1 | package net.deterlab.abac; |
---|
2 | |
---|
3 | import java.io.*; |
---|
4 | import java.util.*; |
---|
5 | import java.lang.reflect.*; |
---|
6 | |
---|
7 | |
---|
8 | /** |
---|
9 | * A class for parsing and generating Credentials inside a Context. All |
---|
10 | * credential parsing should use a credential factory inside a context uses a |
---|
11 | * CredentialFactory. |
---|
12 | * @author <a href="http://abac.deterlab.net">ISI ABAC team</a> |
---|
13 | * @version 1.5 |
---|
14 | */ |
---|
15 | public class CredentialFactory implements Cloneable { |
---|
16 | protected List<CredentialFactorySpecialization> spec; |
---|
17 | |
---|
18 | /** |
---|
19 | * The xmlparsing routines helpfully close input streams when they |
---|
20 | * successfully parse a document from one. It's possible for a correctly |
---|
21 | * parsed XML document to need to be reparsed by later specialization, for |
---|
22 | * example because the XML was fine, but it was the wrong type of |
---|
23 | * credential. This makes the close operation a NOOP. |
---|
24 | */ |
---|
25 | static protected class UnclosableBufferedInputStream extends |
---|
26 | BufferedInputStream { |
---|
27 | public UnclosableBufferedInputStream(InputStream is) { |
---|
28 | super(is); |
---|
29 | } |
---|
30 | public UnclosableBufferedInputStream(InputStream is, int s) { |
---|
31 | super(is, s); |
---|
32 | } |
---|
33 | |
---|
34 | public void close() throws IOException { } |
---|
35 | }; |
---|
36 | /** The classes understood by the default CredentialFactory (in order) */ |
---|
37 | static public String[] defNames = new String[] { |
---|
38 | "net.deterlab.abac.GENICredentialv1_1", |
---|
39 | "net.deterlab.abac.GENICredentialv1_0", |
---|
40 | "net.deterlab.abac.X509Credential", |
---|
41 | "net.deterlab.abac.GENIPrivCredential", |
---|
42 | }; |
---|
43 | |
---|
44 | /** Maximum credential size that can be rewound for reparsing */ |
---|
45 | public static final int maxSize = 50 * 1024; |
---|
46 | |
---|
47 | /** |
---|
48 | * Create a Credential Factory that parses the default type(s) |
---|
49 | * @throws ABACException if the object cannot be created |
---|
50 | */ |
---|
51 | public CredentialFactory() throws ABACException { |
---|
52 | spec = new ArrayList<CredentialFactorySpecialization>(); |
---|
53 | for ( String name: defNames) |
---|
54 | registerClass(name); |
---|
55 | } |
---|
56 | |
---|
57 | /** |
---|
58 | * Create a Credential Factory that parses the given type(s). Each String |
---|
59 | * should be the binary name for a class that exports a static |
---|
60 | * getCredentialParser method that returns a CredentialParser for the |
---|
61 | * class. |
---|
62 | * @param names a Collection of Strings naming the classes to parse |
---|
63 | * @throws ABACException if the object cannot be created |
---|
64 | */ |
---|
65 | public CredentialFactory(Collection<String> names) throws ABACException { |
---|
66 | spec = new ArrayList<CredentialFactorySpecialization>(); |
---|
67 | for (String n : names ) |
---|
68 | registerClass(n); |
---|
69 | } |
---|
70 | |
---|
71 | /** |
---|
72 | * Create a Credential Factory that parses the given type(s). Each String |
---|
73 | * should be the binary name for a class that exports a static |
---|
74 | * getCredentialParser method that returns a CredentialParser for the |
---|
75 | * class. |
---|
76 | * @param names an Array of Strings naming the classes to parse |
---|
77 | * @throws ABACException if the object cannot be created |
---|
78 | */ |
---|
79 | public CredentialFactory(String[] names) throws ABACException { |
---|
80 | spec = new ArrayList<CredentialFactorySpecialization>(); |
---|
81 | for (String n : names ) |
---|
82 | registerClass(n); |
---|
83 | } |
---|
84 | |
---|
85 | /** |
---|
86 | * Create a Credential Factory that is a clone of the given |
---|
87 | * CredentialFactory. |
---|
88 | * @param cf the CredentialFactory to copy |
---|
89 | * @throws ABACException if the object cannot be created |
---|
90 | */ |
---|
91 | public CredentialFactory(CredentialFactory cf) throws ABACException { |
---|
92 | this(); |
---|
93 | |
---|
94 | spec = new ArrayList<CredentialFactorySpecialization>(); |
---|
95 | |
---|
96 | for ( int i = 0; i < spec.size(); i++) |
---|
97 | spec.add(cf.spec.get(i)); |
---|
98 | } |
---|
99 | |
---|
100 | /** |
---|
101 | * Make a copy of this CredentialFactory |
---|
102 | * @return a CredentialFactory, a copy of this one |
---|
103 | */ |
---|
104 | public Object clone() throws CloneNotSupportedException { |
---|
105 | CredentialFactory cf = null; |
---|
106 | try { |
---|
107 | cf = new CredentialFactory(this); |
---|
108 | } |
---|
109 | catch (ABACException ae) { |
---|
110 | return null; |
---|
111 | } |
---|
112 | return cf; |
---|
113 | } |
---|
114 | |
---|
115 | |
---|
116 | /** |
---|
117 | * Parse an input stream using each possible credential format and the |
---|
118 | * available identities for validation. Return the credentials found or |
---|
119 | * throw an ABACException with the problem. It wraps the input stream in a |
---|
120 | * BufferedInputStream in order to retry is a parser fails. Credentials |
---|
121 | * larger than maxSize will nor be able to be reparsed. |
---|
122 | * @param is an InputStream to parse |
---|
123 | * @param ids a Collection of Identities for validation |
---|
124 | * @return an Array of Credentials parsed |
---|
125 | * @throws CertInvalidException if the stream is unparsable |
---|
126 | * @throws MissingIssuerException if none of the Identities can validate the |
---|
127 | * @throws BadSignatureException if the signature check fails |
---|
128 | */ |
---|
129 | public Credential[] parseCredential(InputStream is, |
---|
130 | Collection<Identity> ids) throws ABACException { |
---|
131 | Credential[] rv = null; |
---|
132 | ABACException err = null; |
---|
133 | UnclosableBufferedInputStream bs = |
---|
134 | new UnclosableBufferedInputStream(is, maxSize); |
---|
135 | |
---|
136 | bs.mark(maxSize); |
---|
137 | for (CredentialFactorySpecialization c : spec ) { |
---|
138 | try { |
---|
139 | rv = c.parseCredential(bs, ids); |
---|
140 | break; |
---|
141 | } |
---|
142 | catch (ABACException e ) { |
---|
143 | err = e; |
---|
144 | rv = null; |
---|
145 | } |
---|
146 | try { |
---|
147 | if (spec.size() > 1) bs.reset(); |
---|
148 | } |
---|
149 | catch (IOException ie) { |
---|
150 | break; |
---|
151 | } |
---|
152 | } |
---|
153 | |
---|
154 | if ( rv != null ) |
---|
155 | return rv; |
---|
156 | else |
---|
157 | throw (err != null) ? err : |
---|
158 | new ABACException("null exception and failed construction??"); |
---|
159 | } |
---|
160 | |
---|
161 | |
---|
162 | /** |
---|
163 | * Parse a File using each possible credential format and the |
---|
164 | * available identities for validation. Return the credentials found or |
---|
165 | * throw an ABACException with the problem. Calls the InputStream version |
---|
166 | * internally. |
---|
167 | * @param f a File to parse |
---|
168 | * @param ids a Collection of Identities for validation |
---|
169 | * @return an Array of Credentials parsed |
---|
170 | * @throws CertInvalidException if the stream is unparsable |
---|
171 | * @throws MissingIssuerException if none of the Identities can validate the |
---|
172 | * @throws BadSignatureException if the signature check fails |
---|
173 | */ |
---|
174 | public Credential[] parseCredential(File f, |
---|
175 | Collection<Identity> ids) throws ABACException { |
---|
176 | try { |
---|
177 | return parseCredential(new FileInputStream(f), ids); |
---|
178 | } |
---|
179 | catch (FileNotFoundException e) { |
---|
180 | throw new CertInvalidException(e.getMessage(), e); |
---|
181 | } |
---|
182 | } |
---|
183 | /** |
---|
184 | * Parse a file named fn using each possible credential format and the |
---|
185 | * available identities for validation. Return the credentials found or |
---|
186 | * throw an ABACException with the problem. Calls the InputStream version |
---|
187 | * internally. |
---|
188 | * @param fn a String holding the filename to parse |
---|
189 | * @param ids a Collection of Identities for validation |
---|
190 | * @return an Array of Credentials parsed |
---|
191 | * @throws CertInvalidException if the stream is unparsable |
---|
192 | * @throws MissingIssuerException if none of the Identities can validate the |
---|
193 | * @throws BadSignatureException if the signature check fails |
---|
194 | */ |
---|
195 | public Credential[] parseCredential(String fn, |
---|
196 | Collection<Identity> ids) throws ABACException { |
---|
197 | return parseCredential(new File(fn), ids); |
---|
198 | } |
---|
199 | |
---|
200 | /** |
---|
201 | * Return a credential from the first class registered in |
---|
202 | * the factory. |
---|
203 | * @param head a Role, the head of the encoded ABAC statement |
---|
204 | * @param tail a Role, the tail of the decoded ABAC statement |
---|
205 | * @param aliases a KeyIDMap holding aliases for this creation |
---|
206 | * @return a Credential encoding that ABAC statement |
---|
207 | */ |
---|
208 | public Credential generateCredential(Role head, Role tail, |
---|
209 | KeyIDMap aliases) { |
---|
210 | if (spec.isEmpty()) return null; |
---|
211 | return spec.get(0).generateCredential(head, tail, aliases); |
---|
212 | } |
---|
213 | |
---|
214 | /** |
---|
215 | * Add the named class to the list of usable specializations. The class |
---|
216 | * passed in must have a static getCredentialFactorySpecialization() method |
---|
217 | * that returns a CredentialFactorySpecialization to use. |
---|
218 | * @param name a String containing the binary name of the class to register |
---|
219 | * @throws ABACException if there is a problem. The cause field of this |
---|
220 | * exception is set to the classloading exception, if any. |
---|
221 | */ |
---|
222 | public void registerClass(String name) |
---|
223 | throws ABACException { |
---|
224 | CredentialFactorySpecialization cs = null; |
---|
225 | |
---|
226 | try { |
---|
227 | /* <?> doesn't guarantee much, but shuts the compiler up */ |
---|
228 | Class<?> c = Class.forName(name); |
---|
229 | Method m = c.getMethod("getCredentialFactorySpecialization"); |
---|
230 | |
---|
231 | cs = (CredentialFactorySpecialization) m.invoke(null); |
---|
232 | } |
---|
233 | catch (Exception e) { |
---|
234 | throw new ABACException("Could not register credential type" + |
---|
235 | e.getMessage(), e); |
---|
236 | } |
---|
237 | |
---|
238 | spec.add(cs); |
---|
239 | } |
---|
240 | } |
---|