreElements();) { String k = (String) oldkeys.nextElement(); String v = (String) oldStore.getString(k); @@ -920,15 +945,15 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } // put modified params. - for (Enumeration newkeys = ht.keys(); newkeys.hasMoreElements();) { + for (Enumeration newkeys = ht.keys(); + newkeys.hasMoreElements();) { String k = (String) newkeys.nextElement(); String v = (String) ht.get(k); Debug.trace("newstore key " + k + "=" + v); if (v != null) { - if (!k.equals(Constants.OP_TYPE) - && !k.equals(Constants.OP_SCOPE) - && !k.equals(Constants.RS_ID) && !k.equals("RULENAME")) { + if (!k.equals(Constants.OP_TYPE) && !k.equals(Constants.OP_SCOPE) && + !k.equals(Constants.RS_ID) && !k.equals("RULENAME")) { Debug.trace("newstore.put(" + k + "=" + v + ")"); newStore.put(k, v); } 
@@ -938,15 +963,19 @@ public class GenericPolicyProcessor implements IPolicyProcessor { // include impl default params in case we missed any. /* - * for (Enumeration keys = ht.keys(); keys.hasMoreElements();) { String - * key = (String)keys.nextElement(); String val = (String)ht.get(key); - * newStore.put(key, val); } + for (Enumeration keys = ht.keys(); keys.hasMoreElements();) + { + String key = (String)keys.nextElement(); + String val = (String)ht.get(key); + newStore.put(key, val); + } */ + // Try to initialize this rule. newRule.init(this, newStore); - - // If we are successfully initialized, replace the rule + + // If we are successfully initialized, replace the rule // instance policyInstance.setRule(newRule); policyInstance.setActive(active); @@ -955,23 +984,24 @@ public class GenericPolicyProcessor implements IPolicyProcessor { if (exp != null) newRule.setPredicate(exp); - // Store the changes in the file. + // Store the changes in the file. try { for (Enumeration e = newStore.keys(); e.hasMoreElements();) { String key = (String) e.nextElement(); if (key != null) { - Debug.trace("oldstore.put(" + key + "," - + (String) newStore.getString(key) + ")"); + Debug.trace( + "oldstore.put(" + key + "," + + (String) newStore.getString(key) + ")"); oldStore.put(key, (String) newStore.getString(key)); } } mGlobalStore.commit(true); } catch (Exception e) { - String[] params = { "instance", id }; + String[] params = {"instance", id}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_ADDING_POLICY_ERROR", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_ADDING_POLICY_ERROR", params)); } // If rule is disabled, we need to remove it from the 
@@ -1002,8 +1032,9 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } } - public synchronized void changePolicyInstanceOrdering(String policyOrderStr) - throws EBaseException { + public synchronized void changePolicyInstanceOrdering( + String policyOrderStr) + throws EBaseException { Vector policyOrder = new Vector(); StringTokenizer tokens = new StringTokenizer(policyOrderStr, ","); @@ -1013,8 +1044,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor { // Check if we have that instance configured. if (!mInstanceTable.containsKey(instanceId)) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_INSTANCE", instanceId)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_INSTANCE", instanceId)); policyOrder.addElement(instanceId); } @@ -1034,12 +1065,12 @@ public class GenericPolicyProcessor implements IPolicyProcessor { // add system default rules first. try { for (int i = 0; i < mSystemDefaults.length; i++) { - String defRuleName = mSystemDefaults[i] - .substring(mSystemDefaults[i].lastIndexOf('.') + 1); - IPolicyRule defRule = (IPolicyRule) Class.forName( - mSystemDefaults[i]).newInstance(); - IConfigStore ruleConfig = mConfig.getSubStore(PROP_DEF_POLICIES - + "." + defRuleName); + String defRuleName = mSystemDefaults[i].substring( + mSystemDefaults[i].lastIndexOf('.') + 1); + IPolicyRule defRule = (IPolicyRule) + Class.forName(mSystemDefaults[i]).newInstance(); + IConfigStore ruleConfig = + mConfig.getSubStore(PROP_DEF_POLICIES + "." + defRuleName); defRule.init(this, ruleConfig); if (defRule instanceof IEnrollmentPolicy) 
@@ -1056,28 +1087,25 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } } catch (Throwable e) { Debug.printStackTrace(e); - EBaseException ex = new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", - "Cannot create default policy rule. Error: " - + e.getMessage())); + EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "Cannot create default policy rule. Error: " + e.getMessage())); - mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSCORE_POLICY_DEF_CREATE", e.toString())); + mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_POLICY_DEF_CREATE", e.toString())); throw ex; } // add rules specified in the new order. - for (Enumeration enum1 = policyOrder.elements(); enum1 - .hasMoreElements();) { + for (Enumeration enum1 = policyOrder.elements(); + enum1.hasMoreElements();) { String instanceName = (String) enum1.nextElement(); - PolicyInstance pInstance = (PolicyInstance) mInstanceTable - .get(instanceName); - + PolicyInstance pInstance = (PolicyInstance) + mInstanceTable.get(instanceName); + if (!pInstance.isActive()) continue; - // Add the rule to the policy set according to category if a - // rule is enabled. + // Add the rule to the policy set according to category if a + // rule is enabled. IPolicyRule rule = pInstance.getRule(); if (rule instanceof IEnrollmentPolicy) @@ -1101,8 +1129,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor { mPolicyOrder = policyOrder; // Now change the ordering in the config file. - IConfigStore policyStore = mGlobalStore - .getSubStore(getPolicySubstoreId()); + IConfigStore policyStore = + mGlobalStore.getSubStore(getPolicySubstoreId()); policyStore.put(PROP_ORDER, policyOrderStr); 
@@ -1111,8 +1139,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor { mGlobalStore.commit(true); } catch (Exception ex) { Debug.printStackTrace(ex); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_ORDER_ERROR", policyOrderStr)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_ORDER_ERROR", policyOrderStr)); } } 
@@ -1150,37 +1178,38 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } /** - * Initializes the default system policies. Currently there is only one - * policy - ManualAuthentication. More may be added later on. + * Initializes the default system policies. Currently there is only + * one policy - ManualAuthentication. More may be added later on. + * + * The default policies may be disabled - for example to over-ride + * agent approval for testing the system by setting the following + * property in the config file: * - * The default policies may be disabled - for example to over-ride agent - * approval for testing the system by setting the following property in the - * config file: + * <subsystemId>.Policy.systemPolicies.enable=false * - * <subsystemId>.Policy.systemPolicies.enable=false + * By default the value for this property is true. + * + * Users can over-ride the default system policies by listing their + * 'custom' system policies under the following property: * - * By default the value for this property is true. - * - * Users can over-ride the default system policies by listing their 'custom' - * system policies under the following property: - * - * <subsystemId>.Policy.systemPolicies=<system policy1 class path>, <system - * policy2 class path> - * - * There can only be one instance of the system policy in the system and - * will apply to all requests, and hence predicates are not used for a - * system policy. Due to the same reason, these properties are not - * configurable using the Console. + * <subsystemId>.Policy.systemPolicies=<system policy1 class path>, + * <system policy2 class path> + * + * There can only be one instance of the system policy in the system + * and will apply to all requests, and hence predicates are not used + * for a system policy. Due to the same reason, these properties are + * not configurable using the Console. 
* * A System policy may read config properties from a subtree under * <subsystemId>.Policy.systemPolicies.<ClassName>. An example is * ra.Policy.systemPolicies.ManualAuthentication.param1=value */ - private void initSystemPolicies(IConfigStore mConfig) throws EBaseException { + private void initSystemPolicies(IConfigStore mConfig) + throws EBaseException { // If system policies are disabled, return. No Deferral of // requests may be done. - String enable = mConfig.getString( - PROP_DEF_POLICIES + "." + PROP_ENABLE, "true").trim(); + String enable = mConfig.getString(PROP_DEF_POLICIES + "." + + PROP_ENABLE, "true").trim(); if (enable.equalsIgnoreCase("false")) { mSystemDefaults = DEF_POLICIES; @@ -1188,16 +1217,17 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } // Load default policies that are always present. - String configuredDefaults = mConfig.getString(PROP_DEF_POLICIES, null); + String configuredDefaults = mConfig.getString(PROP_DEF_POLICIES, + null); - if (configuredDefaults == null - || configuredDefaults.trim().length() == 0) + if (configuredDefaults == null || + configuredDefaults.trim().length() == 0) mSystemDefaults = DEF_POLICIES; else { Vector rules = new Vector(); - StringTokenizer tokenizer = new StringTokenizer( - configuredDefaults.trim(), ","); - + StringTokenizer tokenizer = new + StringTokenizer(configuredDefaults.trim(), ","); + while (tokenizer.hasMoreTokens()) { String rule = tokenizer.nextToken().trim(); 
@@ -1206,11 +1236,11 @@ public class GenericPolicyProcessor implements IPolicyProcessor { if (rules.size() > 0) { mSystemDefaults = new String[rules.size()]; rules.copyInto(mSystemDefaults); - } else + } else mSystemDefaults = DEF_POLICIES; } - - // Now Initialize the rules. These defaults have only one + + // Now Initialize the rules. These defaults have only one // instance and the rule name is the name of the class itself. // Any configuration parameters required could be read from // <subsystemId>.Policy.default.RuleName. 
@@ -1223,131 +1253,134 @@ public class GenericPolicyProcessor implements IPolicyProcessor { try { Object o = Class.forName(mSystemDefaults[i]).newInstance(); - if (!(o instanceof IEnrollmentPolicy) - && !(o instanceof IRenewalPolicy) - && !(o instanceof IRevocationPolicy) - && !(o instanceof IKeyRecoveryPolicy) - && !(o instanceof IKeyArchivalPolicy)) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_INVALID_POLICY_IMPL", - mSystemDefaults[i])); - + if (!(o instanceof IEnrollmentPolicy) && + !(o instanceof IRenewalPolicy) && + !(o instanceof IRevocationPolicy) && + !(o instanceof IKeyRecoveryPolicy) && + !(o instanceof IKeyArchivalPolicy)) + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_IMPL", + mSystemDefaults[i])); + IPolicyRule rule = (IPolicyRule) o; - + // Initialize the rule. - ruleName = mSystemDefaults[i].substring(mSystemDefaults[i] - .lastIndexOf('.') + 1); - IConfigStore ruleConfig = mConfig.getSubStore(PROP_DEF_POLICIES - + "." + ruleName); + ruleName = mSystemDefaults[i].substring( + mSystemDefaults[i].lastIndexOf('.') + 1); + IConfigStore ruleConfig = mConfig.getSubStore( + PROP_DEF_POLICIES + "." + ruleName); rule.init(this, ruleConfig); - + // Add the rule to the appropriate PolicySet. addRule(ruleName, rule); } catch (EBaseException e) { throw e; } catch (Exception e) { Debug.printStackTrace(e); - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_NO_POLICY_IMPL", ruleName)); + throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL", + ruleName)); } } } /** - * Read list of undeletable policies if any configured in the system. - * - * These are required to protect the system from being misconfigured to the - * point that the requests wouldn't serialize or certain fields in the - * certificate(s) being checked will go unchecked ..etc. 
- *
- * For now the following policies are undeletable:
- *
- * DirAuthRule: This is a default DirectoryAuthentication policy for user
- * certificates that interprets directory credentials. The presence of this
- * policy is needed if the OOTB DirectoryAuthentication-based automatic
- * certificate issuance is supported.
- *
- * DefaultUserNameRule: This policy verifies/sets subjectDn for user
- * certificates.
- *
- * DefaultServerNameRule: This policy verifies/sets subjectDn for server
- * certificates.
- *
- * DefaultValidityRule: Verifies/sets validty for all certificates.
- *
- * DefaultRenewalValidityRule: Verifies/sets validity for certs being
- * renewed.
- *
- * The 'undeletables' cannot be deleted from the config file, nor can the be
- * disabled. If any predicates are associated with them the predicates can't
- * be changed either. But, other config parameters such as maxValidity,
- * renewalInterval ..etc can be changed to suit local policy requirements.
- *
- * During start up the policy processor will verify if the undeletables are
- * present, and that they are enabled and that their predicates are not
- * changed.
- *
- * The rules mentioned above are currently hard coded. If these need to read
- * from the config file, the 'undeletables' can be configured as as follows:
- *
- * <subsystemId>.Policy.undeletablePolicies=<comma separated rule names>
- * Example: ra.Policy.undeletablePolicies=DirAuthRule, DefaultUserNameRule,
- * DefaultServerNameRule, DefaultValidityRule, DefaultRenewalValidityRule
- *
- * The predicates if any associated with them may be configured as follows:
- * <subsystemId>.Policy.undeletablePolicies.DirAuthRule.predicate= certType
- * == client.
- *
- * where subsystemId is ra or ca.
- *
+ * Read list of undeletable policies if any configured in the
+ * system.
+ *
+ * These are required to protect the system from being misconfigured
+ * to the point that the requests wouldn't serialize or certain
+ * fields in the certificate(s) being checked will go unchecked
+ * ..etc.
+ *
+ * For now the following policies are undeletable:
+ *
+ * DirAuthRule: This is a default DirectoryAuthentication policy
+ * for user certificates that interprets directory
+ * credentials. The presence of this policy is needed
+ * if the OOTB DirectoryAuthentication-based automatic
+ * certificate issuance is supported.
+ *
+ * DefaultUserNameRule: This policy verifies/sets subjectDn for user
+ * certificates.
+ *
+ * DefaultServerNameRule: This policy verifies/sets subjectDn for
+ * server certificates.
+ *
+ * DefaultValidityRule: Verifies/sets validty for all certificates.
+ *
+ * DefaultRenewalValidityRule: Verifies/sets validity for certs being
+ * renewed.
+ *
+ * The 'undeletables' cannot be deleted from the config file, nor
+ * can the be disabled. If any predicates are associated with them
+ * the predicates can't be changed either. But, other config parameters
+ * such as maxValidity, renewalInterval ..etc can be changed to suit
+ * local policy requirements.
+ *
+ * During start up the policy processor will verify if the undeletables
+ * are present, and that they are enabled and that their predicates are
+ * not changed.
+ *
+ * The rules mentioned above are currently hard coded. If these need to
+ * read from the config file, the 'undeletables' can be configured as
+ * as follows:
+ *
+ * <subsystemId>.Policy.undeletablePolicies=<comma separated rule names>
+ * Example:
+ * ra.Policy.undeletablePolicies=DirAuthRule, DefaultUserNameRule, DefaultServerNameRule, DefaultValidityRule, DefaultRenewalValidityRule
+ *
+ * The predicates if any associated with them may be configured as
+ * follows:
+ * <subsystemId>.Policy.undeletablePolicies.DirAuthRule.predicate= certType == client.
+ *
+ * where subsystemId is ra or ca.
+ *
 * If the undeletables are configured in the file,the configured entries
- * take precedence over the hardcoded ones in this file. If you are
- * configuring them in the file, please remember to configure the predicates
- * if applicable.
- *
- * During policy configuration from MCC, the policy processor will not let
- * you delete an 'undeletable', nor will it let you disable it. You will not
- * be able to change the predicate either. Other parameters can be
- * configured as needed.
- *
- * If a particular rule needs to be removed from the 'undeletables', either
- * remove it from the hard coded list above, or configure the rules required
- * rules only via the config file. The former needs recompilation of the
- * source. The later is flexible to be able to make any rule an
- * 'undeletable' or nor an 'undeletable'.
- *
- * Example: We want to use only manual forms for enrollment. We do n't need
- * to burn in DirAuthRule. We need to configure all other rules except the
- * DirAuthRule as follows:
- *
- * ra.Policy.undeletablePolicies = DefaultUserNameRule,
- * DefaultServerNameRule, DefaultValidityRule, DefaultRenewalValidityRule
- *
+ * take precedence over the hardcoded ones in this file. If you are
+ * configuring them in the file, please remember to configure the
+ * predicates if applicable.
+ *
+ * During policy configuration from MCC, the policy processor will not
+ * let you delete an 'undeletable', nor will it let you disable it.
+ * You will not be able to change the predicate either. Other parameters
+ * can be configured as needed.
+ *
+ * If a particular rule needs to be removed from the 'undeletables',
+ * either remove it from the hard coded list above, or configure the
+ * rules required rules only via the config file. The former needs
+ * recompilation of the source. The later is flexible to be able to
+ * make any rule an 'undeletable' or nor an 'undeletable'.
+ *
+ * Example: We want to use only manual forms for enrollment.
+ * We do n't need to burn in DirAuthRule. We need to configure all + * other rules except the DirAuthRule as follows: + * + * ra.Policy.undeletablePolicies = DefaultUserNameRule, DefaultServerNameRule, DefaultValidityRule, DefaultRenewalValidityRule + * * The following predicates are necessary: - * - * ra.Policy.undeletablePolicies.DefaultUserNameRule.predicate = certType == - * client ra.Policy.undeletablePolicies.DefaultServerNameRule.predicate = - * certType == server - * - * The other two rules do not have any predicates. + * + * ra.Policy.undeletablePolicies.DefaultUserNameRule.predicate = certType == client + * ra.Policy.undeletablePolicies.DefaultServerNameRule.predicate = certType == server + * + * The other two rules do not have any predicates. */ private void initUndeletablePolicies(IConfigStore mConfig) - throws EBaseException { + throws EBaseException { // Read undeletable policies if any configured. - String configuredUndeletables = mConfig.getString( - PROP_UNDELETABLE_POLICIES, null); + String configuredUndeletables = + mConfig.getString(PROP_UNDELETABLE_POLICIES, null); - if (configuredUndeletables == null - || configuredUndeletables.trim().length() == 0) { + if (configuredUndeletables == null || + configuredUndeletables.trim().length() == 0) { mUndeletablePolicies = DEF_UNDELETABLE_POLICIES; return; } Vector rules = new Vector(); - StringTokenizer tokenizer = new StringTokenizer( - configuredUndeletables.trim(), ","); - + StringTokenizer tokenizer = new + StringTokenizer(configuredUndeletables.trim(), ","); + while (tokenizer.hasMoreTokens()) { String rule = tokenizer.nextToken().trim(); 
@@ -1359,18 +1392,18 @@ public class GenericPolicyProcessor implements IPolicyProcessor { return; } - // For each rule read from the config file, see if any + // For each rule read from the config file, see if any // predicate is set. mUndeletablePolicies = new Hashtable(); for (Enumeration e = rules.elements(); e.hasMoreElements();) { String urn = (String) e.nextElement(); - + // See if there is predicate in the file - String pred = mConfig.getString(PROP_UNDELETABLE_POLICIES + "." - + urn + "." + PROP_PREDICATE, null); - + String pred = mConfig.getString(PROP_UNDELETABLE_POLICIES + + "." + urn + "." + PROP_PREDICATE, null); + IExpression exp = SimpleExpression.NULL_EXPRESSION; - + if (pred != null) exp = PolicyPredicateParser.parse(pred); mUndeletablePolicies.put(urn, exp); 
@@ -1404,27 +1437,30 @@ public class GenericPolicyProcessor implements IPolicyProcessor { return ret; } - private void verifyDefaultPolicyConfig() throws EPolicyException { + private void verifyDefaultPolicyConfig() + throws EPolicyException { // For each policy in undeletable list make sure that // the policy is present, is not disabled and its predicate // is not tampered with. - for (Enumeration e = mUndeletablePolicies.keys(); e.hasMoreElements();) { + for (Enumeration e = mUndeletablePolicies.keys(); + e.hasMoreElements();) { String urn = (String) e.nextElement(); // See if the rule is in the instance table. PolicyInstance inst = (PolicyInstance) mInstanceTable.get(urn); if (inst == null) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_MISSING_PERSISTENT_RULE", urn)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_MISSING_PERSISTENT_RULE", urn)); - // See if the instance is disabled. + // See if the instance is disabled. if (!inst.isActive()) - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PERSISTENT_RULE_INACTIVE", urn)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_INACTIVE", urn)); - // See if the predicated is misconfigured. - IExpression defPred = (IExpression) mUndeletablePolicies.get(urn); + // See if the predicated is misconfigured. + IExpression defPred = (IExpression) + mUndeletablePolicies.get(urn); // We used SimpleExpression.NULL_EXPRESSION to indicate a null. if (defPred == SimpleExpression.NULL_EXPRESSION) 
@@ -1432,59 +1468,61 @@ public class GenericPolicyProcessor implements IPolicyProcessor { IExpression confPred = inst.getRule().getPredicate(); if (defPred == null && confPred != null) { - String[] params = { urn, "null", confPred.toString() }; + String[] params = {urn, "null", confPred.toString()}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); } else if (defPred != null && confPred == null) { - String[] params = { urn, defPred.toString(), "null" }; + String[] params = {urn, defPred.toString(), "null"}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); } else if (defPred != null && confPred != null) { if (!defPred.toString().equals(confPred.toString())) { - String[] params = { urn, defPred.toString(), - confPred.toString() }; + String[] params = {urn, defPred.toString(), + confPred.toString()}; - throw new EPolicyException(CMS.getUserMessage( - "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); + throw new EPolicyException( + CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params)); } } } } } + /** * Class to keep track of various configurable implementations. 
*/ class RegisteredPolicy { String mId; String mClPath; - - public RegisteredPolicy(String id, String clPath) { + public RegisteredPolicy (String id, String clPath) { if (id == null || clPath == null) - throw new AssertionException("Policy id or classpath can't be null"); + throw new + AssertionException("Policy id or classpath can't be null"); mId = id; mClPath = clPath; } - + public String getClassPath() { return mClPath; } - + public String getId() { return mId; } } + class PolicyInstance { String mInstanceId; String mImplId; IPolicyRule mRule; boolean mIsEnabled; - public PolicyInstance(String instanceId, String implId, IPolicyRule rule, - boolean isEnabled) { + public PolicyInstance(String instanceId, String implId, + IPolicyRule rule, boolean isEnabled) { mInstanceId = instanceId; mImplId = implId; mRule = rule; @@ -1520,8 +1558,9 @@ class PolicyInstance { public void setActive(boolean stat) { mIsEnabled = stat; } - + public void setRule(IPolicyRule newRule) { mRule = newRule; } -} +} + |