/*
* Adito
*
* Copyright (C) 2003-2006 3SP LTD. All Rights Reserved
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2 of
* the License, or (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public
* License along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
package com.adito.jdbc;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.sql.ResultSet;
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.cache.Cache;
import org.apache.commons.cache.CacheStat;
import org.apache.commons.cache.MemoryStash;
import org.apache.commons.cache.SimpleCache;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.adito.boot.ContextHolder;
import com.adito.boot.PropertyList;
import com.adito.boot.SystemProperties;
import com.adito.core.CoreEvent;
import com.adito.core.CoreEventConstants;
import com.adito.core.CoreListener;
import com.adito.core.CoreServlet;
import com.adito.core.UserDatabaseManager;
import com.adito.policyframework.AbstractPolicyDatabase;
import com.adito.policyframework.AccessRight;
import com.adito.policyframework.AccessRights;
import com.adito.policyframework.DefaultAccessRights;
import com.adito.policyframework.DefaultPolicy;
import com.adito.policyframework.Permission;
import com.adito.policyframework.Policy;
import com.adito.policyframework.PolicyConstants;
import com.adito.policyframework.PolicyUtil;
import com.adito.policyframework.Principal;
import com.adito.policyframework.Resource;
import com.adito.policyframework.ResourceAttachedToPolicyEvent;
import com.adito.policyframework.ResourceDetachedFromPolicyEvent;
import com.adito.policyframework.ResourceType;
import com.adito.policyframework.forms.AbstractWizardPersonalResourcePolicyForm;
import com.adito.realms.Realm;
import com.adito.security.LogonControllerFactory;
import com.adito.security.Role;
import com.adito.security.SessionInfo;
import com.adito.security.User;
import com.adito.security.UserDatabase;
import com.adito.security.UserNotFoundException;
/**
* Concrete implementation of a
* {@link com.adito.policyframework.PolicyDatabase} that stores policy
* information in a JDBC compliant database.
*/
public class JDBCPolicyDatabase extends AbstractPolicyDatabase {
final static Log log = LogFactory.getLog(JDBCPolicyDatabase.class);
private JDBCDatabaseEngine db;
final static Long CACHE_TTL = new Long(SystemProperties.get(
"adito.jdbcPolicyDatabase.cacheTTL", "180000"));
final static Integer CACHE_MAXOBJS = new Integer(SystemProperties.get(
"adito.jdbcPolicyDatabase.cacheMaxObjs", "2000"));
final static Long CACHE_COST = new Long(0);
// Caches
private Cache policyCache;
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#getPolicy(int)
*/
public Policy getPolicy(int id) throws Exception {
String cacheKey = "policy-" + id;
Policy pol = (Policy) policyCache.retrieve(cacheKey);
if (pol == null) {
// Get the top level policy
JDBCPreparedStatement ps = db.getStatement("getPolicy.selectById");
ps.setInt(1, id);
try {
ResultSet rs = ps.executeQuery();
if (rs.next()) {
pol = buildPolicy(rs);
}
} finally {
ps.releasePreparedStatement();
}
if (pol != null) {
storeToCache(cacheKey, (Serializable) pol);
}
}
return pol;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getPolicies(com.adito.realms.Realm)
*/
public List<Policy> getPolicies(Realm realm) throws Exception {
String cacheKey = "policyByRealm-" + realm.getResourceId();
List<Policy> l = (List<Policy>) policyCache.retrieve(cacheKey);
if (l == null) {
// Get the top level policy
JDBCPreparedStatement ps = db.getStatement("getPolicy.selectByRealmId");
ps.setInt(1, realm.getResourceId());
l = new ArrayList<Policy>();
try {
ResultSet rs = ps.executeQuery();
while (rs.next()) {
l.add(buildPolicy(rs));
}
} finally {
ps.releasePreparedStatement();
}
storeToCache(cacheKey, (Serializable) l);
}
return l;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getPoliciesExcludePersonal(com.adito.realms.Realm)
*/
public List<Policy> getPoliciesExcludePersonal(Realm realm) throws Exception {
String cacheKey = "policyByRealm-" + realm.getRealmID() + "-excludeType" + Policy.TYPE_PERSONAL;
List<Policy> l = (List<Policy>) policyCache.retrieve(cacheKey);
if (l == null) {
// Get the top level policy
JDBCPreparedStatement ps = db.getStatement("getPolicy.excludeType.selectByRealmId");
ps.setInt(1, realm.getRealmID());
ps.setInt(2, Policy.TYPE_PERSONAL);
l = new ArrayList<Policy>();
try {
ResultSet rs = ps.executeQuery();
while (rs.next()) {
l.add(buildPolicy(rs));
}
} finally {
ps.releasePreparedStatement();
}
storeToCache(cacheKey, (Serializable) l);
}
return l;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getPolicies()
*/
public List<Policy> getPolicies() throws Exception {
String cacheKey = "policies";
List<Policy> l = (List<Policy>) policyCache.retrieve(cacheKey);
if (l == null) {
// Get the top level policy
JDBCPreparedStatement ps = db.getStatement("getPolicies.select");
l = new ArrayList<Policy>();
try {
ResultSet rs = ps.executeQuery();
while (rs.next()) {
l.add(buildPolicy(rs));
}
} finally {
ps.releasePreparedStatement();
}
storeToCache(cacheKey, (Serializable) l);
}
return l;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#createPolicy(java.lang.String, java.lang.String, int, int)
*/
public Policy createPolicy(String name, String description, int type, int realmID) throws Exception {
policyCache.clear();
JDBCPreparedStatement ps = db.getStatement("createPolicy.insert");
ps.startTransaction();
ps.setInt(1, type);
ps.setString(2, name);
ps.setString(3, description);
Calendar c = Calendar.getInstance();
ps.setString(4, db.formatTimestamp(c));
ps.setString(5, db.formatTimestamp(c));
ps.setInt(6, realmID);
try {
try {
ps.execute();
int id = db.getLastInsertId(ps, "createPolicy.lastInsertId");
ps.commit();
return new DefaultPolicy(id, name, description, type, c, c, realmID);
} finally {
ps.releasePreparedStatement();
}
} catch (Exception e) {
ps.rollback();
throw e;
} finally {
ps.endTransaction();
}
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#updatePolicy(com.adito.policyframework.Policy)
*/
public void updatePolicy(Policy policy) throws Exception {
Policy oldPolicy = getPolicy(policy.getResourceId());
if (oldPolicy == null) {
throw new Exception("Cannot update a policy that doesnt exist");
}
policyCache.clear();
JDBCPreparedStatement ps = db.getStatement("updatePolicy.update");
ps.setInt(1, policy.getType());
ps.setString(2, policy.getResourceName());
ps.setString(3, policy.getResourceDescription());
Calendar c = Calendar.getInstance();
ps.setString(4, db.formatTimestamp(c));
ps.setInt(5, policy.getResourceId());
try {
ps.execute();
policy.setDateAmended(c);
} finally {
ps.releasePreparedStatement();
}
}
public Policy deletePolicy(int id) throws Exception {
Policy oldPolicy = getPolicy(id);
if (oldPolicy == null) {
throw new Exception("Cannot delete a policy that doesnt exist");
}
policyCache.clear();
// Now delete this policy
JDBCPreparedStatement ps = db.getStatement("deletePolicy.delete");
ps.setInt(1, id);
try {
ps.execute();
ps = db.getStatement("deletePolicy.relationships1");
ps.setInt(1, id);
ps.execute();
ps = db.getStatement("deletePolicy.relationships2");
ps.setInt(1, id);
ps.execute();
} finally {
ps.releasePreparedStatement();
}
return oldPolicy;
}
/**
* Get if a principal has been graded a policy.
*
* @param policy policy
* @param principal principal
* @return granted
* @throws Exception on any error
*/
private boolean isPolicyGrantedToPrincipal(Policy policy, Principal principal)
throws Exception {
if(principal==null) {
if(log.isInfoEnabled())
log.info("NULL principal found!");
return false;
}
if (policy.getResourceId() == getEveryonePolicyIDForRealm(principal.getRealm())) {
return true;
}
String cacheKey = "policyGrantedToPrincipal-" + policy.getResourceId()
+ "-" + principal.getPrincipalName() + "-" + principal.getRealm().getResourceId();
Boolean val = (Boolean) policyCache.retrieve(cacheKey);
if (val == null) {
JDBCPreparedStatement ps = db
.getStatement("isPolicyGrantedToPrincipal.select");
ps.setInt(1, policy.getResourceId());
ps.setString(2, principal.getPrincipalName());
boolean found = false;
try {
ResultSet rs = ps.executeQuery();
try {
found = rs.next();
} finally {
rs.close();
}
} finally {
ps.releasePreparedStatement();
}
storeToCache(cacheKey, Boolean.valueOf(found));
val = Boolean.valueOf(found);
}
return val.booleanValue();
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#grantPolicyToPrincipal(com.adito.policyframework.Policy,
* com.adito.permissions.Principal)
*/
public void grantPolicyToPrincipal(Policy policy, Principal principal)
throws Exception {
if (policy.getResourceId() == getEveryonePolicyIDForRealm(principal.getRealm())) {
throw new Exception(
"Cannot grant special Everyone policy to any principal, it is granted by default.");
}
policyCache.clear();
JDBCPreparedStatement ps = db
.getStatement("grantPolicyToPrincipal.insert");
ps.setInt(1, policy.getResourceId());
ps.setString(2, principal.getPrincipalName());
ps.setInt(3, (principal instanceof User) ? Policy.PRINCIPAL_USER
: Policy.PRINCIPAL_GROUP);
try {
ps.execute();
} finally {
ps.releasePreparedStatement();
}
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#revokePolicyFromPrincipal(com.adito.policyframework.Policy,
* com.adito.permissions.Principal)
*/
public void revokePolicyFromPrincipal(Policy policy, Principal principal)
throws Exception {
if (policy.getResourceId() == getEveryonePolicyIDForRealm(principal.getRealm())) {
throw new Exception(
"Cannot revoke special Everyone policy from any principal.");
}
policyCache.clear();
JDBCPreparedStatement ps = db
.getStatement("revokePolicyFromPrincipal.delete");
ps.setInt(1, policy.getResourceId());
ps.setString(2, principal.getPrincipalName());
ps.setInt(3, (principal instanceof User) ? Policy.PRINCIPAL_USER
: Policy.PRINCIPAL_GROUP);
try {
ps.execute();
} finally {
ps.releasePreparedStatement();
}
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#revokeAllPoliciesFromPrincipal(com.adito.permissions.Principal)
*/
public void revokeAllPoliciesFromPrincipal(Principal principal)
throws Exception {
policyCache.clear();
JDBCPreparedStatement ps = db
.getStatement("revokeAllPoliciesFromPrincipal.delete");
ps.setString(1, principal.getPrincipalName());
try {
ps.execute();
} finally {
ps.releasePreparedStatement();
}
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#revokeAllPoliciesFromPrincipals(com.adito.realms.Realm)
*/
public void revokeAllPoliciesFromPrincipals(Realm realm) throws Exception {
policyCache.clear();
JDBCPreparedStatement ps = db.getStatement("revokeAllPoliciesFromPrincipals.delete");
try {
ps.execute();
} finally {
ps.releasePreparedStatement();
}
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#attachResourceToPolicy(com.adito.policyframework.Resource, com.adito.policyframework.Policy, int)
*/
public void attachResourceToPolicy(Resource resource, Policy policy, int sequence, Realm realm)
throws Exception {
policyCache.clear();
JDBCPreparedStatement ps = db
.getStatement("attachResourceToPolicy.insert");
ps.setInt(1, resource.getResourceId());
ps.setInt(2, resource.getResourceType().getResourceTypeId());
ps.setInt(3, policy.getResourceId());
ps.setInt(4, sequence);
ps.setInt(5, realm.getResourceId());
try {
ps.execute();
} finally {
ps.releasePreparedStatement();
}
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#detachResourceFromPolicy(com.adito.policyframework.Resource,
* com.adito.policyframework.Policy)
*/
public void detachResourceFromPolicy(Resource resource, Policy policy, Realm realm)
throws Exception {
policyCache.clear();
JDBCPreparedStatement ps = db
.getStatement("detachResourceFromPolicy.delete");
ps.setInt(1, resource.getResourceId());
ps.setInt(2, resource.getResourceType().getResourceTypeId());
ps.setInt(3, policy.getResourceId());
ps.setInt(4, realm.getResourceId());
try {
ps.execute();
} finally {
ps.releasePreparedStatement();
}
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#isResourceAttachedToPolicy(com.adito.policyframework.Resource,
* com.adito.policyframework.Policy)
*/
public boolean isResourceAttachedToPolicy(Resource resource, Policy policy, Realm realm)
throws Exception {
String cacheKey = "resourcePolicy-" + resource.getResourceId() + "-"
+ resource.getResourceType().getResourceTypeId() + "-"
+ policy.getResourceId();
Boolean val = (Boolean) policyCache.retrieve(cacheKey);
if (val == null) {
JDBCPreparedStatement ps = db
.getStatement("isResourceAttachedToPolicy.select");
ps.setInt(1, resource.getResourceId());
ps.setInt(2, resource.getResourceType().getResourceTypeId());
ps.setInt(3, policy.getResourceId());
ps.setInt(4, realm.getResourceId());
try {
ResultSet rs = ps.executeQuery();
try {
val = new Boolean(rs.next());
} finally {
rs.close();
}
} finally {
ps.releasePreparedStatement();
}
storeToCache(cacheKey, val);
}
return val.booleanValue();
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#isPrincipalAllowed(com.adito.policyframework.Principal, com.adito.policyframework.Resource, boolean)
*/
public boolean isPrincipalAllowed(Principal principal, Resource resource,
boolean includeSuperUser) throws Exception {
String cacheKey = "principalAllowed-" + principal.getPrincipalName() + "-realmID-" + principal.getRealm().getResourceId()
+ "-" + resource.getResourceId() + "-"
+ resource.getResourceType().getResourceTypeId() + "-"
+ includeSuperUser;
Boolean val = (Boolean) policyCache.retrieve(cacheKey);
if (val == null) {
if (principal instanceof User && includeSuperUser) {
if (LogonControllerFactory.getInstance()
.isAdministrator((User) principal)) {
val = Boolean.TRUE;
storeToCache(cacheKey, val);
return val.booleanValue();
}
}
Policy p = getGrantingPolicy(principal, resource);
val = p == null ? Boolean.FALSE : Boolean.TRUE;
storeToCache(cacheKey, val);
}
return val.booleanValue();
}
/*
* (non-Javadoc)
*
* @see com.adito.boot.Database#cleanup()
*/
public void cleanup() throws Exception {
policyCache.clear();
}
/*
* (non-Javadoc)
*
* @see com.adito.boot.Database#open(javax.servlet.ServletContext)
*/
public void open(CoreServlet controllingServlet) throws Exception {
String dbName = SystemProperties.get(
"adito.policyDatabase.jdbc.dbName",
"explorer_configuration");
controllingServlet.addDatabase(dbName, ContextHolder.getContext().getDBDirectory());
String jdbcUser = SystemProperties.get("adito.jdbc.username", "sa");
String jdbcPassword = SystemProperties.get("adito.jdbc.password",
"");
String vendorDB = SystemProperties.get("adito.jdbc.vendorClass",
"com.adito.jdbc.hsqldb.HSQLDBDatabaseEngine");
if (log.isInfoEnabled()) {
log.info("Policy database is being opened...");
log.info("JDBC vendor class implementation is " + vendorDB);
}
File upgradeDir = new File("install/upgrade");
db = (JDBCDatabaseEngine) Class.forName(vendorDB).newInstance();
db.init("policyDatabase", dbName, jdbcUser, jdbcPassword, null);
DBUpgrader upgrader = new DBUpgrader(ContextHolder.getContext()
.getVersion(), db, ContextHolder.getContext().getDBDirectory(),
upgradeDir);
upgrader.upgrade();
policyCache = new SimpleCache(new MemoryStash(CACHE_MAXOBJS.intValue()));
CoreServlet.getServlet().addCoreListener(new CoreListener() {
public void coreEvent(CoreEvent evt) {
if (evt.getId() == CoreEventConstants.USER_CREATED
|| evt.getId() == CoreEventConstants.USER_EDITED
|| evt.getId() == CoreEventConstants.USER_REMOVED
|| evt.getId() == CoreEventConstants.GROUP_CREATED
|| evt.getId() == CoreEventConstants.GROUP_REMOVED) {
policyCache.clear();
}
}
});
}
/*
* (non-Javadoc)
*
* @see com.adito.boot.Database#close()
*/
public void close() throws Exception {
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#getPoliciesAttachedToResource(com.adito.boot.policyframework.Resource)
*/
public List<Policy> getPoliciesAttachedToResource(Resource resource, Realm realm)
throws Exception {
String cacheKey = "resourcePolicies-" + resource.getResourceId() + "-"
+ resource.getResourceType().getResourceTypeId() + "-realmID-" + realm.getResourceId();
List<Policy> l = (List<Policy>) policyCache.retrieve(cacheKey);
if (l == null) {
// Get the top level policy
JDBCPreparedStatement ps = db
.getStatement("getPoliciesAttachedToResource.select");
ps.setInt(1, resource.getResourceId());
ps.setInt(2, resource.getResourceType().getResourceTypeId());
ps.setInt(3, realm.getResourceId());
l = new ArrayList<Policy>();
try {
ResultSet rs = ps.executeQuery();
while (rs.next()) {
l.add(buildPolicy(rs));
}
storeToCache(cacheKey, (Serializable) l);
} finally {
ps.releasePreparedStatement();
}
}
return l;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getPrincipalsGrantedPolicy(com.adito.policyframework.Policy, com.adito.realms.Realm)
*/
public List<Principal> getPrincipalsGrantedPolicy(Policy policy, Realm realm) throws Exception {
String cacheKey = "policyPrincipals-" + policy.getResourceId();
List<Principal> l = (List<Principal>) policyCache.retrieve(cacheKey);
if (l == null) {
l = new ArrayList<Principal>();
UserDatabase udb = UserDatabaseManager.getInstance().getUserDatabase(realm);
if (policy.getResourceId() == getEveryonePolicyIDForRealm(realm)) {
return Collections.<Principal>emptyList();
} else {
JDBCPreparedStatement ps = db
.getStatement("getPrincipalsGrantedPolicy.select");
ps.setInt(1, policy.getResourceId());
try {
ResultSet rs = ps.executeQuery();
while (rs.next()) {
String principalId = rs.getString("principal_id");
int princpalType = rs.getInt("principal_type");
Principal p = null;
if (princpalType == Policy.PRINCIPAL_USER) {
try {
p = udb.getAccount(principalId);
}
catch(UserNotFoundException unfe) {
// User no longer exists, just place a warning in the logs
}
} else {
try {
p = udb.getRole(principalId);
} catch (Exception expt) {
// Role no longer exists, just place a warning in the logs
}
}
if (p == null) {
log
.warn("An invalid principal is attached to policy "
+ policy.getResourceId()
+ ". This may happen if you switch user databases or remove users from an external userdatabase. Ignoring.");
} else {
l.add(p);
}
}
} finally {
ps.releasePreparedStatement();
}
}
storeToCache(cacheKey, (Serializable) l);
}
return l;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#revokePolicyFromAllPrincipals(com.adito.policyframework.Policy, com.adito.realms.Realm)
*/
public void revokePolicyFromAllPrincipals(Policy policy, Realm realm) throws Exception {
if (policy.getResourceId() == getEveryonePolicyIDForRealm(realm)) {
throw new Exception(
"Cannot revoke special Everyone policy from all principals.");
}
policyCache.clear();
JDBCPreparedStatement ps2 = db
.getStatement("revokePolicyFromAllPrincipals.delete");
ps2.setInt(1, policy.getResourceId());
try {
ps2.execute();
} finally {
ps2.releasePreparedStatement();
}
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#createResourcePermission(com.adito.policyframework.ResourcePermission)
*/
public AccessRights createAccessRights(
AccessRights resourcePermission) throws Exception {
policyCache.clear();
JDBCPreparedStatement ps = db
.getStatement("createResourcePermission.insert");
ps.startTransaction();
ps.setString(1, resourcePermission.getResourceName());
ps.setString(2, resourcePermission.getAccessRightsClass());
ps.setString(3, resourcePermission.getResourceDescription());
ps.setTimestamp(4, resourcePermission.getDateCreated());
ps.setTimestamp(5, resourcePermission.getDateAmended());
ps.setInt(6, resourcePermission.getRealmID());
try {
try {
ps.execute();
int id = db.getLastInsertId(ps,
"createResourcePermission.lastInsertId");
resourcePermission.setResourceId(id);
updateResourcePermissionRelationships(ps, resourcePermission);
ps.commit();
return resourcePermission;
} finally {
ps.releasePreparedStatement();
}
} catch (Exception e) {
ps.rollback();
throw e;
} finally {
ps.endTransaction();
}
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#getResourcePermissions()
*/
public List<AccessRights> getAccessRights() throws Exception {
String cacheKey = "resourcePermissions";
List<AccessRights> val = (List<AccessRights>) policyCache.retrieve(cacheKey);
if (val == null) {
JDBCPreparedStatement ps = db
.getStatement("getResourcePermissions.select");
try {
ResultSet rs = ps.executeQuery();
val = buildResourcePermission(rs);
} finally {
ps.releasePreparedStatement();
}
}
return val;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getPolicyByName(java.lang.String, int)
*/
public Policy getPolicyByName(String name, int realmID) throws Exception {
String cacheKey = "policyByName-" + name;
Policy pol = (Policy) policyCache.retrieve(cacheKey);
if (pol == null) {
JDBCPreparedStatement ps = db
.getStatement("getPolicyByName.selectByName");
ps.setString(1, name);
ps.setInt(2, realmID);
try {
ResultSet rs = ps.executeQuery();
if (rs.next()) {
pol = buildPolicy(rs);
}
} finally {
ps.releasePreparedStatement();
}
if (pol != null) {
storeToCache(cacheKey, pol);
}
}
return pol;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getAccessRightsByName(java.lang.String, int)
*/
public AccessRights getAccessRightsByName(String name, int realmID)
throws Exception {
String cacheKey = "resourcePermissionByName-" + name + "-realm id-" + realmID;
AccessRights resourcePermission = (AccessRights) policyCache
.retrieve(cacheKey);
if (resourcePermission == null) {
JDBCPreparedStatement ps = db
.getStatement("getResourcePermissionByName.select");
ps.setString(1, name);
ps.setInt(2, realmID);
try {
ResultSet rs = ps.executeQuery();
List l = buildResourcePermission(rs);
if (l.size() > 0) {
resourcePermission = (AccessRights) l.get(0);
}
} finally {
ps.releasePreparedStatement();
}
if (resourcePermission != null) {
storeToCache(cacheKey, resourcePermission);
}
}
return resourcePermission;
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#getResourcePermission(int)
*/
public AccessRights getAccessRight(int id) throws Exception {
String cacheKey = "resourcePermission-" + id;
AccessRights resourcePermission = (AccessRights) policyCache
.retrieve(cacheKey);
if (resourcePermission == null) {
JDBCPreparedStatement ps = db
.getStatement("getResourcePermission.select");
ps.setInt(1, id);
try {
ResultSet rs = ps.executeQuery();
List l = buildResourcePermission(rs);
if (l.size() > 0) {
resourcePermission = (AccessRights) l.get(0);
}
} finally {
ps.releasePreparedStatement();
}
if (resourcePermission != null) {
storeToCache(cacheKey, resourcePermission);
}
}
return resourcePermission;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#isAnyAccessRightAllowed(com.adito.security.User, boolean, boolean, boolean)
*/
public boolean isAnyAccessRightAllowed(User user,
boolean delegation, boolean system, boolean personal)
throws Exception {
String cacheKey = "anyResourcePermissionAllowed-"
+ (user == null ? "" : user.getPrincipalName()) + "-"
+ delegation + "-" + system + "-" + personal;
Boolean val = (Boolean) policyCache.retrieve(cacheKey);
if (val == null) {
if (LogonControllerFactory.getInstance().isAdministrator(
user)) {
val = Boolean.TRUE;
} else {
List resourcePermissions = getAccessRights();
AccessRights resourcePermission = null;
for (Iterator i = resourcePermissions.iterator(); val == null
&& i.hasNext();) {
resourcePermission = (AccessRights) i.next();
if (system
&& resourcePermission.getAccessRightsClass().equals(
PolicyConstants.SYSTEM_CLASS)
|| delegation
&& resourcePermission.getAccessRightsClass().equals(
PolicyConstants.DELEGATION_CLASS)
|| personal
&& resourcePermission.getAccessRightsClass().equals(
PolicyConstants.PERSONAL_CLASS))
if (isPrincipalAllowed(user, resourcePermission, true)) {
val = Boolean.TRUE;
}
}
if (val == null) {
val = Boolean.FALSE;
}
}
storeToCache(cacheKey, val);
}
return val.booleanValue();
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getAnyAccessRightAllowed(com.adito.security.User, boolean, boolean, boolean)
*/
public List<AccessRight> getAnyAccessRightAllowed(User user,
boolean delegation, boolean system, boolean personal)
throws Exception {
String cacheKey = "listResourcePermissionAllowed-"
+ (user == null ? "" : user.getPrincipalName()) + "-"
+ delegation + "-" + system + "-" + personal;
List<AccessRight> listAccessRight;
listAccessRight = (List) policyCache.retrieve(cacheKey);
if (listAccessRight == null) {
listAccessRight = new ArrayList<AccessRight>();
List resourcePermissions = getAccessRights(user.getRealm().getRealmID());
AccessRights resourcePermission = null;
for (Iterator i = resourcePermissions.iterator(); i.hasNext();) {
resourcePermission = (AccessRights) i.next();
if (system && resourcePermission.getAccessRightsClass().equals(PolicyConstants.SYSTEM_CLASS) || delegation
&& resourcePermission.getAccessRightsClass().equals(PolicyConstants.DELEGATION_CLASS) || personal
&& resourcePermission.getAccessRightsClass().equals(PolicyConstants.PERSONAL_CLASS)) {
if (isPrincipalAllowed(user, resourcePermission, true)
|| LogonControllerFactory.getInstance().isAdministrator(user)) {
listAccessRight.addAll(resourcePermission.getAccessRights());
}
}
}
storeToCache(cacheKey, (Serializable) listAccessRight);
}
return listAccessRight;
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#isPermitted(com.adito.policyframework.ResourceType,
* com.adito.policyframework.Permission[],
* com.adito.security.User, boolean)
*/
public boolean isPermitted(ResourceType resourceType,
Permission[] requiredPermissions, User user, boolean all)
throws Exception {
StringBuffer buf = new StringBuffer("resourcePermissionAllowed-");
buf.append(resourceType.getResourceTypeId());
buf.append("-");
if(requiredPermissions != null) {
for (int i = 0; i < requiredPermissions.length; i++) {
buf.append(requiredPermissions[i].getId());
buf.append("-");
}
}
buf.append(user == null ? "" : user.getPrincipalName());
buf.append("-");
buf.append(String.valueOf(all));
String cacheKey = buf.toString();
Boolean val = (Boolean) policyCache.retrieve(cacheKey);
if (val == null) {
if (LogonControllerFactory.getInstance().isAdministrator(
user)) {
val = Boolean.TRUE;
} else {
List resourcePermissions = getAccessRights();
AccessRights resourcePermission = null;
AccessRight permission = null;
// Iterator through all resource permissions
Map<String,Boolean> matched = new HashMap<String,Boolean>();
for (Iterator i = resourcePermissions.iterator(); val == null
&& i.hasNext();) {
resourcePermission = (AccessRights) i.next();
// Iterator through all permissions in the resource
for (Iterator j = resourcePermission.getAccessRights()
.iterator(); val == null && j.hasNext();) {
permission = (AccessRight) j.next();
// Until the resource type matches
if (resourceType.equals(permission.getResourceType())) {
// Check the mask, at least one must match
for (int x = 0; requiredPermissions!=null && x < requiredPermissions.length; x++) {
if (permission.getPermission().getId() == requiredPermissions[x]
.getId()) {
// Check if the user in a policy
if (isPrincipalAllowed(user,
resourcePermission, true)) {
String key = String
.valueOf(requiredPermissions[x]
.getId());
matched.put(key, Boolean.TRUE);
if (!all
|| matched.size() == requiredPermissions.length) {
break;
}
}
}
}
}
}
}
if (all && requiredPermissions!=null && matched.size() == requiredPermissions.length) {
val = Boolean.TRUE;
} else if (!all && matched.size() > 0) {
val = Boolean.TRUE;
} else {
val = Boolean.FALSE;
}
}
storeToCache(cacheKey, val);
}
return val.booleanValue();
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#isPersonalPermitted(com.adito.policyframework.ResourceType, com.adito.policyframework.Permission[], com.adito.security.User, boolean)
*/
public boolean isPersonalPermitted(Resource resource, Permission[] requiredPermissions,
User user) throws Exception {
StringBuffer buf = new StringBuffer("personalResourcePermissionAllowed-");
buf.append(resource.getResourceType().getResourceTypeId());
buf.append("-");
buf.append(resource.getResourceId());
buf.append("-");
if(requiredPermissions != null) {
for (int i = 0; i < requiredPermissions.length; i++) {
buf.append(requiredPermissions[i].getId());
buf.append("-");
}
}
buf.append(user == null ? "" : user.getPrincipalName());
String cacheKey = buf.toString();
Boolean val = (Boolean) policyCache.retrieve(cacheKey);
if (val == null) {
if (LogonControllerFactory.getInstance().isAdministrator(
user)) {
val = Boolean.TRUE;
} else {
val = Boolean.FALSE;
List resourcePermissions = getAccessRights();
AccessRights resourcePermission = null;
AccessRight permission = null;
// Iterator through all resource permissions
for (Iterator i = resourcePermissions.iterator(); !val && i.hasNext();) {
resourcePermission = (AccessRights) i.next();
// Iterator through all permissions in the resource
for (Iterator j = resourcePermission.getAccessRights().iterator(); !val && j.hasNext();) {
permission = (AccessRight) j.next();
// Until the resource type matches
if (resource.getResourceType().equals(permission.getResourceType())) {
for (int x = 0; x < requiredPermissions.length; x++) {
Permission requiredPermission = requiredPermissions[x];
if ((permission.getPermission().getId() == requiredPermission.getId())
&& (requiredPermission.getId() == PolicyConstants.PERM_PERSONAL_CREATE_EDIT_AND_DELETE_ID)) {
List policiesResource = getPoliciesAttachedToResource(resource, user.getRealm());
if (policiesResource.size() != 1) {
val = Boolean.FALSE;
} else {
Policy policy = (Policy) policiesResource.get(0);
Policy policyUser = getGrantingPolicyForUser(user, resource);
if (!policy.equals(policyUser)) {
val = Boolean.FALSE;
} else {
if ((policy.getType() != Policy.TYPE_PERSONAL) || (!policy.getResourceName().equals(PolicyUtil.getPersonalPolicyName(user.getPrincipalName())))) {
val = Boolean.FALSE;
} else {
val = Boolean.TRUE;
break;
}
}
}
} else {
val = Boolean.FALSE;
}
}
}
}
}
}
storeToCache(cacheKey, val);
}
return val.booleanValue();
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#deleteResourcePermission(int)
*/
public AccessRights deleteAccessRights(int id) throws Exception {
policyCache.clear();
AccessRights dr = getAccessRight(id);
if (dr == null) {
throw new Exception(
"Cannot delete a resource permission that doesnt exist");
}
JDBCPreparedStatement ps = db
.getStatement("deleteResourcePermission.delete");
ps.startTransaction();
ps.setInt(1, id);
try {
try {
ps.execute();
deleteResourcePermissionRelationships(ps, id);
ps = db.getStatement(ps,
"deleteResourcePermission.policyRelationship");
ps.setInt(1, id);
ps.setInt(2, dr.getResourceType().getResourceTypeId());
ps.execute();
ps.commit();
} finally {
ps.releasePreparedStatement();
}
} catch (Exception e) {
ps.rollback();
throw e;
} finally {
ps.endTransaction();
}
return dr;
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#updateResourcePermission(com.adito.policyframework.ResourcePermission)
*/
public void updateAccessRights(AccessRights resourcePermission)
throws Exception {
policyCache.clear();
JDBCPreparedStatement ps = db
.getStatement("updateResourcePermission.update");
ps.startTransaction();
ps.setString(1, resourcePermission.getResourceName());
ps.setString(2, resourcePermission.getResourceDescription());
Calendar c = Calendar.getInstance();
ps.setString(3, db.formatTimestamp(c));
ps.setInt(4, resourcePermission.getResourceId());
try {
try {
ps.execute();
updateResourcePermissionRelationships(ps, resourcePermission);
} finally {
ps.releasePreparedStatement();
}
ps.commit();
resourcePermission.setDateAmended(c);
} catch (Exception e) {
ps.rollback();
throw e;
} finally {
ps.endTransaction();
}
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#initResourcePermissions()
*/
public void initAccessRights() throws Exception {
// Has no permission
registerResourceType(PolicyConstants.ACCESS_RIGHTS_RESOURCE_TYPE);
PolicyConstants.ACCESS_RIGHTS_RESOURCE_TYPE.addPermission(PolicyConstants.PERM_CREATE_EDIT_AND_ASSIGN);
PolicyConstants.ACCESS_RIGHTS_RESOURCE_TYPE.addPermission(PolicyConstants.PERM_EDIT_AND_ASSIGN);
PolicyConstants.ACCESS_RIGHTS_RESOURCE_TYPE.addPermission(PolicyConstants.PERM_ASSIGN);
PolicyConstants.ACCESS_RIGHTS_RESOURCE_TYPE.addPermission(PolicyConstants.PERM_DELETE);
// -- Resource Permissions
// Policy
registerResourceType(PolicyConstants.POLICY_RESOURCE_TYPE);
PolicyConstants.POLICY_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CREATE_EDIT_AND_ASSIGN);
PolicyConstants.POLICY_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_EDIT_AND_ASSIGN);
PolicyConstants.POLICY_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_DELETE);
PolicyConstants.POLICY_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_ASSIGN);
// Profile
registerResourceType(PolicyConstants.PROFILE_RESOURCE_TYPE);
PolicyConstants.PROFILE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CREATE_EDIT_AND_ASSIGN);
PolicyConstants.PROFILE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_EDIT_AND_ASSIGN);
PolicyConstants.PROFILE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_DELETE);
PolicyConstants.PROFILE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_ASSIGN);
// -- System Resource Permissions
// Shutdown
registerResourceType(PolicyConstants.SERVICE_CONTROL_RESOURCE_TYPE);
PolicyConstants.SERVICE_CONTROL_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_SHUTDOWN);
PolicyConstants.SERVICE_CONTROL_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_RESTART);
// System Configuration
registerResourceType(PolicyConstants.SYSTEM_CONFIGURATION_RESOURCE_TYPE);
PolicyConstants.SYSTEM_CONFIGURATION_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CHANGE);
// Keystore
registerResourceType(PolicyConstants.KEYSTORE_RESOURCE_TYPE);
PolicyConstants.KEYSTORE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CHANGE);
// Authentication Schemes
registerResourceType(PolicyConstants.AUTHENTICATION_SCHEMES_RESOURCE_TYPE);
PolicyConstants.AUTHENTICATION_SCHEMES_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CREATE_EDIT_AND_ASSIGN);
PolicyConstants.AUTHENTICATION_SCHEMES_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_EDIT_AND_ASSIGN);
PolicyConstants.AUTHENTICATION_SCHEMES_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_ASSIGN);
PolicyConstants.AUTHENTICATION_SCHEMES_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_DELETE);
// Accounts
registerResourceType(PolicyConstants.ACCOUNTS_AND_GROUPS_RESOURCE_TYPE);
PolicyConstants.ACCOUNTS_AND_GROUPS_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CREATE_EDIT_AND_ASSIGN);
PolicyConstants.ACCOUNTS_AND_GROUPS_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_DELETE);
// IP Restrictions
registerResourceType(PolicyConstants.IP_RESTRICTIONS_RESOURCE_TYPE);
PolicyConstants.IP_RESTRICTIONS_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CREATE);
PolicyConstants.IP_RESTRICTIONS_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_DELETE);
PolicyConstants.IP_RESTRICTIONS_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_EDIT);
// Extensions
registerResourceType(PolicyConstants.EXTENSIONS_RESOURCE_TYPE);
PolicyConstants.EXTENSIONS_RESOURCE_TYPE.addPermission(PolicyConstants.PERM_CHANGE);
// Message Queue
registerResourceType(PolicyConstants.MESSAGE_QUEUE_RESOURCE_TYPE);
PolicyConstants.MESSAGE_QUEUE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_VIEW);
PolicyConstants.MESSAGE_QUEUE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CLEAR);
PolicyConstants.MESSAGE_QUEUE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CONTROL);
PolicyConstants.MESSAGE_QUEUE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_SEND);
// Status
registerResourceType(PolicyConstants.STATUS_TYPE_RESOURCE_TYPE);
PolicyConstants.STATUS_TYPE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_VIEW);
// Replacement
registerResourceType(PolicyConstants.REPLACEMENTS_RESOURCE_TYPE);
PolicyConstants.REPLACEMENTS_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CHANGE);
// Attributes
registerResourceType(PolicyConstants.ATTRIBUTE_DEFINITIONS_RESOURCE_TYPE);
PolicyConstants.ATTRIBUTE_DEFINITIONS_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_MAINTAIN);
registerResourceType(PolicyConstants.ATTRIBUTES_RESOURCE_TYPE);
PolicyConstants.ATTRIBUTES_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_MAINTAIN);
// -- Personal Resource Permissions
// Profile
registerResourceType(PolicyConstants.PERSONAL_PROFILE_RESOURCE_TYPE);
PolicyConstants.PERSONAL_PROFILE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_MAINTAIN);
// Password
registerResourceType(PolicyConstants.PASSWORD_RESOURCE_TYPE);
PolicyConstants.PASSWORD_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CHANGE);
// VPN Client
registerResourceType(PolicyConstants.AGENT_RESOURCE_TYPE);
PolicyConstants.AGENT_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_USE);
// VPN Client
registerResourceType(PolicyConstants.LANGUAGE_RESOURCE_TYPE);
PolicyConstants.LANGUAGE_RESOURCE_TYPE
.addPermission(PolicyConstants.PERM_CHANGE);
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#getGrantedResourcesOfType(com.adito.permissions.Principal,
* com.adito.boot.policyframework.ResourceType)
*/
public List<Integer> getGrantedResourcesOfType(Principal principal, ResourceType type)
throws Exception {
String cacheKey = "grantedResourcesOfType-"
+ principal.getPrincipalName() + "-" + principal.getRealm().getResourceId() + "-" + type.getResourceTypeId();
Set<Integer> resourceIds = (Set<Integer>) policyCache.retrieve(cacheKey);
if (resourceIds == null) {
JDBCPreparedStatement ps = null;
resourceIds = new HashSet<Integer>();
try {
ps = db.getStatement("getGrantedResourcesOfType.select");
ps.setInt(1, type.getResourceTypeId());
ps.setString(2, principal.getPrincipalName());
ps.setInt(3, principal instanceof User ? Policy.PRINCIPAL_USER
: Policy.PRINCIPAL_GROUP);
ps.setInt(4, type.getResourceTypeId());
ps.setInt(5, principal.getRealm().getResourceId());
ResultSet rs = ps.executeQuery();
while (rs.next()) {
resourceIds.add(new Integer(rs.getInt("resource_id")));
}
if (principal instanceof User) {
// Now try roles
Role[] r = ((User) principal).getRoles();
if (r != null) {
for (int i = 0; i < r.length; i++) {
if (r[i] == null) {
log.warn("NULL role in principal "
+ principal.getPrincipalName());
continue;
}
ps.reset();
ps = db
.getStatement("getGrantedResourcesOfType.select");
ps.setInt(1, type.getResourceTypeId());
ps.setString(2, r[i].getPrincipalName());
ps.setInt(3, Policy.PRINCIPAL_GROUP);
ps.setInt(4, type.getResourceTypeId());
ps.setInt(5, principal.getRealm().getResourceId());
try {
rs = ps.executeQuery();
while (rs.next()) {
resourceIds.add(new Integer(rs
.getInt("resource_id")));
}
} finally {
ps.releasePreparedStatement();
}
}
}
}
} finally {
if (ps != null) {
ps.releasePreparedStatement();
}
}
storeToCache(cacheKey, (Serializable) resourceIds);
}
return new ArrayList<Integer>(resourceIds);
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#isPrincipalGrantedResourcesOfType(com.adito.permissions.Principal,
* com.adito.boot.policyframework.ResourceType, java.util.List)
*/
public boolean isPrincipalGrantedResourcesOfType(Principal principal,
ResourceType resourceRequired, List resourceTypesToExclude)
throws Exception {
String cacheKey = "isGrantedResourceOfType-"
+ principal.getPrincipalName()
+ "-"
+ (resourceRequired == null ? "" : String
.valueOf(resourceRequired.getResourceTypeId()));
Boolean val = (Boolean) policyCache.retrieve(cacheKey);
if (val == null) {
JDBCPreparedStatement ps = null;
if (resourceRequired == null) {
// Is the user granted ANY resources of ANY type
ps = db.getStatement("isPrincipalGranted.selectAny");
ps.setString(1, principal.getPrincipalName());
ps.setInt(2, principal instanceof User ? Policy.PRINCIPAL_USER
: Policy.PRINCIPAL_GROUP);
ps.setInt(3, principal.getRealm().getResourceId());
} else {
// Is the user granted ANY resources of a particular type
ps = db.getStatement("isPrincipalGranted.selectType");
ps.setInt(1, resourceRequired.getResourceTypeId());
ps.setString(2, principal.getPrincipalName());
ps.setInt(3, principal instanceof User ? Policy.PRINCIPAL_USER
: Policy.PRINCIPAL_GROUP);
ps.setInt(4, resourceRequired.getResourceTypeId());
ps.setInt(5, principal.getRealm().getResourceId());
}
try {
ResultSet rs = ps.executeQuery();
// First check the if provided principal has access
while (true) {
if (rs.next()) {
if (resourceTypesToExclude == null
|| resourceTypesToExclude.size() == 0) {
val = Boolean.TRUE;
break;
}
int rtn = rs.getInt("resource_type");
ResourceType rt = getResourceType(rtn);
if (rt == null) {
log
.warn("Failed to locate resource type with ID of "
+ rtn
+ ". Its possible this was created by a plugin which is no longer available.");
} else {
if (!resourceTypesToExclude.contains(rt)) {
val = Boolean.TRUE;
break;
}
}
} else {
break;
}
}
// If the principal is a user, the get their roles and check
// those as well
if (val == null && principal instanceof User) {
// Now try roles
Role[] r = ((User) principal).getRoles();
if (r != null) {
for (int i = 0; val == null && i < r.length; i++) {
if (r[i] == null) {
log.warn("NULL role in principal "
+ principal.getPrincipalName());
continue;
}
ps.reset();
if (resourceRequired == null) {
ps = db
.getStatement("isPrincipalGranted.selectAny");
ps.setString(1, r[i].getPrincipalName());
ps.setInt(2, Policy.PRINCIPAL_GROUP);
ps.setInt(3, principal.getRealm().getResourceId());
} else {
ps = db
.getStatement("isPrincipalGranted.selectType");
ps.setInt(1, resourceRequired
.getResourceTypeId());
ps.setString(2, r[i].getPrincipalName());
ps.setInt(3, Policy.PRINCIPAL_GROUP);
ps.setInt(4, resourceRequired
.getResourceTypeId());
ps.setInt(5, principal.getRealm().getResourceId());
}
try {
rs = ps.executeQuery();
while (true) {
if (rs.next()) {
if (resourceTypesToExclude == null
|| resourceTypesToExclude
.size() == 0) {
val = Boolean.TRUE;
break;
}
int rtn = rs.getInt("resource_type");
ResourceType rt = getResourceType(rtn);
if (rt == null) {
log
.warn("Failed to locate resource type with ID of "
+ rtn
+ ". Its possible this was created by a plugin which is no longer available.");
} else {
if (!resourceTypesToExclude
.contains(rt)) {
val = Boolean.TRUE;
break;
}
}
} else {
break;
}
}
} finally {
ps.releasePreparedStatement();
}
}
}
}
} finally {
ps.releasePreparedStatement();
}
if (val == null) {
val = Boolean.FALSE;
}
storeToCache(cacheKey, val);
}
return val.booleanValue();
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getPoliciesOfDelegatedAccessRights(com.adito.policyframework.ResourceType, java.lang.String, com.adito.security.User, boolean)
*/
public List<Policy> getPoliciesOfDelegatedAccessRights(
ResourceType resourceType, String permissionClass, User user) throws Exception {
StringBuffer buf = new StringBuffer(
"policiesOfDelegatedResourcePermissions");
if (resourceType != null) {
buf.append("-");
buf.append(resourceType.getResourceTypeId());
}
if (permissionClass != null) {
buf.append("-");
buf.append(permissionClass);
}
buf.append("-");
buf.append(user.getPrincipalName());
String cacheKey = buf.toString();
List<Policy> l = (List<Policy>) policyCache.retrieve(cacheKey);
if (l == null) {
l = new ArrayList<Policy>();
List resourcePermissions = getAccessRights();
AccessRights resourcePermission = null;
AccessRight accessRight = null;
for (Iterator i = resourcePermissions.iterator(); i.hasNext();) {
resourcePermission = (AccessRights) i.next();
if (isPrincipalAllowed(user, resourcePermission, true)) {
if (permissionClass == null
|| permissionClass.equals(resourcePermission
.getAccessRightsClass())) {
for (Iterator j = resourcePermission.getAccessRights()
.iterator(); j.hasNext();) {
accessRight = (AccessRight) j
.next();
if (resourceType == null
|| resourceType
.equals(accessRight
.getResourceType())) {
// LDP - Add the policies attached to a resource
// as well
List del = getPoliciesAttachedToResource(resourcePermission, user.getRealm());
for (Iterator k = del.iterator(); k.hasNext();) {
Policy p = (Policy) k.next();
if (!l.contains(p)) {
l.add(p);
}
}
break;
}
}
}
}
}
storeToCache(cacheKey, (Serializable) l);
}
return l;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getPermittingAccessRights(com.adito.policyframework.ResourceType, com.adito.policyframework.Permission, java.lang.String, com.adito.security.User, boolean, boolean, boolean, com.adito.realms.Realm)
*/
public List<AccessRights> getPermittingAccessRights(ResourceType resourceType,
Permission permission, String permissionClass, User user) throws Exception {
String cacheKey = "permittingResourcePermissions-"
+ (resourceType == null ? "" : String.valueOf(resourceType
.getResourceTypeId()))
+ "-"
+ (permission == null ? "" : String.valueOf(permission.getId()))
+ "-" + (permissionClass == null ? "" : permissionClass) + "-"
+ user.getPrincipalName();
List<AccessRights> l = (List<AccessRights>) policyCache.retrieve(cacheKey);
if (l == null) {
l = new ArrayList<AccessRights>();
List resourcePermissions = getAccessRights();
AccessRights resourcePermission = null;
AccessRight accessRight = null;
/*
* First iterate through all of the resource permissions looking for
* what is visible at the top level.
*/
for (Iterator i = resourcePermissions.iterator(); i.hasNext();) {
resourcePermission = (AccessRights) i.next();
if (permissionClass == null
|| permissionClass.equals(resourcePermission
.getAccessRightsClass())) {
// Check the user is allowed
if (isPrincipalAllowed(
user, resourcePermission, true)) {
// Iterator through all permissions in the resource
for (Iterator j = resourcePermission
.getAccessRights().iterator(); j.hasNext();) {
accessRight = (AccessRight) j
.next();
// Until the resource type matches
if (resourceType == null
|| resourceType
.equals(accessRight
.getResourceType())) {
// Until at least one permission matches
if (permission == null
|| permission.getId() == accessRight
.getPermission()
.getId()) {
l.add(resourcePermission);
break;
}
}
}
}
}
}
// Sort and cache
Collections.sort(resourcePermissions);
storeToCache(cacheKey, (Serializable) l);
}
return l;
}
/*
* (non-Javadoc)
*
* @see com.adito.policyframework.PolicyDatabase#getResourcePermissions(com.adito.boot.policyframework.ResourceType,
* com.adito.boot.policyframework.Permission, java.lang.String,
* com.adito.security.User)
*/
public List<AccessRights> getAccessRights(ResourceType resourceType,
Permission permission, String permissionClass, User user)
throws Exception {
StringBuffer buf = new StringBuffer("permission");
if (resourceType != null) {
buf.append("-");
buf.append(resourceType.getResourceTypeId());
}
if (permission != null) {
buf.append("-");
buf.append(permission.getId());
}
if (permissionClass != null) {
buf.append("-");
buf.append(permissionClass);
}
buf.append("-");
buf.append(user.getPrincipalName());
String cacheKey = buf.toString();
List<AccessRights> n = (List<AccessRights>) policyCache.retrieve(cacheKey);
if (n == null) {
ArrayList<AccessRights> l = new ArrayList<AccessRights>();
boolean superUser = LogonControllerFactory.getInstance()
.isAdministrator(user);
List allAccessRights = getAccessRights();
AccessRights accessRights = null;
AccessRight accessRight = null;
/*
* First iterate through all of the resource permissions looking for
* what is visible at the top level.
*/
for (Iterator i = allAccessRights.iterator(); i.hasNext();) {
accessRights = (AccessRights) i.next();
if (permissionClass == null || permissionClass.equals(accessRights.getAccessRightsClass())) {
// Check the user is allowed
if (isPrincipalAllowed(user, accessRights, true)) {
// Iterator through all permissions in the resource
for (Iterator j = accessRights.getAccessRights().iterator(); j.hasNext();) {
accessRight = (AccessRight) j.next();
// Until the resource type matches
if (resourceType == null || resourceType.equals(accessRight.getResourceType())) {
// Until at least one permission matches
if (permission == null || permission.getId() == accessRight.getPermission().getId()) {
l.add(accessRights);
break;
}
}
}
}
}
}
/*
* Now iterate again, also adding resource permissions that have one
* of the top level resources permissions as parent.
*/
if (!superUser) { // Super user should already have all resource
// permissions anyway() + ")");
n = new ArrayList<AccessRights>();
for (Iterator i = allAccessRights.iterator(); i.hasNext();) {
accessRights = (AccessRights) i.next();
if (!l.contains(accessRights)) {
n.add(accessRights);
}
}
} else {
n = l;
}
// Sort and cache
Collections.sort(n);
storeToCache(cacheKey, (Serializable) n);
}
return n;
}
void deleteResourcePermissionRelationships(JDBCPreparedStatement ps, int id)
throws Exception {
try {
ps = db
.getStatement("deleteResourcePermissionRelationships.delete");
ps.setInt(1, id);
ps.execute();
} finally {
ps.releasePreparedStatement();
}
}
boolean checkPolicy(Policy policy, Resource resource, Principal principal)
throws Exception {
List principals = getPrincipalsGrantedPolicy(policy, principal.getRealm());
for (Iterator i = principals.iterator(); i.hasNext();) {
Principal p = (Principal) i.next();
if (p.equals(principal)) {
return true;
}
}
return false;
}
void storeToCache(String key, Serializable object) {
if (log.isDebugEnabled()) {
log.debug("Caching under " + key + ", ttl=" + CACHE_TTL + ", cost="
+ CACHE_COST);
}
// NOTE Temporary code to make sure policy objects are serializable, in development and testing
if ("true".equals(SystemProperties.get("adito.useDevConfig")) | "true".equals(SystemProperties.get("adito.testing"))) {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
try {
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(object);
} catch (Exception e) {
String string = "********** Failed to cache policy database object. There is probably a non-serializable object somewhere in the object graph. PLEASE FIX ME ****************";
System.err
.println(string);
e.printStackTrace();
throw new RuntimeException(string);
}
}
policyCache.store(key, object, new Long(CACHE_TTL.longValue()
+ System.currentTimeMillis()), CACHE_COST);
if (log.isDebugEnabled()) {
log.debug("NUM_RETRIEVE_REQUESTED "
+ policyCache.getStat(CacheStat.NUM_RETRIEVE_REQUESTED));
log.debug("NUM_RETRIEVE_FOUND "
+ policyCache.getStat(CacheStat.NUM_RETRIEVE_FOUND));
log.debug("NUM_RETRIEVE_NOT_FOUND "
+ policyCache.getStat(CacheStat.NUM_RETRIEVE_NOT_FOUND));
log.debug("NUM_STORE_REQUESTED "
+ policyCache.getStat(CacheStat.NUM_STORE_REQUESTED));
log.debug("NUM_STORE_STORED "
+ policyCache.getStat(CacheStat.NUM_STORE_STORED));
log.debug("NUM_STORE_NOT_STORED "
+ policyCache.getStat(CacheStat.NUM_STORE_NOT_STORED));
log.debug("CUR_CAPACITY "
+ policyCache.getStat(CacheStat.CUR_CAPACITY));
}
}
Policy buildPolicy(ResultSet rs) throws Exception {
Timestamp cd = rs.getTimestamp("date_created");
Calendar c = Calendar.getInstance();
c.setTimeInMillis(cd == null ? System.currentTimeMillis() : cd
.getTime());
Timestamp ad = rs.getTimestamp("date_amended");
Calendar a = Calendar.getInstance();
a.setTimeInMillis(ad == null ? System.currentTimeMillis() : ad
.getTime());
return new DefaultPolicy(rs.getInt("id"), rs.getString("policy_name"),
rs.getString("policy_description"),
rs.getInt("policy_type_id"), c, a, rs.getInt("realm_id"));
}
List<AccessRights> buildResourcePermission(ResultSet resultSet) throws Exception {
List<AccessRight> permissions = null;
AccessRights accessRights = null;
List<AccessRights> accessRightsList = new ArrayList<AccessRights>();
int lastId = -1;
while (resultSet.next()) {
int resourceId = resultSet.getInt("resource_id");
int realmID = resultSet.getInt("realm_id");
if (resourceId != lastId) {
permissions = new ArrayList<AccessRight>();
Calendar dateCreated = JDBCUtil.getCalendar(resultSet, "date_created");
Calendar dateAmended = JDBCUtil.getCalendar(resultSet, "date_amended");
String resourceName = resultSet.getString("resource_name");
String resourceDescription = resultSet.getString("resource_description");
String resourceClass = resultSet.getString("resource_class");
accessRights = new DefaultAccessRights(realmID, resourceId, resourceName, resourceDescription, permissions,
resourceClass, dateCreated, dateAmended);
accessRightsList.add(accessRights);
lastId = resourceId;
}
// check to see if the access right has any permissions
if (!JDBCUtil.isNull(resultSet, "resource_type_id")) {
int resourceTypeId = resultSet.getInt("resource_type_id");
ResourceType resourceType = getResourceType(resourceTypeId);
if (resourceType == null) {
log.warn("No resource type with Id of " + resourceTypeId + " for resource permission " + resourceId
+ ", ignoring");
} else {
int permissionId = resultSet.getInt("permission_id");
Permission permission = resourceType.getPermission(permissionId);
if (permission == null) {
log.warn("No permission with Id of " + permissionId + " for resource type " + resourceTypeId
+ " and resource permission " + resourceId + ", ignoring");
} else {
AccessRight accessRight = new AccessRight(resourceType, permission);
permissions.add(accessRight);
}
}
} else {
log.debug("Access Rights with name " + accessRights.getResourceName() + " has no permissions.");
}
}
return accessRightsList;
}
void updateResourcePermissionRelationships(JDBCPreparedStatement ps,
AccessRights dr) throws Exception {
deleteResourcePermissionRelationships(ps, dr.getResourceId());
for (Iterator i = dr.getAccessRights().iterator(); i.hasNext();) {
AccessRight perm = (AccessRight) i
.next();
JDBCPreparedStatement ps2 = db
.getStatement("updateResourcePermission.insertPermissions");
try {
ps2.setInt(1, dr.getResourceId());
ps2.setInt(2, perm.getResourceType().getResourceTypeId());
ps2.setInt(3, perm.getPermission().getId());
ps2.execute();
} finally {
ps2.releasePreparedStatement();
}
}
}
public int getEveryonePolicyIDForRealm(Realm realm) throws Exception {
int id = 0;
JDBCPreparedStatement ps = db.getStatement("select.everyone.policy.id");
ps.setString(1, PolicyConstants.EVERYONE_POLICY_NAME);
ps.setInt(2, realm.getResourceId());
try {
ResultSet rs = ps.executeQuery();
if (rs.next()) {
id = rs.getInt("ID");
}
} finally {
ps.releasePreparedStatement();
}
return id;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#isResourceInRealm(com.adito.policyframework.Resource, com.adito.realms.Realm)
*/
public boolean isResourceInRealm(Resource resource, Realm realm) throws Exception {
JDBCPreparedStatement ps = db.getStatement("is.resource.in.realm");
ps.setInt(1, resource.getResourceId());
ps.setInt(2, resource.getResourceType().getResourceTypeId());
ps.setInt(3, realm.getResourceId());
try {
ResultSet rs = ps.executeQuery();
if (rs.next()) {
return true;
}
} finally {
ps.releasePreparedStatement();
}
return false;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#getGrantingPolicyForUser(com.adito.security.User, com.adito.policyframework.Resource)
*/
public Policy getGrantingPolicyForUser(User user, Resource resource) throws Exception {
Policy policy = null;
if((policy = getGrantingPolicy(user, resource))==null) {
Role[] roles = user.getRoles();
for(int i=0;i<roles.length;i++) {
if((policy = getGrantingPolicy(roles[i], resource))!=null) {
break;
}
}
}
return policy;
}
/**
* Get the policy thats grants the specified principal access to the
* specified resource.
*
* @param principal principal
* @param resource resource
* @return policy that grants access or <code>null</code> if no policy grants access
* @throws Exception on any error
*/
private Policy getGrantingPolicy(Principal principal, Resource resource) throws Exception {
String cacheKey = "grantingPolicy-" + principal.getPrincipalName() + "-realmID-" + principal.getRealm().getResourceId()
+ "-" + resource.getResourceId() + "-"
+ resource.getResourceType().getResourceTypeId();
Policy val = (Policy) policyCache.retrieve(cacheKey);
if (val == null) {
List policies = getPoliciesAttachedToResource(resource, principal.getRealm());
for (Iterator i = policies.iterator(); val == null && i.hasNext();) {
Policy p = (Policy) i.next();
if (isPolicyGrantedToPrincipal(p, principal)) {
val = p;
}
if (principal instanceof User) {
Role[] r = ((User) principal).getRoles();
if (r != null) {
for (int j = 0; val == null && j < r.length; j++) {
if (r[j]!=null && isPolicyGrantedToPrincipal(p, r[j])) {
val = p;
}
}
}
}
}
storeToCache(cacheKey, val);
}
return val;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#isPolicyGrantedToUser(com.adito.policyframework.Policy, com.adito.security.User)
*/
public boolean isPolicyGrantedToUser(Policy policy, User user) throws Exception {
boolean found = false;
if(!isPolicyGrantedToPrincipal(policy, user)) {
Role[] roles = user.getRoles();
for(int i=0;i<roles.length;i++) {
if(isPolicyGrantedToPrincipal(policy, roles[i])) {
found = true;
break;
}
}
} else
found = true;
return found;
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#detachResourceFromPolicyList(com.adito.policyframework.Resource, com.adito.security.SessionInfo)
*/
public void detachResourceFromPolicyList(Resource resource, SessionInfo session) throws Exception {
List policies = getPolicies(session.getUser().getRealm());
for (Iterator i = policies.iterator(); i.hasNext();) {
Policy p = (Policy) i.next();
if(isResourceAttachedToPolicy(resource, p, session.getUser().getRealm())) {
if (log.isDebugEnabled())
log.debug("Detaching policy " + p.getResourceName() + " (" + p.getResourceId() + ") to resource "
+ resource.getResourceName() + "(id=" + resource.getResourceId() + ", type="
+ resource.getResourceType() + ")");
try {
detachResourceFromPolicy(resource, p, session.getUser().getRealm());
CoreServlet.getServlet().fireCoreEvent(new ResourceDetachedFromPolicyEvent(this, resource, p, session, CoreEvent.STATE_SUCCESSFUL));
}
catch(Exception e) {
CoreServlet.getServlet().fireCoreEvent(new ResourceDetachedFromPolicyEvent(this, resource, p, session, CoreEvent.STATE_UNSUCCESSFUL));
}
}
}
}
/* (non-Javadoc)
* @see com.adito.policyframework.PolicyDatabase#attachResourceToPolicyList(com.adito.policyframework.Resource, com.adito.boot.PropertyList, com.adito.security.SessionInfo)
*/
public void attachResourceToPolicyList(Resource resource, PropertyList selectedPolicies, SessionInfo session) throws Exception {
List l = getPoliciesAttachedToResource(resource, session.getUser().getRealm());
for (Iterator i = l.iterator(); i.hasNext();) {
Policy p = (Policy) i.next();
if(!selectedPolicies.contains(String.valueOf(p.getResourceId()))) {
if (log.isDebugEnabled())
log.debug("Detaching policy " + p.getResourceName() + " (" + p.getResourceId() + ") to resource "
+ resource.getResourceName() + "(id=" + resource.getResourceId() + ", type="
+ resource.getResourceType() + ")");
try {
detachResourceFromPolicy(resource, p, session.getUser().getRealm());
CoreServlet.getServlet().fireCoreEvent(new ResourceDetachedFromPolicyEvent(this, resource, p, session, CoreEvent.STATE_SUCCESSFUL));
}
catch(Exception e) {
CoreServlet.getServlet().fireCoreEvent(new ResourceDetachedFromPolicyEvent(this, resource, p, session, CoreEvent.STATE_UNSUCCESSFUL));
throw e;
}
}
}
int idx = 0;
for (Iterator i = selectedPolicies.iterator(); i.hasNext(); ) {
String pn = (String)i.next();
Policy p = getPolicy(Integer.parseInt(pn));
if (!l.contains(p)) {
if (log.isDebugEnabled())
log.debug("Attaching policy " + p.getResourceName() + " (" + p.getResourceId() + ") to resource "
+ resource.getResourceName() + "(id=" + resource.getResourceId() + ", type="
+ resource.getResourceType() + ")");
try {
attachResourceToPolicy(resource, p, idx++, session.getUser().getRealm());
CoreServlet.getServlet().fireCoreEvent(new ResourceAttachedToPolicyEvent(this, resource, p, session, CoreEvent.STATE_SUCCESSFUL));
}
catch(Exception e) {
CoreServlet.getServlet().fireCoreEvent(new ResourceAttachedToPolicyEvent(this, resource, p, session, CoreEvent.STATE_UNSUCCESSFUL));
throw e;
}
}
}
}
public List<AccessRights> getAccessRights(int realmID) throws Exception {
String cacheKey = "resourcePermissions-realmID=" + realmID;
List<AccessRights> val = (List<AccessRights>) policyCache.retrieve(cacheKey);
if (val == null) {
JDBCPreparedStatement ps = db
.getStatement("getResourcePermissions.realm.select");
try {
ps.setInt(1, realmID);
ResultSet rs = ps.executeQuery();
val = buildResourcePermission(rs);
} finally {
ps.releasePreparedStatement();
}
}
return val;
}
}