Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java')
-rw-r--r--pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java885
1 files changed, 423 insertions, 462 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java b/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java
index 95d66828..151fef18 100644
--- a/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java
+++ b/pki/base/common/src/com/netscape/cmscore/policy/GenericPolicyProcessor.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cmscore.policy;
-
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.StringTokenizer;
@@ -48,20 +47,17 @@ import com.netscape.cmscore.request.ARequestQueue;
import com.netscape.cmscore.util.AssertionException;
import com.netscape.cmscore.util.Debug;
-
/**
- * This is a Generic policy processor. The three main functions of
- * this class are:
- * 1. To initialize policies by reading policy configuration from the
- * config file, and maintain 5 sets of policies - viz Enrollment,
- * Renewal, Revocation and KeyRecovery and KeyArchival.
- * 2. To apply the configured policies on the given request.
- * 3. To enable policy listing/configuration via MCC console.
- *
- * Since the policy processor also implements the IPolicy interface
- * the processor itself presents itself as one big policy to the
- * request processor.
- *
+ * This is a Generic policy processor. The three main functions of this class
+ * are: 1. To initialize policies by reading policy configuration from the
+ * config file, and maintain 5 sets of policies - viz Enrollment, Renewal,
+ * Revocation and KeyRecovery and KeyArchival. 2. To apply the configured
+ * policies on the given request. 3. To enable policy listing/configuration via
+ * MCC console.
+ *
+ * Since the policy processor also implements the IPolicy interface the
+ * processor itself presents itself as one big policy to the request processor.
+ *
* @author kanda
* @version $Revision$, $Date$
*/
@@ -71,12 +67,10 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
protected IAuthority mAuthority = null;
// Default System Policies
- public final static String[] DEF_POLICIES =
- {"com.netscape.cms.policy.constraints.ManualAuthentication"};
+ public final static String[] DEF_POLICIES = { "com.netscape.cms.policy.constraints.ManualAuthentication" };
// Policies that can't be deleted nor disabled.
- public final static Hashtable DEF_UNDELETABLE_POLICIES =
- new Hashtable();
+ public final static Hashtable DEF_UNDELETABLE_POLICIES = new Hashtable();
private String mId = "Policy";
private Vector mPolicyOrder = new Vector();
@@ -125,9 +119,9 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
/**
- * Returns the configuration store.
+ * Returns the configuration store.
* <P>
- *
+ *
* @return configuration store
*/
public IConfigStore getConfigStore() {
@@ -137,24 +131,24 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
/**
* Initializes the PolicyProcessor
* <P>
- *
+ *
* @param owner owner of this subsystem
* @param config configuration of this subsystem
* @exception EBaseException failed to initialize this Subsystem.
*/
public synchronized void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
// Debug.trace("GenericPolicyProcessor::init");
CMS.debug("GenericPolicyProcessor::init begins");
mAuthority = (IAuthority) owner;
mConfig = config;
- mGlobalStore =
- SubsystemRegistry.getInstance().get("MAIN").getConfigStore();
+ mGlobalStore = SubsystemRegistry.getInstance().get("MAIN")
+ .getConfigStore();
try {
IConfigStore configStore = CMS.getConfigStore();
- String PKI_Subsystem = configStore.getString( "subsystem.0.id",
- null );
+ String PKI_Subsystem = configStore
+ .getString("subsystem.0.id", null);
// CMS 6.1 began utilizing the "Certificate Profiles" framework
// instead of the legacy "Certificate Policies" framework.
@@ -164,34 +158,31 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
// that this legacy "Certificate Policies" framework would be
// deprecated and disabled by default (see Bugzilla Bug #472597).
//
- // NOTE: The "Certificate Policies" framework ONLY applied to
- // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems.
+ // NOTE: The "Certificate Policies" framework ONLY applied to
+ // to CA, KRA, and legacy RA (pre-CMS 7.0) subsystems.
//
- if( PKI_Subsystem.trim().equalsIgnoreCase( "ca" ) ||
- PKI_Subsystem.trim().equalsIgnoreCase( "kra" ) ) {
- String policyStatus = PKI_Subsystem.trim().toLowerCase()
- + "." + "Policy"
- + "." + IPolicyProcessor.PROP_ENABLE;
-
- if( configStore.getBoolean( policyStatus, true ) == true ) {
- // NOTE: If "<subsystem>.Policy.enable=<boolean>" is
- // missing, then the referenced instance existed
- // prior to this name=value pair existing in its
- // 'CS.cfg' file, and thus we err on the
- // side that the user may still need to
- // use the policy framework.
- CMS.debug( "GenericPolicyProcessor::init Certificate "
- + "Policy Framework (deprecated) "
- + "is ENABLED" );
+ if (PKI_Subsystem.trim().equalsIgnoreCase("ca")
+ || PKI_Subsystem.trim().equalsIgnoreCase("kra")) {
+ String policyStatus = PKI_Subsystem.trim().toLowerCase() + "."
+ + "Policy" + "." + IPolicyProcessor.PROP_ENABLE;
+
+ if (configStore.getBoolean(policyStatus, true) == true) {
+ // NOTE: If "<subsystem>.Policy.enable=<boolean>" is
+ // missing, then the referenced instance existed
+ // prior to this name=value pair existing in its
+ // 'CS.cfg' file, and thus we err on the
+ // side that the user may still need to
+ // use the policy framework.
+ CMS.debug("GenericPolicyProcessor::init Certificate "
+ + "Policy Framework (deprecated) " + "is ENABLED");
} else {
- // CS 8.1 Default: <subsystem>.Policy.enable=false
- CMS.debug( "GenericPolicyProcessor::init Certificate "
- + "Policy Framework (deprecated) "
- + "is DISABLED" );
+ // CS 8.1 Default: <subsystem>.Policy.enable=false
+ CMS.debug("GenericPolicyProcessor::init Certificate "
+ + "Policy Framework (deprecated) " + "is DISABLED");
return;
}
}
- } catch( EBaseException e ) {
+ } catch (EBaseException e) {
throw e;
}
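Review bot: `PKI_Subsystem.trim()` on the new line `if (PKI_Subsystem.trim().equalsIgnoreCase("ca")` dereferences a value fetched a few lines up with an explicit `null` default, so an instance whose CS.cfg lacks `subsystem.0.id` fails init with a NullPointerException rather than an EBaseException, and the surrounding `catch (EBaseException e) { throw e; }` is a no-op that does not cover it. A null guard, `if (PKI_Subsystem != null && (PKI_Subsystem.trim().equalsIgnoreCase("ca") || PKI_Subsystem.trim().equalsIgnoreCase("kra")))`, keeps the existing behaviour for CA and KRA; whether a missing subsystem id should fall through to loading the deprecated framework (as that guard would) or disable it is a design call worth stating in the comment. The redundant catch can simply be dropped. init continues past this hunk.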
@@ -215,39 +206,38 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
// The implementation id should be unique
if (mImplTable.containsKey(id))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_DUPLICATE_IMPL_ID", id));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_DUPLICATE_IMPL_ID", id));
String clPath = c.getString(id + "." + PROP_CLASS);
// We should n't let the CatchAll policies to be configurable.
if (isSystemDefaultPolicy(clPath))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_SYSTEM_POLICY_CONFIG_ERROR", clPath));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_SYSTEM_POLICY_CONFIG_ERROR", clPath));
- // Verify if the class is a valid implementation of
- // IPolicyRule
+ // Verify if the class is a valid implementation of
+ // IPolicyRule
try {
Object o = Class.forName(clPath).newInstance();
- if (!(o instanceof IEnrollmentPolicy) &&
- !(o instanceof IRenewalPolicy) &&
- !(o instanceof IRevocationPolicy) &&
- !(o instanceof IKeyRecoveryPolicy) &&
- !(o instanceof IKeyArchivalPolicy))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_IMPL", clPath));
+ if (!(o instanceof IEnrollmentPolicy)
+ && !(o instanceof IRenewalPolicy)
+ && !(o instanceof IRevocationPolicy)
+ && !(o instanceof IKeyRecoveryPolicy)
+ && !(o instanceof IKeyArchivalPolicy))
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_IMPL", clPath));
} catch (EBaseException e) {
throw e;
} catch (Exception e) {
Debug.printStackTrace(e);
- throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL",
- id));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_NO_POLICY_IMPL", id));
}
// Register the implementation.
- RegisteredPolicy regPolicy =
- new RegisteredPolicy(id, clPath);
+ RegisteredPolicy regPolicy = new RegisteredPolicy(id, clPath);
mImplTable.put(id, regPolicy);
}
@@ -275,13 +265,13 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
// The instance id should be unique
if (mInstanceTable.containsKey(instanceName))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_DUPLICATE_INST_ID", instanceName));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_DUPLICATE_INST_ID", instanceName));
c = ruleStore.getSubStore(instanceName);
if (c == null || c.size() == 0)
- throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_CONFIG",
- instanceName));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_NO_POLICY_CONFIG", instanceName));
IPolicyRule rule = null;
String implName;
boolean enabled;
@@ -290,40 +280,41 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
// If the policy rule is not enabled, skip it.
String enabledStr = c.getString(PROP_ENABLE, null);
- if (enabledStr == null || enabledStr.trim().length() == 0 ||
- enabledStr.trim().equalsIgnoreCase("true"))
+ if (enabledStr == null || enabledStr.trim().length() == 0
+ || enabledStr.trim().equalsIgnoreCase("true"))
enabled = true;
else
enabled = false;
implName = c.getString(PROP_IMPL_NAME, null);
if (implName == null) {
- throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_CONFIG",
- instanceName));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_NO_POLICY_CONFIG", instanceName));
}
// Make an instance of the specified policy.
- RegisteredPolicy regPolicy =
- (RegisteredPolicy) mImplTable.get(implName);
+ RegisteredPolicy regPolicy = (RegisteredPolicy) mImplTable
+ .get(implName);
if (regPolicy == null) {
- String[] params = {implName, instanceName};
+ String[] params = { implName, instanceName };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_IMPL_NOT_FOUND", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_IMPL_NOT_FOUND", params));
}
-
+
String classpath = regPolicy.getClassPath();
try {
- rule = (IPolicyRule)
- Class.forName(classpath).newInstance();
+ rule = (IPolicyRule) Class.forName(classpath).newInstance();
if (rule instanceof IPolicyRule)
((IPolicyRule) rule).setInstanceName(instanceName);
rule.init(this, c);
} catch (Throwable e) {
- mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_POLICY_INIT_FAILED", instanceName, e.toString()));
- // disable rule initialized if there is
+ mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMSCORE_POLICY_INIT_FAILED", instanceName,
+ e.toString()));
+ // disable rule initialized if there is
// configuration error
enabled = false;
c.putString(PROP_ENABLE, "false");
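Review bot: The `catch (Throwable e)` block turns any failure in `rule.init` into a silently dropped rule: `enabled = false` plus `c.putString(PROP_ENABLE, "false")` removes the constraint from enforcement and writes the disabled state into the config store, so the policy engine fails open on misconfiguration and, if that store is later committed, stays open across restarts. For rules in `mUndeletablePolicies` (described earlier in the file as policies that can't be deleted nor disabled) this contradicts the stated invariant; assuming that table is populated before this loop runs (verify), rethrowing instead of disabling, e.g. `if (mUndeletablePolicies.containsKey(instanceName)) throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_INACTIVE", instanceName));`, keeps it, and `Throwable` should narrow to `Exception` so VM errors are not swallowed. The `if (rule instanceof IPolicyRule)` test two lines after the cast is always true and can be dropped. The enclosing loop starts and ends outside this hunk.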
@@ -332,9 +323,10 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
if (rule == null)
continue;
- // Read the predicate expression if any associated
- // with the rule
- String exp = c.getString(GenericPolicyProcessor.PROP_PREDICATE, null);
+ // Read the predicate expression if any associated
+ // with the rule
+ String exp = c.getString(GenericPolicyProcessor.PROP_PREDICATE,
+ null);
if (exp != null)
exp = exp.trim();
@@ -344,14 +336,14 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
// Add the rule to the instance table
- mInstanceTable.put(instanceName,
- new PolicyInstance(instanceName, implName, rule, enabled));
+ mInstanceTable.put(instanceName, new PolicyInstance(instanceName,
+ implName, rule, enabled));
if (!enabled)
continue;
- // Add the rule to the policy set according to category if a
- // rule is enabled.
+ // Add the rule to the policy set according to category if a
+ // rule is enabled.
addRule(instanceName, rule);
}
@@ -372,8 +364,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
/**
* Apply policies on the given request.
- *
- * @param IRequest The given request
+ *
+ * @param IRequest The given request
* @return The policy result object.
*/
public PolicyResult apply(IRequest req) {
@@ -383,18 +375,19 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
CMS.debug("GenericPolicyProcessor: apply begins");
if (op == null) {
CMS.debug("GenericPolicyProcessor: apply op null");
- // throw new AssertionException("Missing operation type in request. Can't happen!");
- // Return ACCEPTED for now. Looks like even get CA chain
- // is being passed in here with request type set elsewhere
- // on the request.
+ // throw new
+ // AssertionException("Missing operation type in request. Can't happen!");
+ // Return ACCEPTED for now. Looks like even get CA chain
+ // is being passed in here with request type set elsewhere
+ // on the request.
return PolicyResult.ACCEPTED;
}
if (isProfileRequest(req)) {
- Debug.trace("GenericPolicyProcessor: Profile-base Request " +
- req.getRequestId().toString());
+ Debug.trace("GenericPolicyProcessor: Profile-base Request "
+ + req.getRequestId().toString());
return PolicyResult.ACCEPTED;
}
- CMS.debug("GenericPolicyProcessor: apply not ProfileRequest. op="+op);
+ CMS.debug("GenericPolicyProcessor: apply not ProfileRequest. op=" + op);
if (op.equalsIgnoreCase(IRequest.ENROLLMENT_REQUEST))
rules = mEnrollmentRules;
@@ -409,7 +402,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
else {
// It aint' a CMP request. We don't care.
return PolicyResult.ACCEPTED;
- // throw new AssertionException("Invalid request type. Can't Happen!");
+ // throw new
+ // AssertionException("Invalid request type. Can't Happen!");
}
// ((PolicySet)rules).printPolicies();
@@ -421,11 +415,11 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
return PolicyResult.ACCEPTED;
/**
- setError(req, PolicyResources.NO_RULES_CONFIGURED, op);
- return PolicyResult.REJECTED;
+ * setError(req, PolicyResources.NO_RULES_CONFIGURED, op); return
+ * PolicyResult.REJECTED;
**/
}
- CMS.debug("GenericPolicyProcessor: apply: rules.count="+ rules.count());
+ CMS.debug("GenericPolicyProcessor: apply: rules.count=" + rules.count());
// request must be up to date or can't process it.
PolicyResult res = PolicyResult.ACCEPTED;
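Review bot: The `return PolicyResult.ACCEPTED;` at the top of this hunk appears to be the empty-rule-set branch (the condition itself is above the hunk; the commented-out `NO_RULES_CONFIGURED` alternative suggests it), which makes the legacy policy path fail open: an operation type with no rules configured is approved with no constraint applied. If that is deliberate because the deprecated framework has been superseded by profiles (as the init-time comments earlier in this diff indicate), the code should say so, e.g. `// Fail open by design: the legacy policy framework is deprecated and an empty rule set is not treated as a misconfiguration.`; otherwise the commented-out rejection is the safer default. apply begins outside this hunk.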
@@ -478,12 +472,12 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
try {
while (enum1.hasMoreElements()) {
- RegisteredPolicy regPolicy =
- (RegisteredPolicy) enum1.nextElement();
+ RegisteredPolicy regPolicy = (RegisteredPolicy) enum1
+ .nextElement();
// Make an Instance of it
- IPolicyRule ruleImpl = (IPolicyRule)
- Class.forName(regPolicy.getClassPath()).newInstance();
+ IPolicyRule ruleImpl = (IPolicyRule) Class.forName(
+ regPolicy.getClassPath()).newInstance();
impls.addElement(ruleImpl);
}
@@ -501,8 +495,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
try {
while (enum1.hasMoreElements()) {
- RegisteredPolicy regPolicy =
- (RegisteredPolicy) enum1.nextElement();
+ RegisteredPolicy regPolicy = (RegisteredPolicy) enum1
+ .nextElement();
impls.addElement(regPolicy.getId());
@@ -515,16 +509,15 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
public IPolicyRule getPolicyImpl(String id) {
- RegisteredPolicy regImpl = (RegisteredPolicy)
- mImplTable.get(id);
+ RegisteredPolicy regImpl = (RegisteredPolicy) mImplTable.get(id);
if (regImpl == null)
return null;
IPolicyRule impl = null;
try {
- impl =
- (IPolicyRule) Class.forName(regImpl.getClassPath()).newInstance();
+ impl = (IPolicyRule) Class.forName(regImpl.getClassPath())
+ .newInstance();
} catch (Exception e) {
Debug.printStackTrace(e);
}
@@ -545,17 +538,15 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
return v;
}
- public void deletePolicyImpl(String id)
- throws EBaseException {
+ public void deletePolicyImpl(String id) throws EBaseException {
// First check if the id is valid;
- RegisteredPolicy regPolicy =
- (RegisteredPolicy) mImplTable.get(id);
+ RegisteredPolicy regPolicy = (RegisteredPolicy) mImplTable.get(id);
if (regPolicy == null)
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL", id));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_NO_POLICY_IMPL", id));
- // If any instance exists for this impl, can't delete it.
+ // If any instance exists for this impl, can't delete it.
boolean instanceExist = false;
Enumeration e = mInstanceTable.elements();
@@ -568,15 +559,14 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
}
if (instanceExist) // we found an instance
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_ACTIVE_POLICY_RULES_EXIST", id));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_ACTIVE_POLICY_RULES_EXIST", id));
- // Else delete the implementation
+ // Else delete the implementation
mImplTable.remove(id);
- IConfigStore policyStore =
- mGlobalStore.getSubStore(getPolicySubstoreId());
- IConfigStore implStore =
- policyStore.getSubStore(PROP_IMPL);
+ IConfigStore policyStore = mGlobalStore
+ .getSubStore(getPolicySubstoreId());
+ IConfigStore implStore = policyStore.getSubStore(PROP_IMPL);
implStore.removeSubStore(id);
@@ -585,60 +575,58 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
mGlobalStore.commit(true);
} catch (Exception ex) {
Debug.printStackTrace(ex);
- String[] params = {"implementation", id};
+ String[] params = { "implementation", id };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_DELETING_POLICY_ERROR", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_DELETING_POLICY_ERROR", params));
}
}
public void addPolicyImpl(String id, String classPath)
- throws EBaseException {
+ throws EBaseException {
// See if the id is unique
if (mImplTable.containsKey(id))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_DUPLICATE_IMPL_ID", id));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_DUPLICATE_IMPL_ID", id));
- // See if the classPath is ok
+ // See if the classPath is ok
Object impl = null;
try {
impl = Class.forName(classPath).newInstance();
- }catch (Exception e) {
- throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL",
- id));
+ } catch (Exception e) {
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_NO_POLICY_IMPL", id));
}
// Does the class implement one of the four interfaces?
- if (!(impl instanceof IEnrollmentPolicy) &&
- !(impl instanceof IRenewalPolicy) &&
- !(impl instanceof IRevocationPolicy) &&
- !(impl instanceof IKeyRecoveryPolicy) &&
- !(impl instanceof IKeyArchivalPolicy))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_IMPL", classPath));
-
- // Add the implementation to the registry
- RegisteredPolicy regPolicy =
- new RegisteredPolicy(id, classPath);
+ if (!(impl instanceof IEnrollmentPolicy)
+ && !(impl instanceof IRenewalPolicy)
+ && !(impl instanceof IRevocationPolicy)
+ && !(impl instanceof IKeyRecoveryPolicy)
+ && !(impl instanceof IKeyArchivalPolicy))
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_IMPL", classPath));
+
+ // Add the implementation to the registry
+ RegisteredPolicy regPolicy = new RegisteredPolicy(id, classPath);
mImplTable.put(id, regPolicy);
// Store the impl in the configuration.
- IConfigStore policyStore =
- mGlobalStore.getSubStore(getPolicySubstoreId());
- IConfigStore implStore =
- policyStore.getSubStore(PROP_IMPL);
+ IConfigStore policyStore = mGlobalStore
+ .getSubStore(getPolicySubstoreId());
+ IConfigStore implStore = policyStore.getSubStore(PROP_IMPL);
IConfigStore newStore = implStore.makeSubStore(id);
newStore.put(PROP_CLASS, classPath);
try {
mGlobalStore.commit(true);
} catch (Exception e) {
- String[] params = {"implementation", id};
+ String[] params = { "implementation", id };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_ADDING_POLICY_ERROR", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_ADDING_POLICY_ERROR", params));
}
}
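Review bot: addPolicyImpl runs `Class.forName(classPath).newInstance()` on the admin-supplied class name before checking that it implements a policy interface, so the static initializer and no-arg constructor of any class on the server classpath execute before the request can be rejected, and the resulting instance is used for nothing but the instanceof chain. Resolving the class without initialization and testing assignability avoids running that code at all; the rewrite below replaces the try block and interface check inside addPolicyImpl, and also logs the lookup failure the way init's implementation loop does. The same instantiate-then-check pattern appears in init's implementation-loading loop earlier in this diff. The original comment says "four interfaces" while five are checked; the rewrite corrects it.
```java
        // See if the classPath is ok. Resolve without initializing so no
        // static initializer or constructor of an arbitrary class runs
        // before the type check below.
        Class<?> implClass;
        try {
            implClass = Class.forName(classPath, false,
                    getClass().getClassLoader());
        } catch (Exception e) {
            Debug.printStackTrace(e);
            throw new EPolicyException(CMS.getUserMessage(
                    "CMS_POLICY_NO_POLICY_IMPL", id));
        }

        // Does the class implement one of the five policy interfaces?
        if (!IEnrollmentPolicy.class.isAssignableFrom(implClass)
                && !IRenewalPolicy.class.isAssignableFrom(implClass)
                && !IRevocationPolicy.class.isAssignableFrom(implClass)
                && !IKeyRecoveryPolicy.class.isAssignableFrom(implClass)
                && !IKeyArchivalPolicy.class.isAssignableFrom(implClass))
            throw new EPolicyException(CMS.getUserMessage(
                    "CMS_POLICY_INVALID_POLICY_IMPL", classPath));

        // … unchanged: register in mImplTable, write impl to config store, commit …
```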
@@ -649,8 +637,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
try {
while (enum1.hasMoreElements()) {
- PolicyInstance instance =
- (PolicyInstance) mInstanceTable.get((String) enum1.nextElement());
+ PolicyInstance instance = (PolicyInstance) mInstanceTable
+ .get((String) enum1.nextElement());
rules.addElement(instance.getRule());
@@ -670,8 +658,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
try {
while (enum1.hasMoreElements()) {
String ruleName = (String) enum1.nextElement();
- PolicyInstance instance =
- (PolicyInstance) mInstanceTable.get(ruleName);
+ PolicyInstance instance = (PolicyInstance) mInstanceTable
+ .get(ruleName);
rules.addElement(instance.getRuleInfo());
}
@@ -683,15 +671,13 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
public IPolicyRule getPolicyInstance(String id) {
- PolicyInstance policyInstance = (PolicyInstance)
- mInstanceTable.get(id);
+ PolicyInstance policyInstance = (PolicyInstance) mInstanceTable.get(id);
return (policyInstance == null) ? null : policyInstance.getRule();
}
public Vector getPolicyInstanceConfig(String id) {
- PolicyInstance policyInstance = (PolicyInstance)
- mInstanceTable.get(id);
+ PolicyInstance policyInstance = (PolicyInstance) mInstanceTable.get(id);
if (policyInstance == null)
return null;
@@ -709,25 +695,22 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
return v;
}
- public void deletePolicyInstance(String id)
- throws EBaseException {
+ public void deletePolicyInstance(String id) throws EBaseException {
// If the rule is a persistent rule, we can't delete it.
if (mUndeletablePolicies.containsKey(id))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_CANT_DELETE_PERSISTENT_POLICY", id));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_CANT_DELETE_PERSISTENT_POLICY", id));
- // First check if the instance is present.
- PolicyInstance instance =
- (PolicyInstance) mInstanceTable.get(id);
+ // First check if the instance is present.
+ PolicyInstance instance = (PolicyInstance) mInstanceTable.get(id);
if (instance == null)
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_INSTANCE", id));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_INSTANCE", id));
- IConfigStore policyStore =
- mGlobalStore.getSubStore(getPolicySubstoreId());
- IConfigStore instanceStore =
- policyStore.getSubStore(PROP_RULE);
+ IConfigStore policyStore = mGlobalStore
+ .getSubStore(getPolicySubstoreId());
+ IConfigStore instanceStore = policyStore.getSubStore(PROP_RULE);
instanceStore.removeSubStore(id);
@@ -747,10 +730,10 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
mPolicyOrder.insertElementAt(id, index);
Debug.printStackTrace(e);
- String[] params = {"instance", id};
+ String[] params = { "instance", id };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_DELETING_POLICY_ERROR", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_DELETING_POLICY_ERROR", params));
}
IPolicyRule rule = instance.getRule();
@@ -766,31 +749,30 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
if (rule instanceof IKeyArchivalPolicy)
mKeyArchivalRules.removeRule(id);
- // Delete the instance
+ // Delete the instance
mInstanceTable.remove(id);
}
public void addPolicyInstance(String id, Hashtable ht)
- throws EBaseException {
+ throws EBaseException {
// The instance id should be unique
if (getPolicyInstance(id) != null)
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_DUPLICATE_INST_ID", id));
- // There should be an implmentation for this rule.
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_DUPLICATE_INST_ID", id));
+ // There should be an implmentation for this rule.
String implName = (String) ht.get(IPolicyRule.PROP_IMPLNAME);
// See if there is an implementation with this name.
IPolicyRule rule = getPolicyImpl(implName);
if (rule == null)
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL", implName));
-
- // Prepare config file entries.
- IConfigStore policyStore =
- mGlobalStore.getSubStore(getPolicySubstoreId());
- IConfigStore instanceStore =
- policyStore.getSubStore(PROP_RULE);
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_NO_POLICY_IMPL", implName));
+
+ // Prepare config file entries.
+ IConfigStore policyStore = mGlobalStore
+ .getSubStore(getPolicySubstoreId());
+ IConfigStore instanceStore = policyStore.getSubStore(PROP_RULE);
IConfigStore newStore = instanceStore.makeSubStore(id);
for (Enumeration keys = ht.keys(); keys.hasMoreElements();) {
@@ -801,8 +783,7 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
// Set the order string.
- policyStore.put(PROP_ORDER,
- getRuleOrderString(mPolicyOrder, id));
+ policyStore.put(PROP_ORDER, getRuleOrderString(mPolicyOrder, id));
// Try to initialize this rule.
rule.init(this, newStore);
@@ -811,11 +792,11 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
String enabledStr = (String) ht.get(IPolicyRule.PROP_ENABLE);
boolean active = false;
- if (enabledStr == null || enabledStr.trim().length() == 0 ||
- enabledStr.equalsIgnoreCase("true"))
+ if (enabledStr == null || enabledStr.trim().length() == 0
+ || enabledStr.equalsIgnoreCase("true"))
active = true;
- // Set the predicate if any present on the rule.
+ // Set the predicate if any present on the rule.
String predicate = ((String) ht.get(IPolicyRule.PROP_PREDICATE)).trim();
IExpression exp = null;
@@ -827,15 +808,15 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
try {
mGlobalStore.commit(true);
} catch (Exception e) {
- String[] params = {"instance", id};
+ String[] params = { "instance", id };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_ADDING_POLICY_ERROR", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_ADDING_POLICY_ERROR", params));
}
// Add the rule to the instance table.
- PolicyInstance policyInst = new PolicyInstance(id, implName,
- rule, active);
+ PolicyInstance policyInst = new PolicyInstance(id, implName, rule,
+ active);
mInstanceTable.put(id, policyInst);
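Review bot: `((String) ht.get(IPolicyRule.PROP_PREDICATE)).trim()` throws a NullPointerException when the console request carries no predicate key, after the rule's config substore and order string have already been added to the in-memory global store in the preceding hunks but before commit. Reading it null-safely, `String rawPred = (String) ht.get(IPolicyRule.PROP_PREDICATE); String predicate = rawPred == null ? "" : rawPred.trim();`, keeps the existing empty-predicate path. The enabled check in the same hunk, `enabledStr.equalsIgnoreCase("true")`, does not trim although init's equivalent does, so a value like `"true "` is active after a restart but inactive when added through the console; `enabledStr.trim().equalsIgnoreCase("true")` makes them agree. addPolicyInstance continues past this hunk.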
@@ -850,84 +831,79 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
public void modifyPolicyInstance(String id, Hashtable ht)
- throws EBaseException {
+ throws EBaseException {
// The instance id should be there already
- PolicyInstance policyInstance = (PolicyInstance)
- mInstanceTable.get(id);
+ PolicyInstance policyInstance = (PolicyInstance) mInstanceTable.get(id);
if (policyInstance == null)
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_INSTANCE", id));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_INSTANCE", id));
IPolicyRule rule = policyInstance.getRule();
// The impl id shouldn't change
String implId = (String) ht.get(IPolicyRule.PROP_IMPLNAME);
if (!implId.equals(policyInstance.getImplId()))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_IMPLCHANGE_ERROR", id));
-
- // Make a new rule instance
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_IMPLCHANGE_ERROR", id));
+
+ // Make a new rule instance
IPolicyRule newRule = getPolicyImpl(implId);
if (newRule == null) // Can't happen, but just in case..
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_IMPL", implId));
-
- // Try to init this rule.
- IConfigStore policyStore =
- mGlobalStore.getSubStore(getPolicySubstoreId());
- IConfigStore instanceStore =
- policyStore.getSubStore(PROP_RULE);
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_IMPL", implId));
+
+ // Try to init this rule.
+ IConfigStore policyStore = mGlobalStore
+ .getSubStore(getPolicySubstoreId());
+ IConfigStore instanceStore = policyStore.getSubStore(PROP_RULE);
IConfigStore oldStore = instanceStore.getSubStore(id);
IConfigStore newStore = new PropConfigStore(id);
-
+
// See if the rule is disabled.
String enabledStr = (String) ht.get(IPolicyRule.PROP_ENABLE);
boolean active = false;
- if (enabledStr == null || enabledStr.trim().length() == 0 ||
- enabledStr.equalsIgnoreCase("true"))
+ if (enabledStr == null || enabledStr.trim().length() == 0
+ || enabledStr.equalsIgnoreCase("true"))
active = true;
- // Set the predicate expression.
+ // Set the predicate expression.
String predicate = ((String) ht.get(IPolicyRule.PROP_PREDICATE)).trim();
IExpression exp = null;
if (predicate.trim().length() > 0)
exp = PolicyPredicateParser.parse(predicate.trim());
- // See if this a persistent rule.
+ // See if this a persistent rule.
if (mUndeletablePolicies.containsKey(id)) {
// A persistent rule can't be disabled.
if (!active) {
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_INACTIVE", id));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_PERSISTENT_RULE_INACTIVE", id));
}
- IExpression defPred = (IExpression)
- mUndeletablePolicies.get(id);
+ IExpression defPred = (IExpression) mUndeletablePolicies.get(id);
if (defPred == SimpleExpression.NULL_EXPRESSION)
defPred = null;
if (exp == null && defPred != null) {
- String[] params = {id, defPred.toString(),
- "null" };
+ String[] params = { id, defPred.toString(), "null" };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
} else if (exp != null && defPred == null) {
- String[] params = {id, "null", exp.toString()};
+ String[] params = { id, "null", exp.toString() };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
} else if (exp != null && defPred != null) {
if (!defPred.toString().equals(exp.toString())) {
- String[] params = {id, defPred.toString(),
- exp.toString() };
+ String[] params = { id, defPred.toString(), exp.toString() };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
}
}
}
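Review bot: `if (!implId.equals(policyInstance.getImplId()))` dereferences the console-supplied `implId` without a null check, and `((String) ht.get(IPolicyRule.PROP_PREDICATE)).trim()` lower in the hunk has the same problem, so a request missing either key fails modifyPolicyInstance with a NullPointerException instead of the EPolicyException callers handle. Inverting the comparison, `if (!policyInstance.getImplId().equals(implId))`, is null-safe on the untrusted side (the instance table appears to be populated only with a non-null implementation name; verify), and the predicate can be read as `String rawPred = (String) ht.get(IPolicyRule.PROP_PREDICATE); String predicate = rawPred == null ? "" : rawPred.trim();`. As in addPolicyInstance, `enabledStr.equalsIgnoreCase("true")` here is untrimmed while init trims. modifyPolicyInstance continues past this hunk.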
@@ -935,9 +911,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
// Predicate for the persistent rule can't be changed.
ht.put(IPolicyRule.PROP_ENABLE, String.valueOf(active));
- // put old config store parameters first.
- for (Enumeration oldkeys = oldStore.keys();
- oldkeys.hasMoreElements();) {
+ // put old config store parameters first.
+ for (Enumeration oldkeys = oldStore.keys(); oldkeys.hasMoreElements();) {
String k = (String) oldkeys.nextElement();
String v = (String) oldStore.getString(k);
@@ -945,15 +920,15 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
// put modified params.
- for (Enumeration newkeys = ht.keys();
- newkeys.hasMoreElements();) {
+ for (Enumeration newkeys = ht.keys(); newkeys.hasMoreElements();) {
String k = (String) newkeys.nextElement();
String v = (String) ht.get(k);
Debug.trace("newstore key " + k + "=" + v);
if (v != null) {
- if (!k.equals(Constants.OP_TYPE) && !k.equals(Constants.OP_SCOPE) &&
- !k.equals(Constants.RS_ID) && !k.equals("RULENAME")) {
+ if (!k.equals(Constants.OP_TYPE)
+ && !k.equals(Constants.OP_SCOPE)
+ && !k.equals(Constants.RS_ID) && !k.equals("RULENAME")) {
Debug.trace("newstore.put(" + k + "=" + v + ")");
newStore.put(k, v);
}
@@ -963,19 +938,15 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
// include impl default params in case we missed any.
/*
- for (Enumeration keys = ht.keys(); keys.hasMoreElements();)
- {
- String key = (String)keys.nextElement();
- String val = (String)ht.get(key);
- newStore.put(key, val);
- }
+ * for (Enumeration keys = ht.keys(); keys.hasMoreElements();) { String
+ * key = (String)keys.nextElement(); String val = (String)ht.get(key);
+ * newStore.put(key, val); }
*/
-
// Try to initialize this rule.
newRule.init(this, newStore);
-
- // If we are successfully initialized, replace the rule
+
+ // If we are successfully initialized, replace the rule
// instance
policyInstance.setRule(newRule);
policyInstance.setActive(active);
@@ -984,24 +955,23 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
if (exp != null)
newRule.setPredicate(exp);
- // Store the changes in the file.
+ // Store the changes in the file.
try {
for (Enumeration e = newStore.keys(); e.hasMoreElements();) {
String key = (String) e.nextElement();
if (key != null) {
- Debug.trace(
- "oldstore.put(" + key + "," +
- (String) newStore.getString(key) + ")");
+ Debug.trace("oldstore.put(" + key + ","
+ + (String) newStore.getString(key) + ")");
oldStore.put(key, (String) newStore.getString(key));
}
}
mGlobalStore.commit(true);
} catch (Exception e) {
- String[] params = {"instance", id};
+ String[] params = { "instance", id };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_ADDING_POLICY_ERROR", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_ADDING_POLICY_ERROR", params));
}
// If rule is disabled, we need to remove it from the
@@ -1032,9 +1002,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
}
- public synchronized void changePolicyInstanceOrdering(
- String policyOrderStr)
- throws EBaseException {
+ public synchronized void changePolicyInstanceOrdering(String policyOrderStr)
+ throws EBaseException {
Vector policyOrder = new Vector();
StringTokenizer tokens = new StringTokenizer(policyOrderStr, ",");
@@ -1044,8 +1013,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
// Check if we have that instance configured.
if (!mInstanceTable.containsKey(instanceId))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_INSTANCE", instanceId));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_INSTANCE", instanceId));
policyOrder.addElement(instanceId);
}
@@ -1065,12 +1034,12 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
// add system default rules first.
try {
for (int i = 0; i < mSystemDefaults.length; i++) {
- String defRuleName = mSystemDefaults[i].substring(
- mSystemDefaults[i].lastIndexOf('.') + 1);
- IPolicyRule defRule = (IPolicyRule)
- Class.forName(mSystemDefaults[i]).newInstance();
- IConfigStore ruleConfig =
- mConfig.getSubStore(PROP_DEF_POLICIES + "." + defRuleName);
+ String defRuleName = mSystemDefaults[i]
+ .substring(mSystemDefaults[i].lastIndexOf('.') + 1);
+ IPolicyRule defRule = (IPolicyRule) Class.forName(
+ mSystemDefaults[i]).newInstance();
+ IConfigStore ruleConfig = mConfig.getSubStore(PROP_DEF_POLICIES
+ + "." + defRuleName);
defRule.init(this, ruleConfig);
if (defRule instanceof IEnrollmentPolicy)
@@ -1087,25 +1056,28 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
} catch (Throwable e) {
Debug.printStackTrace(e);
- EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
- "Cannot create default policy rule. Error: " + e.getMessage()));
+ EBaseException ex = new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INTERNAL_ERROR",
+ "Cannot create default policy rule. Error: "
+ + e.getMessage()));
- mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_POLICY_DEF_CREATE", e.toString()));
+ mAuthority.log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMSCORE_POLICY_DEF_CREATE", e.toString()));
throw ex;
}
// add rules specified in the new order.
- for (Enumeration enum1 = policyOrder.elements();
- enum1.hasMoreElements();) {
+ for (Enumeration enum1 = policyOrder.elements(); enum1
+ .hasMoreElements();) {
String instanceName = (String) enum1.nextElement();
- PolicyInstance pInstance = (PolicyInstance)
- mInstanceTable.get(instanceName);
-
+ PolicyInstance pInstance = (PolicyInstance) mInstanceTable
+ .get(instanceName);
+
if (!pInstance.isActive())
continue;
- // Add the rule to the policy set according to category if a
- // rule is enabled.
+ // Add the rule to the policy set according to category if a
+ // rule is enabled.
IPolicyRule rule = pInstance.getRule();
if (rule instanceof IEnrollmentPolicy)
@@ -1129,8 +1101,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
mPolicyOrder = policyOrder;
// Now change the ordering in the config file.
- IConfigStore policyStore =
- mGlobalStore.getSubStore(getPolicySubstoreId());
+ IConfigStore policyStore = mGlobalStore
+ .getSubStore(getPolicySubstoreId());
policyStore.put(PROP_ORDER, policyOrderStr);
@@ -1139,8 +1111,8 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
mGlobalStore.commit(true);
} catch (Exception ex) {
Debug.printStackTrace(ex);
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_ORDER_ERROR", policyOrderStr));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_ORDER_ERROR", policyOrderStr));
}
}
@@ -1178,38 +1150,37 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
/**
- * Initializes the default system policies. Currently there is only
- * one policy - ManualAuthentication. More may be added later on.
- *
- * The default policies may be disabled - for example to over-ride
- * agent approval for testing the system by setting the following
- * property in the config file:
+ * Initializes the default system policies. Currently there is only one
+ * policy - ManualAuthentication. More may be added later on.
*
- * <subsystemId>.Policy.systemPolicies.enable=false
+ * The default policies may be disabled - for example to over-ride agent
+ * approval for testing the system by setting the following property in the
+ * config file:
*
- * By default the value for this property is true.
- *
- * Users can over-ride the default system policies by listing their
- * 'custom' system policies under the following property:
+ * <subsystemId>.Policy.systemPolicies.enable=false
*
- * <subsystemId>.Policy.systemPolicies=<system policy1 class path>,
- * <system policy2 class path>
- *
- * There can only be one instance of the system policy in the system
- * and will apply to all requests, and hence predicates are not used
- * for a system policy. Due to the same reason, these properties are
- * not configurable using the Console.
+ * By default the value for this property is true.
+ *
+ * Users can over-ride the default system policies by listing their 'custom'
+ * system policies under the following property:
+ *
+ * <subsystemId>.Policy.systemPolicies=<system policy1 class path>, <system
+ * policy2 class path>
+ *
+ * There can only be one instance of the system policy in the system and
+ * will apply to all requests, and hence predicates are not used for a
+ * system policy. Due to the same reason, these properties are not
+ * configurable using the Console.
*
* A System policy may read config properties from a subtree under
* <subsystemId>.Policy.systemPolicies.<ClassName>. An example is
* ra.Policy.systemPolicies.ManualAuthentication.param1=value
*/
- private void initSystemPolicies(IConfigStore mConfig)
- throws EBaseException {
+ private void initSystemPolicies(IConfigStore mConfig) throws EBaseException {
// If system policies are disabled, return. No Deferral of
// requests may be done.
- String enable = mConfig.getString(PROP_DEF_POLICIES + "." +
- PROP_ENABLE, "true").trim();
+ String enable = mConfig.getString(
+ PROP_DEF_POLICIES + "." + PROP_ENABLE, "true").trim();
if (enable.equalsIgnoreCase("false")) {
mSystemDefaults = DEF_POLICIES;
@@ -1217,17 +1188,16 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
}
// Load default policies that are always present.
- String configuredDefaults = mConfig.getString(PROP_DEF_POLICIES,
- null);
+ String configuredDefaults = mConfig.getString(PROP_DEF_POLICIES, null);
- if (configuredDefaults == null ||
- configuredDefaults.trim().length() == 0)
+ if (configuredDefaults == null
+ || configuredDefaults.trim().length() == 0)
mSystemDefaults = DEF_POLICIES;
else {
Vector rules = new Vector();
- StringTokenizer tokenizer = new
- StringTokenizer(configuredDefaults.trim(), ",");
-
+ StringTokenizer tokenizer = new StringTokenizer(
+ configuredDefaults.trim(), ",");
+
while (tokenizer.hasMoreTokens()) {
String rule = tokenizer.nextToken().trim();
@@ -1236,11 +1206,11 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
if (rules.size() > 0) {
mSystemDefaults = new String[rules.size()];
rules.copyInto(mSystemDefaults);
- } else
+ } else
mSystemDefaults = DEF_POLICIES;
}
-
- // Now Initialize the rules. These defaults have only one
+
+ // Now Initialize the rules. These defaults have only one
// instance and the rule name is the name of the class itself.
// Any configuration parameters required could be read from
// <subsystemId>.Policy.default.RuleName.
@@ -1253,134 +1223,131 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
try {
Object o = Class.forName(mSystemDefaults[i]).newInstance();
- if (!(o instanceof IEnrollmentPolicy) &&
- !(o instanceof IRenewalPolicy) &&
- !(o instanceof IRevocationPolicy) &&
- !(o instanceof IKeyRecoveryPolicy) &&
- !(o instanceof IKeyArchivalPolicy))
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_INVALID_POLICY_IMPL",
- mSystemDefaults[i]));
-
+ if (!(o instanceof IEnrollmentPolicy)
+ && !(o instanceof IRenewalPolicy)
+ && !(o instanceof IRevocationPolicy)
+ && !(o instanceof IKeyRecoveryPolicy)
+ && !(o instanceof IKeyArchivalPolicy))
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_INVALID_POLICY_IMPL",
+ mSystemDefaults[i]));
+
IPolicyRule rule = (IPolicyRule) o;
-
+
// Initialize the rule.
- ruleName = mSystemDefaults[i].substring(
- mSystemDefaults[i].lastIndexOf('.') + 1);
- IConfigStore ruleConfig = mConfig.getSubStore(
- PROP_DEF_POLICIES + "." + ruleName);
+ ruleName = mSystemDefaults[i].substring(mSystemDefaults[i]
+ .lastIndexOf('.') + 1);
+ IConfigStore ruleConfig = mConfig.getSubStore(PROP_DEF_POLICIES
+ + "." + ruleName);
rule.init(this, ruleConfig);
-
+
// Add the rule to the appropriate PolicySet.
addRule(ruleName, rule);
} catch (EBaseException e) {
throw e;
} catch (Exception e) {
Debug.printStackTrace(e);
- throw new EPolicyException(CMS.getUserMessage("CMS_POLICY_NO_POLICY_IMPL",
- ruleName));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_NO_POLICY_IMPL", ruleName));
}
}
}
/**
- * Read list of undeletable policies if any configured in the
- * system.
- *
- * These are required to protect the system from being misconfigured
- * to the point that the requests wouldn't serialize or certain
- * fields in the certificate(s) being checked will go unchecked
- * ..etc.
- *
- * For now the following policies are undeletable:
- *
- * DirAuthRule: This is a default DirectoryAuthentication policy
- * for user certificates that interprets directory
- * credentials. The presence of this policy is needed
- * if the OOTB DirectoryAuthentication-based automatic
- * certificate issuance is supported.
- *
- * DefaultUserNameRule: This policy verifies/sets subjectDn for user
- * certificates.
- *
- * DefaultServerNameRule: This policy verifies/sets subjectDn for
- * server certificates.
- *
- * DefaultValidityRule: Verifies/sets validty for all certificates.
- *
- * DefaultRenewalValidityRule: Verifies/sets validity for certs being
- * renewed.
- *
- * The 'undeletables' cannot be deleted from the config file, nor
- * can the be disabled. If any predicates are associated with them
- * the predicates can't be changed either. But, other config parameters
- * such as maxValidity, renewalInterval ..etc can be changed to suit
- * local policy requirements.
- *
- * During start up the policy processor will verify if the undeletables
- * are present, and that they are enabled and that their predicates are
- * not changed.
- *
- * The rules mentioned above are currently hard coded. If these need to
- * read from the config file, the 'undeletables' can be configured as
- * as follows:
- *
- * <subsystemId>.Policy.undeletablePolicies=<comma separated rule names>
- * Example:
- * ra.Policy.undeletablePolicies=DirAuthRule, DefaultUserNameRule, DefaultServerNameRule, DefaultValidityRule, DefaultRenewalValidityRule
- *
- * The predicates if any associated with them may be configured as
- * follows:
- * <subsystemId>.Policy.undeletablePolicies.DirAuthRule.predicate= certType == client.
- *
- * where subsystemId is ra or ca.
- *
+ * Read list of undeletable policies if any configured in the system.
+ *
+ * These are required to protect the system from being misconfigured to the
+ * point that the requests wouldn't serialize or certain fields in the
+ * certificate(s) being checked will go unchecked ..etc.
+ *
+ * For now the following policies are undeletable:
+ *
+ * DirAuthRule: This is a default DirectoryAuthentication policy for user
+ * certificates that interprets directory credentials. The presence of this
+ * policy is needed if the OOTB DirectoryAuthentication-based automatic
+ * certificate issuance is supported.
+ *
+ * DefaultUserNameRule: This policy verifies/sets subjectDn for user
+ * certificates.
+ *
+ * DefaultServerNameRule: This policy verifies/sets subjectDn for server
+ * certificates.
+ *
+ * DefaultValidityRule: Verifies/sets validty for all certificates.
+ *
+ * DefaultRenewalValidityRule: Verifies/sets validity for certs being
+ * renewed.
+ *
+ * The 'undeletables' cannot be deleted from the config file, nor can the be
+ * disabled. If any predicates are associated with them the predicates can't
+ * be changed either. But, other config parameters such as maxValidity,
+ * renewalInterval ..etc can be changed to suit local policy requirements.
+ *
+ * During start up the policy processor will verify if the undeletables are
+ * present, and that they are enabled and that their predicates are not
+ * changed.
+ *
+ * The rules mentioned above are currently hard coded. If these need to read
+ * from the config file, the 'undeletables' can be configured as as follows:
+ *
+ * <subsystemId>.Policy.undeletablePolicies=<comma separated rule names>
+ * Example: ra.Policy.undeletablePolicies=DirAuthRule, DefaultUserNameRule,
+ * DefaultServerNameRule, DefaultValidityRule, DefaultRenewalValidityRule
+ *
+ * The predicates if any associated with them may be configured as follows:
+ * <subsystemId>.Policy.undeletablePolicies.DirAuthRule.predicate= certType
+ * == client.
+ *
+ * where subsystemId is ra or ca.
+ *
* If the undeletables are configured in the file,the configured entries
- * take precedence over the hardcoded ones in this file. If you are
- * configuring them in the file, please remember to configure the
- * predicates if applicable.
- *
- * During policy configuration from MCC, the policy processor will not
- * let you delete an 'undeletable', nor will it let you disable it.
- * You will not be able to change the predicate either. Other parameters
- * can be configured as needed.
- *
- * If a particular rule needs to be removed from the 'undeletables',
- * either remove it from the hard coded list above, or configure the
- * rules required rules only via the config file. The former needs
- * recompilation of the source. The later is flexible to be able to
- * make any rule an 'undeletable' or nor an 'undeletable'.
- *
- * Example: We want to use only manual forms for enrollment.
- * We do n't need to burn in DirAuthRule. We need to configure all
- * other rules except the DirAuthRule as follows:
- *
- * ra.Policy.undeletablePolicies = DefaultUserNameRule, DefaultServerNameRule, DefaultValidityRule, DefaultRenewalValidityRule
- *
+ * take precedence over the hardcoded ones in this file. If you are
+ * configuring them in the file, please remember to configure the predicates
+ * if applicable.
+ *
+ * During policy configuration from MCC, the policy processor will not let
+ * you delete an 'undeletable', nor will it let you disable it. You will not
+ * be able to change the predicate either. Other parameters can be
+ * configured as needed.
+ *
+ * If a particular rule needs to be removed from the 'undeletables', either
+ * remove it from the hard coded list above, or configure the rules required
+ * rules only via the config file. The former needs recompilation of the
+ * source. The later is flexible to be able to make any rule an
+ * 'undeletable' or nor an 'undeletable'.
+ *
+ * Example: We want to use only manual forms for enrollment. We do n't need
+ * to burn in DirAuthRule. We need to configure all other rules except the
+ * DirAuthRule as follows:
+ *
+ * ra.Policy.undeletablePolicies = DefaultUserNameRule,
+ * DefaultServerNameRule, DefaultValidityRule, DefaultRenewalValidityRule
+ *
* The following predicates are necessary:
- *
- * ra.Policy.undeletablePolicies.DefaultUserNameRule.predicate = certType == client
- * ra.Policy.undeletablePolicies.DefaultServerNameRule.predicate = certType == server
- *
- * The other two rules do not have any predicates.
+ *
+ * ra.Policy.undeletablePolicies.DefaultUserNameRule.predicate = certType ==
+ * client ra.Policy.undeletablePolicies.DefaultServerNameRule.predicate =
+ * certType == server
+ *
+ * The other two rules do not have any predicates.
*/
private void initUndeletablePolicies(IConfigStore mConfig)
- throws EBaseException {
+ throws EBaseException {
// Read undeletable policies if any configured.
- String configuredUndeletables =
- mConfig.getString(PROP_UNDELETABLE_POLICIES, null);
+ String configuredUndeletables = mConfig.getString(
+ PROP_UNDELETABLE_POLICIES, null);
- if (configuredUndeletables == null ||
- configuredUndeletables.trim().length() == 0) {
+ if (configuredUndeletables == null
+ || configuredUndeletables.trim().length() == 0) {
mUndeletablePolicies = DEF_UNDELETABLE_POLICIES;
return;
}
Vector rules = new Vector();
- StringTokenizer tokenizer = new
- StringTokenizer(configuredUndeletables.trim(), ",");
-
+ StringTokenizer tokenizer = new StringTokenizer(
+ configuredUndeletables.trim(), ",");
+
while (tokenizer.hasMoreTokens()) {
String rule = tokenizer.nextToken().trim();
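Review bot: The Javadoc reflow near the end of this hunk fuses the two example properties into one run, `... = certType == client ra.Policy.undeletablePolicies.DefaultServerNameRule.predicate = certType == server`, so the text now reads as a single predicate whose value is `client ra.Policy...`; each property must stay on its own line: `* ra.Policy.undeletablePolicies.DefaultUserNameRule.predicate = certType == client` followed by `* ra.Policy.undeletablePolicies.DefaultServerNameRule.predicate = certType == server`. The same reflow split the `ra.Policy.undeletablePolicies = DefaultUserNameRule, ...` list and the earlier `<subsystemId>.Policy.undeletablePolicies.DirAuthRule.predicate= certType == client.` example across comment lines, which is harmless but no longer copy-pastable. Wrapping those configuration examples in a `<pre>` block would keep the formatter from reflowing them again. The body of initUndeletablePolicies continues past the end of this hunk.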
@@ -1392,18 +1359,18 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
return;
}
- // For each rule read from the config file, see if any
+ // For each rule read from the config file, see if any
// predicate is set.
mUndeletablePolicies = new Hashtable();
for (Enumeration e = rules.elements(); e.hasMoreElements();) {
String urn = (String) e.nextElement();
-
+
// See if there is predicate in the file
- String pred = mConfig.getString(PROP_UNDELETABLE_POLICIES +
- "." + urn + "." + PROP_PREDICATE, null);
-
+ String pred = mConfig.getString(PROP_UNDELETABLE_POLICIES + "."
+ + urn + "." + PROP_PREDICATE, null);
+
IExpression exp = SimpleExpression.NULL_EXPRESSION;
-
+
if (pred != null)
exp = PolicyPredicateParser.parse(pred);
mUndeletablePolicies.put(urn, exp);
@@ -1437,30 +1404,27 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
return ret;
}
- private void verifyDefaultPolicyConfig()
- throws EPolicyException {
+ private void verifyDefaultPolicyConfig() throws EPolicyException {
// For each policy in undeletable list make sure that
// the policy is present, is not disabled and its predicate
// is not tampered with.
- for (Enumeration e = mUndeletablePolicies.keys();
- e.hasMoreElements();) {
+ for (Enumeration e = mUndeletablePolicies.keys(); e.hasMoreElements();) {
String urn = (String) e.nextElement();
// See if the rule is in the instance table.
PolicyInstance inst = (PolicyInstance) mInstanceTable.get(urn);
if (inst == null)
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_MISSING_PERSISTENT_RULE", urn));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_MISSING_PERSISTENT_RULE", urn));
- // See if the instance is disabled.
+ // See if the instance is disabled.
if (!inst.isActive())
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_INACTIVE", urn));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_PERSISTENT_RULE_INACTIVE", urn));
- // See if the predicated is misconfigured.
- IExpression defPred = (IExpression)
- mUndeletablePolicies.get(urn);
+ // See if the predicated is misconfigured.
+ IExpression defPred = (IExpression) mUndeletablePolicies.get(urn);
// We used SimpleExpression.NULL_EXPRESSION to indicate a null.
if (defPred == SimpleExpression.NULL_EXPRESSION)
@@ -1468,61 +1432,59 @@ public class GenericPolicyProcessor implements IPolicyProcessor {
IExpression confPred = inst.getRule().getPredicate();
if (defPred == null && confPred != null) {
- String[] params = {urn, "null", confPred.toString()};
+ String[] params = { urn, "null", confPred.toString() };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
} else if (defPred != null && confPred == null) {
- String[] params = {urn, defPred.toString(), "null"};
+ String[] params = { urn, defPred.toString(), "null" };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
} else if (defPred != null && confPred != null) {
if (!defPred.toString().equals(confPred.toString())) {
- String[] params = {urn, defPred.toString(),
- confPred.toString()};
+ String[] params = { urn, defPred.toString(),
+ confPred.toString() };
- throw new EPolicyException(
- CMS.getUserMessage("CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
+ throw new EPolicyException(CMS.getUserMessage(
+ "CMS_POLICY_PERSISTENT_RULE_MISCONFIG", params));
}
}
}
}
}
-
/**
* Class to keep track of various configurable implementations.
*/
class RegisteredPolicy {
String mId;
String mClPath;
- public RegisteredPolicy (String id, String clPath) {
+
+ public RegisteredPolicy(String id, String clPath) {
if (id == null || clPath == null)
- throw new
- AssertionException("Policy id or classpath can't be null");
+ throw new AssertionException("Policy id or classpath can't be null");
mId = id;
mClPath = clPath;
}
-
+
public String getClassPath() {
return mClPath;
}
-
+
public String getId() {
return mId;
}
}
-
class PolicyInstance {
String mInstanceId;
String mImplId;
IPolicyRule mRule;
boolean mIsEnabled;
- public PolicyInstance(String instanceId, String implId,
- IPolicyRule rule, boolean isEnabled) {
+ public PolicyInstance(String instanceId, String implId, IPolicyRule rule,
+ boolean isEnabled) {
mInstanceId = instanceId;
mImplId = implId;
mRule = rule;
@@ -1558,9 +1520,8 @@ class PolicyInstance {
public void setActive(boolean stat) {
mIsEnabled = stat;
}
-
+
public void setRule(IPolicyRule newRule) {
mRule = newRule;
}
-}
-
+}