
nordugrid-arc-nox 1.1.0~rc6
ArcSec::XACMLPolicy Class Reference

XACMLPolicy class to parse and operate XACML specific <Policy> node. More...

#include <XACMLPolicy.h>



Public Member Functions

 XACMLPolicy (void)
 Constructor.
 XACMLPolicy (const Arc::XMLNode node)
 Constructor.
 XACMLPolicy (const Arc::XMLNode node, EvaluatorContext *ctx)
 Constructor that also sets the evaluator context and builds the policy tree.
virtual ~XACMLPolicy ()
virtual operator bool (void) const
 Returns true if the object is valid.
virtual Result eval (EvaluationCtx *ctx)
 Evaluate the policy. For the <Rule> of Arc, only get the "Effect" from the rules; for the <Policy> of Arc, combine the evaluation results from <Rule>; for the <Rule> of XACML, evaluate the <Condition> node using information from the request and use the "Effect" attribute of <Rule>; for the <Policy> of XACML, combine the evaluation results from <Rule>.
virtual void setEvaluatorContext (EvaluatorContext *evaluatorcontext)
 Set Evaluator Context for the usage in creating low-level policy object.
virtual void make_policy ()
 Parse XMLNode, and construct the low-level Rule object.
virtual MatchResult match (EvaluationCtx *ctx)
 Evaluate whether the two targets to be evaluated match to each other.
virtual std::string getEffect () const
 Get the "Effect" attribute.
virtual EvalResult & getEvalResult ()
 Get evaluation result.
virtual void setEvalResult (EvalResult &res)
 Set evaluation result.
const char * getEvalName () const
 Get the name of Evaluator which can evaluate this policy.
const char * getName () const
 Get the name of this policy.
virtual void addPolicy (Policy *pl)
 Add a policy element into "this" object.

Static Public Member Functions

static Arc::Plugin * get_policy (Arc::PluginArgument *arg)
 get_policy (in charge of class-loading of XACMLPolicy) can only accept one type of argument: XMLNode.

Protected Attributes

std::list< Policy * > subelements

Static Protected Attributes

static Arc::Logger logger

Private Attributes

std::string id
std::string version
CombiningAlg * comalg
 The combining algorithm between lower-level elements, <Rule>.
std::string description
EvaluatorContext * evaluatorctx
 Evaluator Context which contains factory object.
AlgFactory * algfactory
 Algorithm factory.
EvalResult evalres
Arc::XMLNode policynode
 Corresponding <Policy> node.
Arc::XMLNode policytop
 Top element of policy tree.
XACMLTarget * target
 The object for containing <Target> information.

Detailed Description

XACMLPolicy class to parse and operate XACML specific <Policy> node.

Definition at line 17 of file XACMLPolicy.h.


Constructor & Destructor Documentation

ArcSec::XACMLPolicy::XACMLPolicy ( void )

Constructor.

Definition at line 40 of file XACMLPolicy.cpp.

XACMLPolicy::XACMLPolicy(void) : Policy(), comalg(NULL), target(NULL) {
  // target(NULL) added here: the destructor deletes target when it is non-NULL,
  // so the default constructor must not leave the pointer uninitialised.
  // Start from an empty <policy:Policy> document in the XACML policy namespace.
  Arc::XMLNode newpolicy(policyns,"policy:Policy");
  newpolicy.New(policynode);
  policytop=policynode;
}


ArcSec::XACMLPolicy::XACMLPolicy ( const Arc::XMLNode node )

Constructor.

Definition at line 46 of file XACMLPolicy.cpp.

XACMLPolicy::XACMLPolicy(const Arc::XMLNode node) : Policy(node), comalg(NULL), target(NULL) {
  if((!node) || (node.Size() == 0)) {
    logger.msg(ERROR,"Policy is empty");
    return;
  }
  // Work on a private copy of the supplied document.
  node.New(policynode);

  // The <Policy> element must carry the XACML policy namespace; a document in the
  // wrong namespace is rejected and leaves the object invalid (operator bool == false).
  std::list<XMLNode> res = policynode.XPathLookup("//policy:Policy",policyns);
  if(res.empty()) {
    logger.msg(ERROR,"Can not find <Policy/> element with proper namespace");
    policynode.Destroy();
    return;
  }
  policytop = *(res.begin());
}


ArcSec::XACMLPolicy::XACMLPolicy ( const Arc::XMLNode node, EvaluatorContext * ctx )

Constructor that also sets the evaluator context and builds the policy tree.

Definition at line 62 of file XACMLPolicy.cpp.

XACMLPolicy::XACMLPolicy(const Arc::XMLNode node, EvaluatorContext* ctx) : Policy(node), comalg(NULL), target(NULL) {
  if((!node) || (node.Size() == 0)) {
    logger.msg(ERROR,"Policy is empty");
    return;
  }
  node.New(policynode);
  // Same namespace check as the single-argument constructor; an invalid document
  // leaves policynode empty so that make_policy() is never reached.
  std::list<XMLNode> res = policynode.XPathLookup("//policy:Policy",policyns);
  if(res.empty()) {
    policynode.Destroy();
    return;
  }
  policytop = *(res.begin());
  // With a context available the rule tree can be built immediately.
  setEvaluatorContext(ctx);
  make_policy();
}

XACMLPolicy::~XACMLPolicy ( ) [virtual]

Definition at line 156 of file XACMLPolicy.cpp.

XACMLPolicy::~XACMLPolicy() {
  // The policy owns the XACMLRule objects created in make_policy() and the XACMLTarget.
  while(!(subelements.empty())){
    delete subelements.back();
    subelements.pop_back();
  }
  if(target != NULL) delete target;
}

Member Function Documentation

virtual void ArcSec::Policy::addPolicy ( Policy * pl ) [inline, virtual, inherited]

Add a policy element into "this" object.

Definition at line 64 of file Policy.h.

{subelements.push_back(pl);};

Result XACMLPolicy::eval ( EvaluationCtx * ctx ) [virtual]

Evaluate the policy. For the <Rule> of Arc, only get the "Effect" from the rules; for the <Policy> of Arc, combine the evaluation results from <Rule>; for the <Rule> of XACML, evaluate the <Condition> node using information from the request and use the "Effect" attribute of <Rule>; for the <Policy> of XACML, combine the evaluation results from <Rule>.

Implements ArcSec::Policy.

Definition at line 136 of file XACMLPolicy.cpp.

Result XACMLPolicy::eval(EvaluationCtx *ctx) {
  Result result = DECISION_NOT_APPLICABLE;
  // The policy-level <Target> is checked first: a request that does not match it
  // never reaches the rules, and an undecidable match is reported as Indeterminate.
  if(target != NULL) {
    MatchResult matchres = target->match(ctx);
    if(matchres == NO_MATCH)  return result;
    else if(matchres == INDETERMINATE) {result = DECISION_INDETERMINATE; return result;}
  }

  // No combining algorithm (unknown RuleCombiningAlgId) yields Indeterminate rather
  // than silently permitting.
  result = comalg?comalg->combine(ctx, subelements):DECISION_INDETERMINATE;
  if(result == DECISION_PERMIT) evalres.effect = "Permit";
  else if(result == DECISION_DENY) evalres.effect = "Deny";
  else if(result == DECISION_INDETERMINATE) evalres.effect = "Indeterminate";

  return result;
}

Arc::Plugin * XACMLPolicy::get_policy ( Arc::PluginArgument * arg ) [static]

get_policy (in charge of class-loading of XACMLPolicy) can only accept one type of argument: XMLNode.

Definition at line 16 of file XACMLPolicy.cpp.

Arc::Plugin* ArcSec::XACMLPolicy::get_policy(Arc::PluginArgument* arg) {
    if(arg==NULL) return NULL;
    // The class loader hands over a ClassLoaderPluginArgument wrapping the XMLNode.
    Arc::ClassLoaderPluginArgument* clarg = dynamic_cast<Arc::ClassLoaderPluginArgument*>(arg);
    if(!clarg) return NULL;
    // Check if an empty or valid policy is supplied
    Arc::XMLNode* doc = (Arc::XMLNode*)(*clarg);
    if(doc==NULL) {
        std::cerr<<"XACMLPolicy creation requires XMLNode as argument"<<std::endl;
        return NULL;
    }
    // The constructor leaves policynode empty (operator bool == false) when the
    // document is not a namespaced <Policy>; such objects are discarded here.
    ArcSec::XACMLPolicy* policy = new ArcSec::XACMLPolicy(*doc);
    if(!(*policy)) {
      delete policy;
      return NULL;
    }
    return policy;
}


virtual std::string ArcSec::XACMLPolicy::getEffect ( ) const [inline, virtual]

Get the "Effect" attribute.

Implements ArcSec::Policy.

Definition at line 41 of file XACMLPolicy.h.

{ return "Not_applicable";};
const char* ArcSec::XACMLPolicy::getEvalName ( ) const [inline, virtual]

Get the name of Evaluator which can evaluate this policy.

Implements ArcSec::Policy.

Definition at line 47 of file XACMLPolicy.h.

{   return "xacml.evaluator"; };

EvalResult & XACMLPolicy::getEvalResult ( ) [virtual]

Get evaluation result.

Implements ArcSec::Policy.

Definition at line 152 of file XACMLPolicy.cpp.

EvalResult& XACMLPolicy::getEvalResult() {
  return evalres;
}
const char* ArcSec::XACMLPolicy::getName ( ) const [inline, virtual]

Get the name of this policy.

Implements ArcSec::Policy.

Definition at line 49 of file XACMLPolicy.h.

{   return "xacml.policy"; };
void XACMLPolicy::make_policy ( ) [virtual]

Parse the XMLNode and construct the low-level Rule objects.

Reimplemented from ArcSec::Policy.

Definition at line 78 of file XACMLPolicy.cpp.

void XACMLPolicy::make_policy() {
  //EvalResult.node records the policy (as XMLNode) information about the evaluation result.
  //According to the developer's requirement, EvalResult.node can include the rules (as XMLNode)
  //that "Permit" or "Deny" the request tuple. In the existing code it includes all the
  //original rules.

  if(!policynode) return;
  if(!policytop) return;
  // Guard added: without an EvaluatorContext there is no AlgFactory, and the
  // casts below would dereference NULL.
  if(evaluatorctx == NULL) {
    logger.msg(ERROR, "No EvaluatorContext set, can not build policy");
    return;
  }

  evalres.node = policynode;
  evalres.effect = "Not_applicable";

  //Get AlgFactory from EvaluatorContext
  algfactory = (AlgFactory*)(*evaluatorctx);

  XMLNode nd = policytop;
  if((bool)nd){
    id = (std::string)(nd.Attribute("PolicyId"));

    //Setup the rules' combining algorithm inside one policy, according to the "RuleCombiningAlgId" name.
    //Only the last ':'-separated segment of the XACML URN is used; anything other than
    //deny-overrides/permit-overrides is passed to the factory unchanged, and an unknown
    //name leaves comalg NULL, which eval() reports as Indeterminate.
    if(nd.Attribute("RuleCombiningAlgId")) {
      std::string tmpstr = (std::string)(nd.Attribute("RuleCombiningAlgId"));
      size_t found = tmpstr.find_last_of(":");
      std::string algstr = tmpstr.substr(found+1);
      if(algstr == "deny-overrides") algstr = "Deny-Overrides";
      else if(algstr == "permit-overrides") algstr = "Permit-Overrides";
      comalg = algfactory->createAlg(algstr);
    }
    else comalg = algfactory->createAlg("Deny-Overrides");  // default when the attribute is absent

    description = (std::string)(nd["Description"]);
  }

  logger.msg(INFO, "PolicyId: %s  Alg inside this policy is:-- %s", id, comalg?(comalg->getalgId()):"");

  //A <Target> without children is treated as absent, so eval() goes straight to the rules.
  XMLNode targetnode = nd["Target"];
  if(((bool)targetnode) && ((bool)(targetnode.Child())))
    target = new XACMLTarget(targetnode, evaluatorctx);

  //One XACMLRule object per <Rule> child, in document order.
  for ( int i=0;; i++ ){
    XMLNode rnd = nd["Rule"][i];
    if(!rnd) break;
    XACMLRule *rule = new XACMLRule(rnd, evaluatorctx);
    subelements.push_back(rule);
  }
}
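The parsing and evaluation flow that make_policy() and eval() implement, reproduced as a standalone Python model (an added example, not ARC's own code). The namespace URI behind the "policy" prefix, the request as a set of attribute strings, and the reduction of <Target> and <Condition> to literal AttributeValue strings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URI behind ARC's "policy" prefix; the real value is not on the page.
NS = {"policy": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "Not_applicable", "Indeterminate"

def _overrides(order):
    # Generic "X-overrides" combiner: the first effect in `order` produced by any rule wins.
    def combine(effects):
        return next((e for e in order if e in effects), NOT_APPLICABLE)
    return combine

# Names exactly as make_policy() hands them to AlgFactory::createAlg.
ALGS = {"Deny-Overrides": _overrides((DENY, INDETERMINATE, PERMIT)),
        "Permit-Overrides": _overrides((PERMIT, INDETERMINATE, DENY))}

def make_policy(xml_text):
    # Model of XACMLPolicy::make_policy; None when no namespaced <Policy> exists.
    root = ET.fromstring(xml_text)
    top = root if root.tag == "{%s}Policy" % NS["policy"] else root.find(".//policy:Policy", NS)
    if top is None:          # same outcome as the XPath lookup "//policy:Policy" coming back empty
        return None
    alg_id = top.get("RuleCombiningAlgId")
    # Only the last ':'-segment of the URN is kept, then mapped to the factory's spelling;
    # a missing attribute defaults to Deny-Overrides, as in the C++ code.
    algstr = alg_id.rsplit(":", 1)[-1] if alg_id else "deny-overrides"
    algstr = {"deny-overrides": "Deny-Overrides", "permit-overrides": "Permit-Overrides"}.get(algstr, algstr)
    # Simplification: Target and Condition are reduced to literal AttributeValue strings that
    # must all be present in the request attribute set (real XACML match functions are richer).
    target = [v.text for v in top.findall("policy:Target//policy:AttributeValue", NS)]
    rules = [(r.get("Effect"), [v.text for v in r.findall("policy:Condition//policy:AttributeValue", NS)])
             for r in top.findall("policy:Rule", NS)]
    return {"id": top.get("PolicyId"), "alg": algstr, "target": target, "rules": rules}

def eval_policy(policy, request):
    # Model of XACMLPolicy::eval; the policy-level Target is checked before any rule.
    if policy["target"] and not all(v in request for v in policy["target"]):
        return NOT_APPLICABLE
    combine = ALGS.get(policy["alg"])
    if combine is None:      # comalg == NULL in the C++ code: an unknown algorithm fails closed
        return INDETERMINATE
    effects = [eff for eff, cond in policy["rules"] if all(v in request for v in cond)]
    return combine(effects)

# Constructed sample policy (not taken from the ARC sources).
POLICY_XML = """<policy:Policy xmlns:policy="%s" PolicyId="jobs-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <policy:Target><policy:AttributeValue>resource:/jobs</policy:AttributeValue></policy:Target>
  <policy:Rule RuleId="allow-all" Effect="Permit"/>
  <policy:Rule RuleId="block-guests" Effect="Deny"><policy:Condition><policy:AttributeValue>role:guest</policy:AttributeValue></policy:Condition></policy:Rule>
</policy:Policy>""" % NS["policy"]
```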

MatchResult XACMLPolicy::match ( EvaluationCtx * ctx ) [virtual]

Evaluate whether the two targets to be evaluated match each other.

Implements ArcSec::Policy.

Definition at line 129 of file XACMLPolicy.cpp.

MatchResult XACMLPolicy::match(EvaluationCtx *ctx) {
  MatchResult res;
  // Without a <Target> the policy cannot decide on its own, so the result is Indeterminate.
  if(target != NULL) res = target->match(ctx);
  else { logger.msg(Arc::INFO, "No target available inside the policy"); res = INDETERMINATE; }
  return res;
}

virtual ArcSec::XACMLPolicy::operator bool ( void ) const [inline, virtual]

Returns true if the object is valid.

Implements ArcSec::Policy.

Definition at line 30 of file XACMLPolicy.h.

{ return (bool)policynode; };
virtual void ArcSec::XACMLPolicy::setEvalResult ( EvalResult & res ) [inline, virtual]

Set evaluation result.

Implements ArcSec::Policy.

Definition at line 45 of file XACMLPolicy.h.

{ evalres = res; };
virtual void ArcSec::XACMLPolicy::setEvaluatorContext ( EvaluatorContext * evaluatorcontext ) [inline, virtual]

Set Evaluator Context for the usage in creating low-level policy object.

Reimplemented from ArcSec::Policy.

Definition at line 34 of file XACMLPolicy.h.

{ evaluatorctx = evaluatorcontext; };



Member Data Documentation

AlgFactory* ArcSec::XACMLPolicy::algfactory [private]

Algorithm factory.

Definition at line 66 of file XACMLPolicy.h.

CombiningAlg* ArcSec::XACMLPolicy::comalg [private]

The combining algorithm between lower-level elements, <Rule>.

Definition at line 59 of file XACMLPolicy.h.

std::string ArcSec::XACMLPolicy::description [private]

Definition at line 60 of file XACMLPolicy.h.

EvalResult ArcSec::XACMLPolicy::evalres [private]

Definition at line 68 of file XACMLPolicy.h.

EvaluatorContext* ArcSec::XACMLPolicy::evaluatorctx [private]

Evaluator Context which contains the factory object.

Definition at line 63 of file XACMLPolicy.h.

std::string ArcSec::XACMLPolicy::id [private]

Definition at line 55 of file XACMLPolicy.h.

Arc::Logger ArcSec::XACMLPolicy::logger [static, protected]

Reimplemented from ArcSec::Policy.

Definition at line 80 of file XACMLPolicy.h.

Arc::XMLNode ArcSec::XACMLPolicy::policynode [private]

Corresponding <Policy> node.

Definition at line 71 of file XACMLPolicy.h.

Arc::XMLNode ArcSec::XACMLPolicy::policytop [private]

Top element of the policy tree.

Definition at line 74 of file XACMLPolicy.h.

std::list<Policy*> ArcSec::Policy::subelements [protected, inherited]

Definition at line 26 of file Policy.h.

XACMLTarget* ArcSec::XACMLPolicy::target [private]

The object containing the <Target> information.

Definition at line 77 of file XACMLPolicy.h.

std::string ArcSec::XACMLPolicy::version [private]

Definition at line 56 of file XACMLPolicy.h.


The documentation for this class was generated from the following files: