
nordugrid-arc-nox  1.1.0~rc6
ArcSec::ArcRule Class Reference

ArcRule class to parse Arc specific <Rule> node. More...

#include <ArcRule.h>



Public Member Functions

 ArcRule (const Arc::XMLNode node, EvaluatorContext *ctx)
virtual std::string getEffect () const
 Get the "Effect" attribute.
virtual Result eval (EvaluationCtx *ctx)
 Evaluate the policy. For the <Rule> of Arc, only get the "Effect" from the rule; for the <Policy> of Arc, combine the evaluation results from its <Rule> elements; for the <Rule> of XACML, evaluate the <Condition> node using information from the request and use the "Effect" attribute of the <Rule>; for the <Policy> of XACML, combine the evaluation results from its <Rule> elements.
virtual MatchResult match (EvaluationCtx *ctx)
 Evaluate whether the two targets to be evaluated match to each other.
virtual ~ArcRule ()
virtual operator bool (void) const
 Returns true if the object is valid.
virtual EvalResult getEvalResult ()
 Get evaluation result.
virtual void setEvalResult (EvalResult &res)
 Set evaluation result.
const char * getEvalName () const
 Get the name of Evaluator which can evaluate this policy.
const char * getName () const
 Get the name of this policy.
virtual void addPolicy (Policy *pl)
 Add a policy element into "this" object.
virtual void setEvaluatorContext (EvaluatorContext *)
 Set Evaluator Context for the usage in creating low-level policy object.
virtual void make_policy ()
 Parse XMLNode, and construct the low-level Rule object.

Protected Attributes

std::list< Policy * > subelements

Static Protected Attributes

static Arc::Logger logger

Private Member Functions

void getItemlist (Arc::XMLNode &nd, OrList &items, const std::string &itemtype, const std::string &type_attr, const std::string &function_attr)
 Parse the <Subjects>, <Resources>, <Actions> and <Conditions> inside one <Rule>. These can also refer to another source by using <GroupIdRef>: its "Location" attribute is the location of the referred file, and its value (e.g. "subgrpexample") is the index used for searching in the referred file.

Private Attributes

std::string effect
std::string id
std::string version
std::string description
OrList subjects
OrList resources
OrList actions
OrList conditions
AttributeFactory * attrfactory
FnFactory * fnfactory
EvalResult evalres
Arc::XMLNode rulenode
Id_MatchResult sub_idmatched
Id_MatchResult res_idmatched
Id_MatchResult act_idmatched
Id_MatchResult ctx_idmatched

Detailed Description

ArcRule class to parse Arc specific <Rule> node.

Definition at line 68 of file ArcRule.h.


Constructor & Destructor Documentation

ArcRule::ArcRule ( const Arc::XMLNode node, EvaluatorContext * ctx )

Definition at line 135 of file ArcRule.cpp.

ArcRule::ArcRule(const Arc::XMLNode node, EvaluatorContext* ctx) : Policy(node) {
  // Keep the <Rule> node and start with a "Not_applicable" result; the
  // factories for attribute values and matching functions come from the context.
  rulenode = node;
  evalres.node = rulenode;
  evalres.effect = "Not_applicable";

  attrfactory = (AttributeFactory*)(*ctx);
  fnfactory = (FnFactory*)(*ctx);
  
  XMLNode nd, tnd;

  id = (std::string)(rulenode.Attribute("RuleId"));
  description = (std::string)(rulenode["Description"]);
  // Only the exact spellings "Permit" and "Deny" are accepted; any other value
  // leaves `effect` empty, and eval() then reports the rule as not applicable.
  if((std::string)(rulenode.Attribute("Effect"))=="Permit")
    effect="Permit";
  else if((std::string)(rulenode.Attribute("Effect"))=="Deny")
    effect="Deny";
  //else
    //std::cerr<< "Invalid Effect" <<std::endl;
    //logger.msg(Arc::ERROR, "Invalid Effect");

  std::string type,funcname;
  //Parse the "Subjects" part of a Rule
  nd = rulenode["Subjects"];
  type = (std::string)(nd.Attribute("Type"));
  funcname = (std::string)(nd.Attribute("Function"));
  if(type.empty()) type=DEFAULT_ATTRIBUTE_TYPE;
  getItemlist(nd, subjects, "Subject", type, funcname);  

  //Parse the "Resources" part of a Rule. The "Resources" does not include "Sub" item, 
  //so it is not such complicated, but we can handle it the same as "Subjects" 
  nd = rulenode["Resources"];
  type = (std::string)(nd.Attribute("Type"));
  funcname = (std::string)(nd.Attribute("Function"));
  if(type.empty()) type=DEFAULT_ATTRIBUTE_TYPE;
  getItemlist(nd, resources, "Resource", type, funcname);

  //Parse the "Actions" part of a Rule
  nd = rulenode["Actions"];
  type = (std::string)(nd.Attribute("Type"));
  funcname = (std::string)(nd.Attribute("Function"));
  if(type.empty()) type=DEFAULT_ATTRIBUTE_TYPE;
  getItemlist(nd, actions, "Action", type, funcname);

  //Parse the "Condition" part of a Rule
  nd = rulenode["Conditions"];
  type = (std::string)(nd.Attribute("Type"));
  funcname = (std::string)(nd.Attribute("Function"));
  if(type.empty()) type=DEFAULT_ATTRIBUTE_TYPE;
  getItemlist(nd, conditions, "Condition", type, funcname);

  //Set the initial value for id matching 
  sub_idmatched = ID_NO_MATCH;
  res_idmatched = ID_NO_MATCH;
  act_idmatched = ID_NO_MATCH;
  ctx_idmatched = ID_NO_MATCH;
 
}


ArcRule::~ArcRule ( ) [virtual]

Definition at line 346 of file ArcRule.cpp.

ArcRule::~ArcRule() {
  // Each OrList holds AndLists of Match pairs; only match.first (the attribute
  // value) is deleted here, match.second (the function object) is not.
  while(!(subjects.empty())){
    AndList list = subjects.back();
    while(!(list.empty())){
      Match match = list.back();
      if(match.first){
        delete match.first;
      }
      list.pop_back();
    }
    subjects.pop_back();
  }

  while(!(resources.empty())){
    AndList list = resources.back();
    while(!(list.empty())){
      Match match = list.back();
      if(match.first)
        delete match.first;
      list.pop_back();
    }
    resources.pop_back();
  }

  while(!(actions.empty())){
    AndList list = actions.back();
    while(!(list.empty())){
      Match match = list.back();
      if(match.first)
        delete match.first;
      list.pop_back();
    }
    actions.pop_back();
  }

  while(!(conditions.empty())){
    AndList list = conditions.back();
    while(!(list.empty())){
      Match match = list.back();
      if(match.first)
        delete match.first;
      list.pop_back();
    }
    conditions.pop_back();
  }
}



Member Function Documentation

virtual void ArcSec::Policy::addPolicy ( Policy * pl ) [inline, virtual, inherited]

Add a policy element into "this" object.

Definition at line 64 of file Policy.h.

{subelements.push_back(pl);};

Result ArcRule::eval ( EvaluationCtx * ctx ) [virtual]

Evaluate the policy. For the <Rule> of Arc, only get the "Effect" from the rule; for the <Policy> of Arc, combine the evaluation results from its <Rule> elements; for the <Rule> of XACML, evaluate the <Condition> node using information from the request and use the "Effect" attribute of the <Rule>; for the <Policy> of XACML, combine the evaluation results from its <Rule> elements.

Implements ArcSec::Policy.

Definition at line 295 of file ArcRule.cpp.

Result ArcRule::eval(EvaluationCtx* ctx) {
  Result result = DECISION_NOT_APPLICABLE;
  MatchResult match_res = match(ctx);

  // Only a full match produces Permit or Deny, and only if `effect` was set
  // by the constructor; an unset effect falls through to NOT_APPLICABLE.
  if(match_res == MATCH) {
    if(effect == "Permit") {
      result = DECISION_PERMIT;
      evalres.effect = "Permit";
    }
    else if(effect == "Deny") {
      result = DECISION_DENY;
      evalres.effect = "Deny";
    }
    return result;
  }
  else if(match_res == INDETERMINATE) {
    if(effect == "Permit") evalres.effect = "Permit";
    else if(effect == "Deny") evalres.effect = "Deny";
    return DECISION_INDETERMINATE;
  }
  else if(match_res == NO_MATCH){
    if(effect == "Permit") evalres.effect = "Permit";
    else if(effect == "Deny") evalres.effect = "Deny";
    return DECISION_NOT_APPLICABLE;
  }
  // Not reached for the three MatchResult values above; keeps the function
  // from running off its end without a return value.
  return result;
}


std::string ArcRule::getEffect ( ) const [virtual]

Get the "Effect" attribute.

Implements ArcSec::Policy.

Definition at line 322 of file ArcRule.cpp.

std::string ArcRule::getEffect() const {
  return effect;
}
const char * ArcRule::getEvalName ( ) const [virtual]

Get the name of Evaluator which can evaluate this policy.

Implements ArcSec::Policy.

Definition at line 338 of file ArcRule.cpp.

const char* ArcRule::getEvalName() const {
  return "arc.evaluator";
}

EvalResult ArcRule::getEvalResult ( ) [virtual]

Get evaluation result.

Implements ArcSec::Policy.

Definition at line 326 of file ArcRule.cpp.

EvalResult ArcRule::getEvalResult() {
  return evalres;
}
void ArcRule::getItemlist ( Arc::XMLNode & nd, OrList & items, const std::string & itemtype, const std::string & type_attr, const std::string & function_attr ) [private]

Parse the <Subjects>, <Resources>, <Actions> and <Conditions> inside one <Rule>. These can also refer to another source by using <GroupIdRef>: its "Location" attribute is the location of the referred file, and its value (e.g. "subgrpexample") is the index used for searching in the referred file.

Definition at line 26 of file ArcRule.cpp.

void ArcRule::getItemlist(Arc::XMLNode& nd, OrList& items, const std::string& itemtype,
                          const std::string& type_attr, const std::string& function_attr) {
  XMLNode tnd;
  // Note: the outer loop runs once per child of `nd`, but the inner loops
  // always walk every <itemtype> and <GroupIdRef> child, so the items below
  // are appended nd.Size() times.
  for(int i=0; i<nd.Size(); i++){
    for(int j=0;;j++){
      std::string type = type_attr;
      std::string funcname = function_attr;

      tnd = nd[itemtype][j];
      if(!tnd) break;
      if(!((std::string)(tnd.Attribute("Type"))).empty())
        type = (std::string)(tnd.Attribute("Type"));
      if(!((std::string)(tnd.Attribute("Function"))).empty())
        funcname = (std::string)(tnd.Attribute("Function"));

      if(!(type.empty())&&(tnd.Size()==0)){
        AndList item;
        std::string function;
        if(funcname.empty()) function = EqualFunction::getFunctionName(type);
        else if(funcname == "Match" || funcname == "match" || funcname == "MATCH")
          function = MatchFunction::getFunctionName(type);
        else if(funcname == "InRange" || funcname == "inrange" || funcname == "INRANGE" || funcname == "Inrange")
          function = InRangeFunction::getFunctionName(type);
        else std::cout<<"Function Name is wrong"<<std::endl;
        item.push_back(Match(attrfactory->createValue(tnd, type), fnfactory->createFn(function)));
        items.push_back(item);
      }
      else if((type.empty())&&(tnd.Size()>0)){
        AndList item;
        int size = tnd.Size();
        for(int k=0; k<size; k++){
          XMLNode snd = tnd.Child(k);
          type = (std::string)(snd.Attribute("Type"));
          // The priority of function definition: Subelement.Attribute("Function")
          // > Element.Attribute("Function") > Subelement.Attribute("Type") + "equal"
          if(!((std::string)(snd.Attribute("Function"))).empty())
            funcname = (std::string)(snd.Attribute("Function"));
          std::string function;
          if(funcname.empty()) function = EqualFunction::getFunctionName(type);
          else if(funcname == "Match" || funcname == "match" || funcname == "MATCH")
            function = MatchFunction::getFunctionName(type);
          else if(funcname == "InRange" || funcname == "inrange" || funcname == "INRANGE" || funcname == "Inrange")
            function = InRangeFunction::getFunctionName(type);
          else std::cout<<"Function Name is wrong"<<std::endl;
          item.push_back(Match(attrfactory->createValue(snd, type), fnfactory->createFn(function)));
        }
        items.push_back(item);
      }
      else if(!(type.empty())&&(tnd.Size()>0)){
        AndList item;
        int size = tnd.Size();
        for(int k=0; k<size; k++){
          XMLNode snd = tnd.Child(k);
          if(!((std::string)(snd.Attribute("Function"))).empty())
            funcname = (std::string)(snd.Attribute("Function"));
          std::string function;
          if(funcname.empty()) function = EqualFunction::getFunctionName(type);
          else if(funcname == "Match" || funcname == "match" || funcname == "MATCH")
            function = MatchFunction::getFunctionName(type);
          else if(funcname == "InRange" || funcname == "inrange" || funcname == "INRANGE" || funcname == "Inrange")
            function = InRangeFunction::getFunctionName(type);
          else std::cout<<"Function Name is wrong"<<std::endl;
          item.push_back(Match(attrfactory->createValue(snd, type), fnfactory->createFn(function)));
        }
        items.push_back(item);
      }
      else{
        //std::cerr <<"Error definition in policy"<<std::endl;
        //logger.msg(Arc::ERROR, "Error definition in policy"); 
        return;
      }
    }

    for(int l=0;;l++){
      tnd = nd["GroupIdRef"][l];
      if(!tnd) break;
      std::string location = (std::string)(tnd.Attribute("Location"));

      // Open the reference file and parse it to get external item information.
      // The path is taken as-is from the policy document, and the recursive
      // call further down has no depth limit.
      std::string xml_str = "";
      std::string str;
      std::ifstream f(location.c_str());
      while (f >> str) {
        xml_str.append(str);
        xml_str.append(" ");
      }
      f.close();

      XMLNode root(xml_str);
      XMLNode subref = root.Child();

      XMLNode snd;
      std::string itemgrouptype = itemtype + "Group";

      for(int k=0;;k++){
        snd = subref[itemgrouptype][k];
        if(!snd) break;

        //If the reference ID in the policy file matches the ID in the external file, 
        //try to get the subject information from the external file
        if((std::string)(snd.Attribute("GroupId")) == (std::string)tnd){
          getItemlist(snd, items, itemtype, type_attr, function_attr);
        }
      }
    }
  }
  return;
}
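The three shapes getItemlist() accepts (a typed leaf item, an untyped item whose children carry their own Type, a typed item whose children inherit it) and its precedence for the function name are easier to see without the XML plumbing. The following is an added example, not ARC code: Arc::XMLNode is replaced by a small in-memory Node tree, AttributeValue and Function objects are reduced to their names, external group files are a map from Location to a parsed root, the child element name "SubFraction" is assumed, and each section is scanned once rather than once per child as in the original. Because the original follows a <GroupIdRef> by reading whatever file the policy names and recursing without a limit, the example also keeps a visited set so that a group chain leading back to itself is rejected rather than expanded forever.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// In-memory stand-in for Arc::XMLNode (an assumption of this example):
// element name, attributes, child elements and text content.
struct Node {
    std::string name;
    std::map<std::string, std::string> attrs;
    std::vector<Node> children;
    std::string text;
    std::string attr(const std::string& k) const {
        std::map<std::string, std::string>::const_iterator it = attrs.find(k);
        return it == attrs.end() ? std::string() : it->second;
    }
};

// One matcher, reduced to the attribute type and the selected function name;
// the original stores objects created by attrfactory and fnfactory instead.
struct Matcher { std::string type; std::string function; };
typedef std::vector<Matcher> AndList;   // every matcher must match
typedef std::vector<AndList> OrList;    // any AndList may match

// Same spellings as getItemlist(): empty -> equal, Match/match/MATCH,
// InRange/inrange/INRANGE/Inrange. Anything else is rejected here instead of
// being printed to std::cout and passed on as an empty function name.
bool resolveFunction(const std::string& funcname, const std::string& type, std::string& out) {
    if (funcname.empty()) { out = type + ":equal"; return true; }
    if (funcname == "Match" || funcname == "match" || funcname == "MATCH") { out = type + ":match"; return true; }
    if (funcname == "InRange" || funcname == "inrange" || funcname == "INRANGE" || funcname == "Inrange") {
        out = type + ":inrange"; return true;
    }
    return false;
}

typedef std::map<std::string, Node> GroupFiles;  // Location -> parsed root element (constructed)

// Builds the OrList for one section with getItemlist()'s accepted shapes and precedence
// (child Function > element Function > section default; a child's Type is used only when
// the element has none). The visited set is this example's guard against reference loops.
bool buildItems(const Node& section, const std::string& itemtype, const std::string& type_attr,
                const std::string& function_attr, const GroupFiles& files, OrList& items,
                std::set<std::string>& visited) {
    for (const Node& tnd : section.children) {
        if (tnd.name != itemtype) continue;
        std::string type = tnd.attr("Type").empty() ? type_attr : tnd.attr("Type");
        std::string funcname = tnd.attr("Function").empty() ? function_attr : tnd.attr("Function");
        AndList item;
        if (tnd.children.empty()) {
            if (type.empty()) return false;  // leaf without any Type: policy error
            std::string fn;
            if (!resolveFunction(funcname, type, fn)) return false;
            item.push_back(Matcher{type, fn});
        } else {
            for (const Node& snd : tnd.children) {
                std::string sub_type = type.empty() ? snd.attr("Type") : type;
                // As in the original, a child's Function also applies to its later siblings.
                if (!snd.attr("Function").empty()) funcname = snd.attr("Function");
                std::string fn;
                if (!resolveFunction(funcname, sub_type, fn)) return false;
                item.push_back(Matcher{sub_type, fn});
            }
        }
        items.push_back(item);
    }
    // <GroupIdRef Location="...">groupid</GroupIdRef>: merge matching groups from that file.
    for (const Node& ref : section.children) {
        if (ref.name != "GroupIdRef") continue;
        if (!visited.insert(ref.attr("Location") + "#" + ref.text).second) return false;  // loop/duplicate
        GroupFiles::const_iterator f = files.find(ref.attr("Location"));
        if (f == files.end()) return false;  // reference file missing or unreadable
        for (const Node& grp : f->second.children) {
            if (grp.name == itemtype + "Group" && grp.attr("GroupId") == ref.text &&
                !buildItems(grp, itemtype, type_attr, function_attr, files, items, visited)) return false;
        }
    }
    return true;
}

// Constructed sample data (not from the page): one clean group and one that refers to itself.
GroupFiles sampleFiles() {
    GroupFiles files;
    files["groups.xml"] = Node{"Groups", {}, {
        Node{"SubjectGroup", {{"GroupId", "admins"}}, {Node{"Subject", {{"Type", "string"}}, {}, "/O=Grid/CN=root"}}, ""},
        Node{"SubjectGroup", {{"GroupId", "loop"}}, {Node{"GroupIdRef", {{"Location", "groups.xml"}}, {}, "loop"}}, ""}}, ""};
    return files;
}
Node sampleSubjects() {  // <Subjects Type="string"> with a plain item, a two-part item and a reference
    Node plain{"Subject", {{"Type", "string"}}, {}, "/O=Grid/CN=alice"};
    Node multi{"Subject", {}, {Node{"SubFraction", {{"Type", "string"}, {"Function", "Match"}}, {}, "/O=Grid/*"},
                               Node{"SubFraction", {{"Type", "string"}}, {}, "voms-role"}}, ""};
    Node ref{"GroupIdRef", {{"Location", "groups.xml"}}, {}, "admins"};
    return Node{"Subjects", {{"Type", "string"}}, {plain, multi, ref}, ""};
}
OrList buildSampleItems() {  // three AndLists: plain, multi, and the imported root entry
    OrList items; std::set<std::string> seen;
    if (!buildItems(sampleSubjects(), "Subject", "string", "", sampleFiles(), items, seen)) items.clear();
    return items;
}
bool loopingSampleRejected() {  // a section whose only reference expands to itself
    Node section{"Subjects", {}, {Node{"GroupIdRef", {{"Location", "groups.xml"}}, {}, "loop"}}, ""};
    OrList items; std::set<std::string> seen;
    return !buildItems(section, "Subject", "string", "", sampleFiles(), items, seen);
}

int main() {
    for (const AndList& a : buildSampleItems()) {
        for (const Matcher& m : a) std::cout << "[" << m.type << " " << m.function << "] ";
        std::cout << "\n";
    }
    std::cout << (loopingSampleRejected() ? "self-referencing group rejected" : "loop not caught") << "\n";
    return 0;
}
```

The second part of the sample shows the sticky Function behaviour that the original has: the first child's Function="Match" is also applied to the second child, which names no function of its own, so both entries in that AndList come out as string:match rather than the second defaulting to string:equal.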


const char * ArcRule::getName ( ) const [virtual]

Get the name of this policy.

Implements ArcSec::Policy.

Definition at line 342 of file ArcRule.cpp.

const char* ArcRule::getName() const {
  return "arc.rule";
}
virtual void ArcSec::Policy::make_policy ( ) [inline, virtual, inherited]

Parse XMLNode, and construct the low-level Rule object.

Reimplemented in ArcSec::XACMLPolicy, and ArcSec::ArcPolicy.

Definition at line 70 of file Policy.h.

{};


MatchResult ArcRule::match ( EvaluationCtx * eval_ctx ) [virtual]

Evaluate whether the two targets to be evaluated match each other.

Implements ArcSec::Policy.

Definition at line 260 of file ArcRule.cpp.

MatchResult ArcRule::match(EvaluationCtx* eval_ctx) {
  // dynamic_cast yields a null pointer for a context of another type;
  // the result is dereferenced on the next line without a check.
  ArcEvaluationCtx* ctx = dynamic_cast<ArcEvaluationCtx*>(eval_ctx);
  ArcRequestTuple* evaltuple = dynamic_cast<ArcRequestTuple*>(ctx->getEvalTuple());

  //Reset the value for id matching, since the Rule object could be 
  //used a number of times for match-making
  sub_idmatched = ID_NO_MATCH;
  res_idmatched = ID_NO_MATCH;
  act_idmatched = ID_NO_MATCH;
  ctx_idmatched = ID_NO_MATCH;

  MatchResult sub_matched, res_matched, act_matched, ctx_matched;
  sub_matched = itemMatch(subjects, evaltuple->sub, sub_idmatched);
  res_matched = itemMatch(resources, evaltuple->res, res_idmatched);
  act_matched = itemMatch(actions, evaltuple->act, act_idmatched);
  ctx_matched = itemMatch(conditions, evaltuple->ctx, ctx_idmatched);

  if(
      ( subjects.empty() || sub_matched==MATCH) &&
      ( resources.empty() || res_matched==MATCH) &&
      ( actions.empty() || act_matched==MATCH) &&
      ( conditions.empty() || ctx_matched==MATCH)
    )
    return MATCH;

  else if ( ( !(subjects.empty()) && sub_matched==INDETERMINATE ) || 
            ( !(resources.empty()) &&res_matched==INDETERMINATE ) || 
            ( !(actions.empty()) && act_matched==INDETERMINATE ) || 
            ( !(conditions.empty()) && ctx_matched==INDETERMINATE)
          )
    return INDETERMINATE;

  else return NO_MATCH;
}
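The decision logic of match() and eval() combined, as an added example that is not ARC code: each section of the rule is reduced to what match() inspects (whether it is empty and what itemMatch() reported for it, since itemMatch() itself is not on this page and its verdicts are supplied here as constructed input), and the enum values are named as on the page with assumed numeric values. Two properties of the original fall straight out of the code and are worth seeing on input: an empty section never blocks a match, so a rule that omits <Subjects> applies to every subject, and an Effect that is not spelled exactly "Permit" or "Deny" makes the rule not applicable even when everything matches.

```cpp
#include <iostream>
#include <string>

// Decision values named as on this page; the numeric values are assumptions.
enum MatchResult { MATCH, NO_MATCH, INDETERMINATE };
enum Result { DECISION_PERMIT, DECISION_DENY, DECISION_INDETERMINATE, DECISION_NOT_APPLICABLE };

// One rule section (<Subjects>, <Resources>, <Actions> or <Conditions>) reduced to
// what ArcRule::match() looks at: whether it is empty and what itemMatch() reported.
struct Section { bool empty; MatchResult matched; };

struct RuleModel {
    std::string effect;  // "Permit" or "Deny"; the constructor leaves anything else empty
    Section subjects, resources, actions, conditions;
};

// Same combination as ArcRule::match(): all sections empty-or-MATCH gives MATCH,
// otherwise any non-empty INDETERMINATE section gives INDETERMINATE, else NO_MATCH.
MatchResult combineMatch(const RuleModel& r) {
    const Section* s[4] = { &r.subjects, &r.resources, &r.actions, &r.conditions };
    bool all_match = true, any_indeterminate = false;
    for (const Section* sec : s) {
        if (!(sec->empty || sec->matched == MATCH)) all_match = false;
        if (!sec->empty && sec->matched == INDETERMINATE) any_indeterminate = true;
    }
    if (all_match) return MATCH;
    if (any_indeterminate) return INDETERMINATE;
    return NO_MATCH;
}

// Same mapping as ArcRule::eval(): only a full MATCH turns into Permit or Deny,
// and only when the stored effect is exactly "Permit" or "Deny".
Result evalRule(const RuleModel& r) {
    MatchResult m = combineMatch(r);
    if (m == MATCH) {
        if (r.effect == "Permit") return DECISION_PERMIT;
        if (r.effect == "Deny") return DECISION_DENY;
        return DECISION_NOT_APPLICABLE;  // Effect missing or misspelled in the policy file
    }
    if (m == INDETERMINATE) return DECISION_INDETERMINATE;
    return DECISION_NOT_APPLICABLE;
}

// Constructed scenarios (not from the page).
Result permitRuleWithNoSections() {
    RuleModel r = { "Permit", {true, NO_MATCH}, {true, NO_MATCH}, {true, NO_MATCH}, {true, NO_MATCH} };
    return evalRule(r);
}
Result denyRuleForAnotherSubject() {
    RuleModel r = { "Deny", {false, NO_MATCH}, {false, MATCH}, {false, MATCH}, {true, NO_MATCH} };
    return evalRule(r);
}
Result denyRuleWithUnresolvedSubject() {
    RuleModel r = { "Deny", {false, INDETERMINATE}, {false, MATCH}, {false, MATCH}, {true, NO_MATCH} };
    return evalRule(r);
}
Result misspelledEffectRule() {
    // The constructor would have stored "" for Effect="permit"; the outcome is the same.
    RuleModel r = { "permit", {false, MATCH}, {false, MATCH}, {false, MATCH}, {true, NO_MATCH} };
    return evalRule(r);
}

static const char* decisionName(Result d) {
    switch (d) {
        case DECISION_PERMIT: return "Permit";
        case DECISION_DENY: return "Deny";
        case DECISION_INDETERMINATE: return "Indeterminate";
        default: return "NotApplicable";
    }
}

int main() {
    std::cout << "Permit rule, no sections:             " << decisionName(permitRuleWithNoSections()) << "\n";
    std::cout << "Deny rule, subject does not match:    " << decisionName(denyRuleForAnotherSubject()) << "\n";
    std::cout << "Deny rule, subject indeterminate:     " << decisionName(denyRuleWithUnresolvedSubject()) << "\n";
    std::cout << "Effect=\"permit\", everything matches: " << decisionName(misspelledEffectRule()) << "\n";
    return 0;
}
```

A policy review should therefore treat an empty section as "matches everything", not as "matches nothing", and a Deny rule whose Effect is mis-cased simply stops denying.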


ArcRule::operator bool ( void  ) const [virtual]

Returns true if the object is valid.

Implements ArcSec::Policy.

Definition at line 334 of file ArcRule.cpp.

ArcRule::operator bool(void) const {
  return true;
}
void ArcRule::setEvalResult ( EvalResult & res ) [virtual]

Set evaluation result.

Implements ArcSec::Policy.

Definition at line 330 of file ArcRule.cpp.

void ArcRule::setEvalResult(EvalResult& res) {
  evalres = res;
}
virtual void ArcSec::Policy::setEvaluatorContext ( EvaluatorContext * ) [inline, virtual, inherited]

Set Evaluator Context for the usage in creating low-level policy object.

Reimplemented in ArcSec::XACMLPolicy, and ArcSec::ArcPolicy.

Definition at line 67 of file Policy.h.

{};



Member Data Documentation

Id_MatchResult ArcSec::ArcRule::act_idmatched [private]

Definition at line 117 of file ArcRule.h.

OrList ArcSec::ArcRule::actions [private]

Definition at line 106 of file ArcRule.h.

AttributeFactory * ArcSec::ArcRule::attrfactory [private]

Definition at line 109 of file ArcRule.h.

OrList ArcSec::ArcRule::conditions [private]

Definition at line 107 of file ArcRule.h.

Id_MatchResult ArcSec::ArcRule::ctx_idmatched [private]

Definition at line 118 of file ArcRule.h.

std::string ArcSec::ArcRule::description [private]

Definition at line 102 of file ArcRule.h.

std::string ArcSec::ArcRule::effect [private]

Definition at line 99 of file ArcRule.h.

EvalResult ArcSec::ArcRule::evalres [private]

Definition at line 112 of file ArcRule.h.

FnFactory * ArcSec::ArcRule::fnfactory [private]

Definition at line 110 of file ArcRule.h.

std::string ArcSec::ArcRule::id [private]

Definition at line 100 of file ArcRule.h.

Arc::Logger ArcSec::ArcRule::logger [static, protected]

Reimplemented from ArcSec::Policy.

Definition at line 121 of file ArcRule.h.

Id_MatchResult ArcSec::ArcRule::res_idmatched [private]

Definition at line 116 of file ArcRule.h.

OrList ArcSec::ArcRule::resources [private]

Definition at line 105 of file ArcRule.h.

Arc::XMLNode ArcSec::ArcRule::rulenode [private]

Definition at line 113 of file ArcRule.h.

Id_MatchResult ArcSec::ArcRule::sub_idmatched [private]

Definition at line 115 of file ArcRule.h.

std::list<Policy*> ArcSec::Policy::subelements [protected, inherited]

Definition at line 26 of file Policy.h.

OrList ArcSec::ArcRule::subjects [private]

Definition at line 104 of file ArcRule.h.

std::string ArcSec::ArcRule::version [private]

Definition at line 101 of file ArcRule.h.


The documentation for this class was generated from the following files: ArcRule.h and ArcRule.cpp.