org.eclipse.om2m.core/src/main/java/org/eclipse/om2m/core/dynamicauthorization/DynamicAuthorizationSelector.java - gerrit/om2m/org.eclipse.om2m - Git at Google

 /*******************************************************************************
  * Copyright (c) 2014, 2016 Orange.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-v10.html
  *******************************************************************************/
 package org.eclipse.om2m.core.dynamicauthorization;

 import java.math.BigInteger;
 import java.util.List;

 import org.eclipse.om2m.commons.constants.Constants;
 import org.eclipse.om2m.commons.constants.MimeMediaType;
 import org.eclipse.om2m.commons.constants.Operation;
 import org.eclipse.om2m.commons.constants.ResponseStatusCode;
 import org.eclipse.om2m.commons.constants.SecurityInfoType;
 import org.eclipse.om2m.commons.entities.DynamicAuthorizationConsultationEntity;
 import org.eclipse.om2m.commons.entities.ResourceEntity;
 import org.eclipse.om2m.commons.exceptions.AccessDeniedException;
 import org.eclipse.om2m.commons.resource.AccessControlRule;
 import org.eclipse.om2m.commons.resource.DynAuthDasRequest;
 import org.eclipse.om2m.commons.resource.DynAuthDasResponse.DynamicACPInfo;
 import org.eclipse.om2m.commons.resource.RequestPrimitive;
 import org.eclipse.om2m.commons.resource.ResponsePrimitive;
 import org.eclipse.om2m.commons.resource.SecurityInfo;
 import org.eclipse.om2m.commons.resource.SetOfAcrs;
 import org.eclipse.om2m.core.redirector.Redirector;

 public class DynamicAuthorizationSelector {

 	/**
 	 * singleton
 	 */
 	private static final DynamicAuthorizationSelector INSTANCE = new DynamicAuthorizationSelector();

 	/**
 	 *
 	 * @return singleton
 	 */
 	public static DynamicAuthorizationSelector getInstance() {
 		return INSTANCE;
 	}

 	/**
 	 * Make private the default constructor.
 	 */
 	private DynamicAuthorizationSelector() {
 	}

 	/**
 	 * Perform authorize request to the Dynamic Authorization Servers
 	 * represented by the provided DynamicAuthorizationConsultation entities.
 	 *
 	 *
 	 * @param dacesToBeUsed
 	 *            dynamicAuthorizationConsultation entities to be used for the
 	 *            authorization process
 	 * @param request
 	 *            request to be performed if the authorization is granted
 	 * @param resourceEntity
 	 *            resource involved in the request
 	 * @return list of ACPs extracted from dynamicAcpInfo
 	 */
 	public void authorize(List<DynamicAuthorizationConsultationEntity> dacesToBeUsed, RequestPrimitive request,
 			ResourceEntity resourceEntity) throws AccessDeniedException {

 		// iterate over daces list in order to perform authorization process
 		for (DynamicAuthorizationConsultationEntity dace : dacesToBeUsed) {
 			// check if the DynamicAuthorizationConsultation entity is enabled
 			if (dace.getDynamicAuthorizationEnabled()) {
 				if (authorize(dace, request, resourceEntity)) {
 					return;
 				}
 			}
 		}

 		throw new AccessDeniedException();

 	}

 	/**
 	 * Perform authorize request to a specific server
 	 *
 	 * @param dace
 	 *            dynamicAuthorizationConsultation entity to be used for the
 	 *            authorization process
 	 * @param request
 	 *            request
 	 * @param resourceEntity
 	 *            resource
 	 * @return true if the server grants the authorization else false (all other
 	 *         cases)
 	 */
 	private boolean authorize(DynamicAuthorizationConsultationEntity dace, RequestPrimitive request,
 			ResourceEntity resourceEntity) {


 		SecurityInfo securityInfo = new SecurityInfo();
 		securityInfo.setSecurityInfoType(SecurityInfoType.DYNAMIC_AUTHORIZATION_REQUEST);
 		securityInfo.setDasRequest(new DynAuthDasRequest());
 		securityInfo.getDasRequest().setOperation(request.getOperation());
 		securityInfo.getDasRequest().setOriginator(request.getFrom());
 		securityInfo.getDasRequest().setTargetedResourceID(resourceEntity.getResourceID());
 		securityInfo.getDasRequest().setTargetedResourceType(resourceEntity.getResourceType());

 		List<String> pointOfAccesses = dace.getDynamicAuthorizationPoA();
 		for (String pointOfAccess : pointOfAccesses) {
 			RequestPrimitive notifyRequest = new RequestPrimitive();
 			notifyRequest.setOperation(Operation.NOTIFY);
 			notifyRequest.setTargetId(pointOfAccess);
 			notifyRequest.setFrom(Constants.ADMIN_REQUESTING_ENTITY);
 			notifyRequest.setContent(securityInfo);
 			notifyRequest.setRequestContentType(MimeMediaType.OBJ);
 			notifyRequest.setReturnContentType(MimeMediaType.OBJ);

 			ResponsePrimitive response = Redirector.retargetNotify(notifyRequest);
 			if (ResponseStatusCode.OK.equals(response.getResponseStatusCode())) {
 				SecurityInfo responseSecurityInfo = (SecurityInfo) response.getContent();
 				if (responseSecurityInfo == null) {
 					// no dynamic acp
 					continue;
 				}
 				if (!SecurityInfoType.DYNAMIC_AUTHORIZATION_RESPONSE
 						.equals(responseSecurityInfo.getSecurityInfoType())) {
 					// invalid type
 					continue;
 				}


 				DynamicACPInfo dynamicAcpInfo = responseSecurityInfo.getDasResponse().getDynamicACPInfo();
 				if (dynamicAcpInfo == null) {
 					// no dynamicAcpInfo
 					continue;
 				}
 				try {
 					checkACPs(dynamicAcpInfo, request.getFrom(), request.getOperation());
 					return true;
 				} catch (AccessDeniedException e) {
 					// we continue to iterate over dac point of accesses
 				}
 			}
 		}

 		return false;
 	}


 	/**
 	 * Checks the Access Right based on ACP list (Permission)
 	 * @param acp - Id of the accessRight
 	 * @param originator - requesting entity used by the requester
 	 * @param operation - requested method
 	 * @return error with a specific status code if the requesting Entity or the method does not exist otherwise null
 	 */
 	public void checkACPs(DynamicACPInfo dynamicAcpInfo, String originator, BigInteger operation)
 			throws AccessDeniedException{
 		if(originator == null){
 			throw new AccessDeniedException();
 		}
 		if (dynamicAcpInfo == null) {
 			throw new AccessDeniedException("dynamicAcpInfo is false");
 		}
 		// Check Resource accessRight existence not found
 		boolean originatorFound = false;
 		boolean operationAllowed = false;

 		SetOfAcrs setOfAcrs = dynamicAcpInfo.getGrantedPrivileges();
 		if (setOfAcrs == null) {
 			throw new AccessDeniedException("set of acrs is null");
 		}
 		for (AccessControlRule rule : setOfAcrs.getAccessControlRule()){
 			originatorFound = false ;
 			operationAllowed = false;
 			for (String  originatorRule : rule.getAccessControlOriginators()){
 				if (originator.matches(originatorRule.replace("*", ".*"))){
 					originatorFound = true;
 					break;
 				}
 			}
 			if (originatorFound){
 				if (rule.getAccessControlOperations().equals(operation)) {
 					operationAllowed = true;
 				}
 			}
 			if (originatorFound && operationAllowed){
 				break;
 			}
 		}
 		if (originatorFound && operationAllowed){
 			return;
 		}

 		throw new AccessDeniedException();
 	}
 }
	/*******************************************************************************
	* Copyright (c) 2014, 2016 Orange.
	* All rights reserved. This program and the accompanying materials
	* are made available under the terms of the Eclipse Public License v1.0
	* which accompanies this distribution, and is available at
	* http://www.eclipse.org/legal/epl-v10.html
	*******************************************************************************/
	package org.eclipse.om2m.core.dynamicauthorization;

	import java.math.BigInteger;
	import java.util.List;

	import org.eclipse.om2m.commons.constants.Constants;
	import org.eclipse.om2m.commons.constants.MimeMediaType;
	import org.eclipse.om2m.commons.constants.Operation;
	import org.eclipse.om2m.commons.constants.ResponseStatusCode;
	import org.eclipse.om2m.commons.constants.SecurityInfoType;
	import org.eclipse.om2m.commons.entities.DynamicAuthorizationConsultationEntity;
	import org.eclipse.om2m.commons.entities.ResourceEntity;
	import org.eclipse.om2m.commons.exceptions.AccessDeniedException;
	import org.eclipse.om2m.commons.resource.AccessControlRule;
	import org.eclipse.om2m.commons.resource.DynAuthDasRequest;
	import org.eclipse.om2m.commons.resource.DynAuthDasResponse.DynamicACPInfo;
	import org.eclipse.om2m.commons.resource.RequestPrimitive;
	import org.eclipse.om2m.commons.resource.ResponsePrimitive;
	import org.eclipse.om2m.commons.resource.SecurityInfo;
	import org.eclipse.om2m.commons.resource.SetOfAcrs;
	import org.eclipse.om2m.core.redirector.Redirector;

	public class DynamicAuthorizationSelector {

	/**
	* singleton
	*/
	private static final DynamicAuthorizationSelector INSTANCE = new DynamicAuthorizationSelector();

	/**
	*
	* @return singleton
	*/
	public static DynamicAuthorizationSelector getInstance() {
	return INSTANCE;
	}

	/**
	* Make private the default constructor.
	*/
	private DynamicAuthorizationSelector() {
	}

	/**
	* Perform authorize request to the Dynamic Authorization Servers
	* represented by the provided DynamicAuthorizationConsultation entities.
	*
	*
	* @param dacesToBeUsed
	* dynamicAuthorizationConsultation entities to be used for the
	* authorization process
	* @param request
	* request to be performed if the authorization is granted
	* @param resourceEntity
	* resource involved in the request
	* @return list of ACPs extracted from dynamicAcpInfo
	*/
	public void authorize(List<DynamicAuthorizationConsultationEntity> dacesToBeUsed, RequestPrimitive request,
	ResourceEntity resourceEntity) throws AccessDeniedException {

	// iterate over daces list in order to perform authorization process
	for (DynamicAuthorizationConsultationEntity dace : dacesToBeUsed) {
	// check if the DynamicAuthorizationConsultation entity is enabled
	if (dace.getDynamicAuthorizationEnabled()) {
	if (authorize(dace, request, resourceEntity)) {
	return;
	}
	}
	}

	throw new AccessDeniedException();

	}

	/**
	* Perform authorize request to a specific server
	*
	* @param dace
	* dynamicAuthorizationConsultation entity to be used for the
	* authorization process
	* @param request
	* request
	* @param resourceEntity
	* resource
	* @return true if the server grants the authorization else false (all other
	* cases)
	*/
	private boolean authorize(DynamicAuthorizationConsultationEntity dace, RequestPrimitive request,
	ResourceEntity resourceEntity) {


	SecurityInfo securityInfo = new SecurityInfo();
	securityInfo.setSecurityInfoType(SecurityInfoType.DYNAMIC_AUTHORIZATION_REQUEST);
	securityInfo.setDasRequest(new DynAuthDasRequest());
	securityInfo.getDasRequest().setOperation(request.getOperation());
	securityInfo.getDasRequest().setOriginator(request.getFrom());
	securityInfo.getDasRequest().setTargetedResourceID(resourceEntity.getResourceID());
	securityInfo.getDasRequest().setTargetedResourceType(resourceEntity.getResourceType());

	List<String> pointOfAccesses = dace.getDynamicAuthorizationPoA();
	for (String pointOfAccess : pointOfAccesses) {
	RequestPrimitive notifyRequest = new RequestPrimitive();
	notifyRequest.setOperation(Operation.NOTIFY);
	notifyRequest.setTargetId(pointOfAccess);
	notifyRequest.setFrom(Constants.ADMIN_REQUESTING_ENTITY);
	notifyRequest.setContent(securityInfo);
	notifyRequest.setRequestContentType(MimeMediaType.OBJ);
	notifyRequest.setReturnContentType(MimeMediaType.OBJ);

	ResponsePrimitive response = Redirector.retargetNotify(notifyRequest);
	if (ResponseStatusCode.OK.equals(response.getResponseStatusCode())) {
	SecurityInfo responseSecurityInfo = (SecurityInfo) response.getContent();
	if (responseSecurityInfo == null) {
	// no dynamic acp
	continue;
	}
	if (!SecurityInfoType.DYNAMIC_AUTHORIZATION_RESPONSE
	.equals(responseSecurityInfo.getSecurityInfoType())) {
	// invalid type
	continue;
	}


	DynamicACPInfo dynamicAcpInfo = responseSecurityInfo.getDasResponse().getDynamicACPInfo();
	if (dynamicAcpInfo == null) {
	// no dynamicAcpInfo
	continue;
	}
	try {
	checkACPs(dynamicAcpInfo, request.getFrom(), request.getOperation());
	return true;
	} catch (AccessDeniedException e) {
	// we continue to iterate over dac point of accesses
	}
	}
	}

	return false;
	}


	/**
	* Checks the Access Right based on ACP list (Permission)
	* @param acp - Id of the accessRight
	* @param originator - requesting entity used by the requester
	* @param operation - requested method
	* @return error with a specific status code if the requesting Entity or the method does not exist otherwise null
	*/
	public void checkACPs(DynamicACPInfo dynamicAcpInfo, String originator, BigInteger operation)
	throws AccessDeniedException{
	if(originator == null){
	throw new AccessDeniedException();
	}
	if (dynamicAcpInfo == null) {
	throw new AccessDeniedException("dynamicAcpInfo is false");
	}
	// Check Resource accessRight existence not found
	boolean originatorFound = false;
	boolean operationAllowed = false;

	SetOfAcrs setOfAcrs = dynamicAcpInfo.getGrantedPrivileges();
	if (setOfAcrs == null) {
	throw new AccessDeniedException("set of acrs is null");
	}
	for (AccessControlRule rule : setOfAcrs.getAccessControlRule()){
	originatorFound = false ;
	operationAllowed = false;
	for (String originatorRule : rule.getAccessControlOriginators()){
	if (originator.matches(originatorRule.replace("", "."))){
	originatorFound = true;
	break;
	}
	}
	if (originatorFound){
	if (rule.getAccessControlOperations().equals(operation)) {
	operationAllowed = true;
	}
	}
	if (originatorFound && operationAllowed){
	break;
	}
	}
	if (originatorFound && operationAllowed){
	return;
	}

	throw new AccessDeniedException();
	}
	}