Back to index

nordugrid-arc-nox  1.1.0~rc6
Public Member Functions | Static Public Member Functions | Protected Attributes | Static Protected Attributes | Private Attributes
ArcSec::XACMLPDP Class Reference

XACMLPDP - PDP which can handle the XACML specific request and policy schema. More...

#include <XACMLPDP.h>

Inheritance diagram for ArcSec::XACMLPDP:
Inheritance graph
[legend]
Collaboration diagram for ArcSec::XACMLPDP:
Collaboration graph
[legend]

List of all members.

Public Member Functions

 XACMLPDP (Arc::Config *cfg)
virtual ~XACMLPDP ()
virtual bool isPermitted (Arc::Message *msg) const
void SetId (std::string &id)
std::string GetId ()

Static Public Member Functions

static Arc::Pluginget_xacml_pdp (Arc::PluginArgument *arg)

Protected Attributes

std::string id_

Static Protected Attributes

static Arc::Logger logger

Private Attributes

std::list< std::string > select_attrs
std::list< std::string > reject_attrs
std::list< std::string > policy_locations
Arc::XMLNodeContainer policies
std::string policy_combining_alg

Detailed Description

XACMLPDP - PDP which can handle the XACML specific request and policy schema.

Definition at line 14 of file XACMLPDP.h.


Constructor & Destructor Documentation

Definition at line 56 of file XACMLPDP.cpp.

                             :PDP(cfg) /*, eval(NULL)*/ {
  XMLNode pdp_node(*cfg);

  XMLNode filter = (*cfg)["Filter"];
  if((bool)filter) {
    XMLNode select_attr = filter["Select"];
    XMLNode reject_attr = filter["Reject"];
    for(;(bool)select_attr;++select_attr) select_attrs.push_back((std::string)select_attr);
    for(;(bool)reject_attr;++reject_attr) reject_attrs.push_back((std::string)reject_attr);
  };
  XMLNode policy_store = (*cfg)["PolicyStore"];
  XMLNode policy_location = policy_store["Location"];
  for(;(bool)policy_location;++policy_location) policy_locations.push_back((std::string)policy_location);
  XMLNode policy = (*cfg)["Policy"];
  for(;(bool)policy;++policy) policies.AddNew(policy);
  policy_combining_alg = (std::string)((*cfg)["PolicyCombiningAlg"]);
}

Here is the call graph for this function:

Definition at line 187 of file XACMLPDP.cpp.

                   {
}

Member Function Documentation

Definition at line 25 of file XACMLPDP.cpp.

                                                   {
    ArcSec::PDPPluginArgument* pdparg =
            arg?dynamic_cast<ArcSec::PDPPluginArgument*>(arg):NULL;
    if(!pdparg) return NULL;
    return new XACMLPDP((Arc::Config*)(*pdparg));
}
std::string ArcSec::PDP::GetId ( ) [inline, inherited]

Definition at line 88 of file PDP.h.

{ return id_; };
bool ArcSec::XACMLPDP::isPermitted ( Arc::Message msg) const [virtual]

Implements ArcSec::PDP.

Definition at line 74 of file XACMLPDP.cpp.

                                             {
  //Compose Request based on the information inside message, the Request will be
  //compatible to xacml request schema

  Evaluator* eval = NULL;

  const std::string ctxid = "arcsec.xacmlpdp";
  try {
    Arc::MessageContextElement* mctx = (*(msg->Context()))[ctxid];
    if(mctx) {
      XACMLPDPContext* pdpctx = dynamic_cast<XACMLPDPContext*>(mctx);
      if(pdpctx) {
        eval=pdpctx->eval;
      }
      else { logger.msg(INFO, "Can not find XACMLPDPContext"); }
    };
  } catch(std::exception& e) { };
  if(!eval) {
    XACMLPDPContext* pdpctx = new XACMLPDPContext();
    if(pdpctx) {
      eval=pdpctx->eval;
      if(eval) {
        //for(Arc::AttributeIterator it = (msg->Attributes())->getAll("PDP:POLICYLOCATION"); it.hasMore(); it++) {
        //  eval->addPolicy(SourceFile(*it));
        //}
        for(std::list<std::string>::const_iterator it = policy_locations.begin(); it!= policy_locations.end(); it++) {
          eval->addPolicy(SourceFile(*it));
        }
        for(int n = 0;n<policies.Size();++n) {
          eval->addPolicy(Source(const_cast<Arc::XMLNodeContainer&>(policies)[n]));
        }
        if(!policy_combining_alg.empty()) {
          if(policy_combining_alg == "EvaluatorFailsOnDeny") {
            eval->setCombiningAlg(EvaluatorFailsOnDeny);
          } else if(policy_combining_alg == "EvaluatorStopsOnDeny") {
            eval->setCombiningAlg(EvaluatorStopsOnDeny);
          } else if(policy_combining_alg == "EvaluatorStopsOnPermit") {
            eval->setCombiningAlg(EvaluatorStopsOnPermit);
          } else if(policy_combining_alg == "EvaluatorStopsNever") {
            eval->setCombiningAlg(EvaluatorStopsNever);
          } else {
            AlgFactory* factory = eval->getAlgFactory();
            if(!factory) {
              logger.msg(WARNING, "Evaluator does not support loadable Combining Algorithms");
            } else {
              CombiningAlg* algorithm = factory->createAlg(policy_combining_alg);
              if(!algorithm) {
                logger.msg(ERROR, "Evaluator does not support specified Combining Algorithm - %s",policy_combining_alg);
              } else {
                eval->setCombiningAlg(algorithm);
              };
            };
          };
        };
        msg->Context()->Add(ctxid, pdpctx);
      } else {
        delete pdpctx;
      }
    }
    if(!eval) logger.msg(ERROR, "Can not dynamically produce Evaluator");
  }
  if(!eval) {
    logger.msg(ERROR,"Evaluator for XACMLPDP was not loaded"); 
    return false;
  };

  MessageAuth* mauth = msg->Auth()->Filter(select_attrs,reject_attrs);
  MessageAuth* cauth = msg->AuthContext()->Filter(select_attrs,reject_attrs);
  if((!mauth) && (!cauth)) {
    logger.msg(ERROR,"Missing security object in message");
    return false;
  };
  NS ns;
  XMLNode requestxml(ns,"");
  if(mauth) {
    if(!mauth->Export(SecAttr::XACML,requestxml)) {
      delete mauth;
      logger.msg(ERROR,"Failed to convert security information to XACML request");
      return false;
    };
    delete mauth;
  };
  if(cauth) {
    if(!cauth->Export(SecAttr::XACML,requestxml)) {
      delete mauth;
      logger.msg(ERROR,"Failed to convert security information to XACML request");
      return false;
    };
    delete cauth;
  };
  {
    std::string s;
    requestxml.GetXML(s);
    logger.msg(DEBUG,"XACML request: %s",s);
  };
  if(requestxml.Size() <= 0) {
    logger.msg(ERROR,"No requested security information was collected");
    return false;
  };

  //Call the evaluation functionality inside Evaluator
  Response *resp = eval->evaluate(requestxml);
  ArcSec::ResponseList rlist = resp->getResponseItems();
  std::cout<<rlist[0]->res<<std::endl;
  bool result = false;
  if(rlist[0]->res == DECISION_PERMIT) { logger.msg(INFO, "Authorized from xacml.pdp"); result = true; }
  else logger.msg(ERROR, "UnAuthorized from xacml.pdp");
  
  if(resp) delete resp;
    
  return result;
}

Here is the call graph for this function:

void ArcSec::PDP::SetId ( std::string &  id) [inline, inherited]

Definition at line 87 of file PDP.h.

{ id_ = id; };

Member Data Documentation

std::string ArcSec::PDP::id_ [protected, inherited]

Definition at line 88 of file PDP.h.

Reimplemented from ArcSec::PDP.

Definition at line 30 of file XACMLPDP.h.

Definition at line 27 of file XACMLPDP.h.

Definition at line 28 of file XACMLPDP.h.

std::list<std::string> ArcSec::XACMLPDP::policy_locations [private]

Definition at line 26 of file XACMLPDP.h.

std::list<std::string> ArcSec::XACMLPDP::reject_attrs [private]

Definition at line 25 of file XACMLPDP.h.

std::list<std::string> ArcSec::XACMLPDP::select_attrs [private]

Definition at line 24 of file XACMLPDP.h.


The documentation for this class was generated from the following files: