Back to index

nordugrid-arc-nox  1.1.0~rc6
Public Member Functions | Static Public Member Functions | Protected Attributes | Static Protected Attributes | Private Attributes
ArcSec::ArcPDP Class Reference

ArcPDP - PDP which can handle the Arc specific request and policy schema. More...

#include <ArcPDP.h>

Inheritance diagram for ArcSec::ArcPDP:
Inheritance graph
Collaboration diagram for ArcSec::ArcPDP:
Collaboration graph

List of all members.

Public Member Functions

 ArcPDP (Arc::Config *cfg)
virtual ~ArcPDP ()
virtual bool isPermitted (Arc::Message *msg) const
void SetId (std::string &id)
std::string GetId ()

Static Public Member Functions

static Arc::Pluginget_arc_pdp (Arc::PluginArgument *arg)

Protected Attributes

std::string id_

Static Protected Attributes

static Arc::Logger logger

Private Attributes

std::list< std::string > select_attrs
std::list< std::string > reject_attrs
std::list< std::string > policy_locations
Arc::XMLNodeContainer policies
std::string policy_combining_alg

Detailed Description

ArcPDP - PDP which can handle the Arc specific request and policy schema.

Definition at line 14 of file ArcPDP.h.

Constructor & Destructor Documentation

Definition at line 67 of file ArcPDP.cpp.

                         :PDP(cfg) /*, eval(NULL)*/ {
  XMLNode pdp_node(*cfg);

  XMLNode filter = (*cfg)["Filter"];
  if((bool)filter) {
    XMLNode select_attr = filter["Select"];
    XMLNode reject_attr = filter["Reject"];
    for(;(bool)select_attr;++select_attr) select_attrs.push_back((std::string)select_attr);
    for(;(bool)reject_attr;++reject_attr) reject_attrs.push_back((std::string)reject_attr);
  XMLNode policy_store = (*cfg)["PolicyStore"];
  XMLNode policy_location = policy_store["Location"];
  for(;(bool)policy_location;++policy_location) policy_locations.push_back((std::string)policy_location);
  XMLNode policy = (*cfg)["Policy"];
  for(;(bool)policy;++policy) policies.AddNew(policy);
  policy_combining_alg = (std::string)((*cfg)["PolicyCombiningAlg"]);

Here is the call graph for this function:

ArcSec::ArcPDP::~ArcPDP ( ) [virtual]

Definition at line 252 of file ArcPDP.cpp.

  //  delete eval;
  //eval = NULL;

Member Function Documentation

Definition at line 36 of file ArcPDP.cpp.

    ArcSec::PDPPluginArgument* pdparg =
    if(!pdparg) return NULL;
    return new ArcPDP((Arc::Config*)(*pdparg));
std::string ArcSec::PDP::GetId ( ) [inline, inherited]

Definition at line 88 of file PDP.h.

{ return id_; };
bool ArcSec::ArcPDP::isPermitted ( Arc::Message msg) const [virtual]

Implements ArcSec::PDP.

Definition at line 85 of file ArcPDP.cpp.

  //Compose Request based on the information inside message, the Request will be like below:
  <Request xmlns="">
          <Attribute AttributeId="123" Type="string"></Attribute>
          <Attribute AttributeId="xyz" Type="string">/O=NorduGrid/OU=UIO/CN=test</Attribute>
        <Action AttributeId="ijk" Type="string">GET</Action>
  Evaluator* eval = NULL;

  std::string ctxid = "arcsec.arcpdp";
  try {
    Arc::MessageContextElement* mctx = (*(msg->Context()))[ctxid];
    if(mctx) {
      ArcPDPContext* pdpctx = dynamic_cast<ArcPDPContext*>(mctx);
      if(pdpctx) {
      else { logger.msg(INFO, "Can not find ArcPDPContext"); }
  } catch(std::exception& e) { };
  if(!eval) {
    ArcPDPContext* pdpctx = new ArcPDPContext();
    if(pdpctx) {
      if(eval) {
        //for(Arc::AttributeIterator it = (msg->Attributes())->getAll("PDP:POLICYLOCATION"); it.hasMore(); it++) {
        //  eval->addPolicy(SourceFile(*it));
        for(std::list<std::string>::const_iterator it = policy_locations.begin(); it!= policy_locations.end(); it++) {
        for(int n = 0;n<policies.Size();++n) {
        if(!policy_combining_alg.empty()) {
          if(policy_combining_alg == "EvaluatorFailsOnDeny") {
          } else if(policy_combining_alg == "EvaluatorStopsOnDeny") {
          } else if(policy_combining_alg == "EvaluatorStopsOnPermit") {
          } else if(policy_combining_alg == "EvaluatorStopsNever") {
          } else {
            AlgFactory* factory = eval->getAlgFactory();
            if(!factory) {
              logger.msg(WARNING, "Evaluator does not support loadable Combining Algorithms");
            } else {
              CombiningAlg* algorithm = factory->createAlg(policy_combining_alg);
              if(!algorithm) {
                logger.msg(ERROR, "Evaluator does not support specified Combining Algorithm - %s",policy_combining_alg);
              } else {
        msg->Context()->Add(ctxid, pdpctx);
      } else {
        delete pdpctx;
    if(!eval) logger.msg(ERROR, "Can not dynamically produce Evaluator");
  if(!eval) {
    logger.msg(ERROR,"Evaluator for ArcPDP was not loaded"); 
    return false;

  MessageAuth* mauth = msg->Auth()->Filter(select_attrs,reject_attrs);
  MessageAuth* cauth = msg->AuthContext()->Filter(select_attrs,reject_attrs);
  if((!mauth) && (!cauth)) {
    logger.msg(ERROR,"Missing security object in message");
    return false;
  NS ns;
  XMLNode requestxml(ns,"");
  if(mauth) {
    if(!mauth->Export(SecAttr::ARCAuth,requestxml)) {
      delete mauth;
      logger.msg(ERROR,"Failed to convert security information to ARC request");
      return false;
    delete mauth;
  if(cauth) {
    if(!cauth->Export(SecAttr::ARCAuth,requestxml)) {
      delete mauth;
      logger.msg(ERROR,"Failed to convert security information to ARC request");
      return false;
    delete cauth;
    std::string s;
    logger.msg(DEBUG,"ARC Auth. request: %s",s);
    std::cout<<"ARC Auth. request "<<s<<std::endl;
  if(requestxml.Size() <= 0) {
    logger.msg(ERROR,"No requested security information was collected");
    return false;

  //Call the evaluation functionality inside Evaluator
  Response *resp = eval->evaluate(requestxml);
  if(!resp) {
    logger.msg(ERROR, "Not authorized from arc.pdp - failed to get reponse from Evaluator");
    return false;
  ResponseList rlist = resp->getResponseItems();
  int size = rlist.size();

  //  The current ArcPDP is supposed to be used as policy decision point for Arc1 HED components, and
  // those services which are based on HED.
  //  Each message/session comes with one unique <Subject/> (with a number of <Attribute/>s),
  // and different <Resource/> and <Action/> elements (possibly plus <Context/>).
  //  The results from all tuples are combined using following decision algorithm: 
  // 1. If any of tuples made of <Subject/>, <Resource/>, <Action/> and <Context/> gets "DENY"
  //    then final result is negative (false).
  // 2. Otherwise if any of tuples gets "PERMIT" then final result is positive (true).
  // 3. Otherwise result is negative (false).

  bool atleast_onedeny = false;
  bool atleast_onepermit = false;

  for(int i = 0; i < size; i++) {
    ResponseItem* item = rlist[i];
    RequestTuple* tp = item->reqtp;

    if(item->res == DECISION_DENY)
      atleast_onedeny = true;
    if(item->res == DECISION_PERMIT)
      atleast_onepermit = true;

    Subject::iterator it;
    Subject subject = tp->sub;
    for (it = subject.begin(); it!= subject.end(); it++){
      AttributeValue *attrval;
      RequestAttribute *attr;
      attr = dynamic_cast<RequestAttribute*>(*it);
        attrval = (*it)->getAttributeValue();
        if(attrval) logger.msg(INFO, "%s", attrval->encode());
  bool result = false;
  if(atleast_onedeny) result = false;
  else if(atleast_onepermit) result = true;
  else result = false;

  if(result) logger.msg(INFO, "Authorized by arc.pdp");
  else logger.msg(INFO, "Not authorized by arc.pdp - some of the RequestItem elements do not satisfy Policy");
  if(resp) delete resp;
  return result;

Here is the call graph for this function:

void ArcSec::PDP::SetId ( std::string &  id) [inline, inherited]

Definition at line 87 of file PDP.h.

{ id_ = id; };

Member Data Documentation

std::string ArcSec::PDP::id_ [protected, inherited]

Definition at line 88 of file PDP.h.

Arc::Logger ArcSec::ArcPDP::logger [static, protected]

Reimplemented from ArcSec::PDP.

Definition at line 31 of file ArcPDP.h.

Definition at line 28 of file ArcPDP.h.

std::string ArcSec::ArcPDP::policy_combining_alg [private]

Definition at line 29 of file ArcPDP.h.

std::list<std::string> ArcSec::ArcPDP::policy_locations [private]

Definition at line 27 of file ArcPDP.h.

std::list<std::string> ArcSec::ArcPDP::reject_attrs [private]

Definition at line 26 of file ArcPDP.h.

std::list<std::string> ArcSec::ArcPDP::select_attrs [private]

Definition at line 25 of file ArcPDP.h.

The documentation for this class was generated from the following files: