eu.xtreemos.xosd.security.vops
Class VOPS

java.lang.Object
  extended by eu.xtreemos.system.eventmachine.stage.AbstractStage
      extended by eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage
          extended by eu.xtreemos.system.eventmachine.stage.Abstract2wayStage
              extended by eu.xtreemos.xosd.security.vops.VOPS
All Implemented Interfaces:
eu.xtreemos.system.eventmachine.queue.IEventHandler, eu.xtreemos.system.eventmachine.stage.IStage

public class VOPS
extends eu.xtreemos.system.eventmachine.stage.Abstract2wayStage

VO Policy Service: this class provides the basic functions to manipulate policy rules, obtain information about policies and execute queries against policies. Policies are held in memory as a collection managed by eu.xtreemos.xosd.security.vops.xacml.utils.PolicyFactory; they can be persisted to physical storage with writeBack(X509Certificate) and loaded back from physical storage into memory with reloadVOPS(X509Certificate). Until writeBack is called, the in-memory collection is the only copy of any change.

Author:
ales.cernivec@xlab.si

Nested Class Summary
 class VOPS.PasswordGiver
           
 
Field Summary
private  java.lang.String delim
           
private  boolean isGlobalVOPS
           
private  boolean isUpToDate
           
private  java.util.HashMap<CommunicationAddress,java.security.cert.X509Certificate> listOfRegisteredVOPS
           
private  java.util.ArrayList<java.security.cert.X509Certificate> listOfVoAdminCerts
           
(package private) static org.apache.log4j.Logger logger
           
private  SimplePDP pdp
          Policy Decision Point
private  ServiceTrustStore serviceTrustStore
          This stores certificates in which we trust.
private  CVOPSConfig vopsConfig
           
 
Fields inherited from class eu.xtreemos.system.eventmachine.stage.Abstract2wayStage
context, counter, curContext, sink
 
Fields inherited from class eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage
queue
 
Fields inherited from class eu.xtreemos.system.eventmachine.stage.AbstractStage
handlerChain, handlerGroup, handlerThreads, name, running, serviceListeners
 
Constructor Summary
VOPS()
           
 
Method Summary
 java.lang.Boolean addPolicy(java.lang.String xacmlPolicy, java.security.cert.X509Certificate userCtx)
          Adds XACML policy into policy storage.
 java.lang.String addRule(java.lang.String ruleXML, java.lang.String policyId)
          Adds rule which is passed as XML string to the policy identified by policyId.
 java.lang.String addXACMLRule(java.lang.String ruleXACML, java.lang.String policyId, java.security.cert.X509Certificate userCtx)
          Adds rule which is passed as an XML string in XACML format to the policy identified by policyId. Returns the created rule as a String object.
 java.lang.String createPolicy(java.lang.String policyID, java.lang.String description)
          Deprecated.  
 java.lang.String createPolicyWithTarget(java.lang.String policyID, java.lang.String description, java.lang.String target)
          Creates an empty policy containing target as provided.
 java.lang.String evaluateRequest(java.lang.String xacmlRequest)
          Constructs an XACML request from the XML passed as an argument and evaluates it against the policies stored in policy storage (see PolicyFactory).
 java.lang.String generateRequest(java.security.cert.X509Certificate targetSubjectCertificate)
           
 java.util.ArrayList<java.lang.String> getActionAttributes()
          These attributes can be used in XACML policies, requests and rules.
 java.util.ArrayList<CommunicationAddress> getFilteredResources()
          Deprecated.  
 java.lang.String getHandledEventType()
           
 java.util.ArrayList<java.lang.String> getResourceAttributes()
          These attributes can be used in XACML policies, requests and rules.
 java.lang.Boolean getResultFromResMngProcess(ReturnMessage retMsg)
          Deprecated.  
 java.lang.Object getResultsFromResMng(java.util.ArrayList<CommunicationAddress> list)
          Deprecated.  
 java.util.ArrayList<java.lang.String> getSubjectAttributes()
          These attributes can be used in XACML policies, requests and rules.
 void handleEvent(java.lang.Object event)
           
 void init()
          Initialization of Policy Decision Point
 java.lang.String listFilteredPolicy(java.lang.String xacmlRequest)
          Returns a policy comprising rules which comply with the request passed as an argument.
 java.lang.String listFilteredPolicyCert(java.security.cert.X509Certificate targetSubjectCertificate)
          Lists policies which apply to certificate provided.
 java.util.ArrayList<java.lang.String> listPolicies(java.security.cert.X509Certificate userCtx)
          Note that list of all policies can be very large.
 java.lang.Object listPoliciesHandler(java.util.ArrayList<java.lang.String> alPolicies)
          Executed as a consequence of the VOPS#listPolicies() method.
 java.lang.String listPolicy(java.lang.String policyId, java.security.cert.X509Certificate userCtx)
          Lists specific policy with policyId.
 java.lang.String listVoAdmins()
          Lists registered VO administrators.
protected  ResourceMatching makePolicyDecision(java.util.HashMap<CommunicationAddress,java.security.cert.X509Certificate> resourceCerts, VOPSStorage storage)
           
 java.lang.String obtainFilterPolicyAEM(java.lang.Object xosUserCert, java.lang.String jsdlContent, java.lang.String action)
          Obtains policy which will be used in resource discovery system as a filter (it will help to narrow down possible resource nodes).
 ResourceMatching policyEnforceRequestCertificateCatcher(RCASignedResponse response)
          Refers to verifyPolicyAEM(Object, ResourceMatching, String).
 ResourceMatching policyEnforceRequestCertificateCatcherFailure(java.lang.Exception err)
          Catches failures of CDAMng.getResourceCertificate call.
 java.lang.Boolean registerVoAdmin(java.security.cert.X509Certificate voAdminsCert)
          Adds certificate passed as an argument into a list of trusted certificates (VO admins list).
 java.lang.Boolean registerVOPSToGlobalVOPS(CommunicationAddress address, java.security.cert.X509Certificate certificate)
          This registers VOPS to global VOPS service where decisions are made.
 java.lang.Boolean reloadVOPS(java.security.cert.X509Certificate userCtx)
          Reloads all policies stored in policy storage.
 java.lang.Boolean removePolicy(java.lang.String policyId, java.security.cert.X509Certificate userCtx)
          Policy with policyId will be removed from policy storage.
 java.lang.Boolean removeRuleFromPolicy(java.lang.String ruleId, java.lang.String policyId, java.security.cert.X509Certificate userCtx)
          Removes rule from policy with specified policyId.
 java.lang.Boolean unregisterVoAdmin(java.lang.Integer index)
          Removes certificate with specified index from a list of trusted certificates.
 ResourceMatching verifyPolicyAEM(java.lang.Object xos_cert, ResourceMatching resources, java.lang.String action)
          Used by the AEM framework to check whether the resources listed in resources comply with the policies stored in VO policy storage, see PolicyFactory.listPolicies().
 com.sun.xacml.Policy verifyPolicyAemJsdl(java.lang.Object xosUserCert, ResourceMatching resources, java.lang.String jsdlContent, java.lang.String action)
          Verifies if request is permitted.
 ResourceMatching verifyPolicyCertRes(java.security.cert.X509Certificate xos_cert, ResourceMatching resources)
          This method is called by consequence of the verifyPolicyAEM(Object, ResourceMatching, String) method.
 java.lang.Object verifyPolicyCertResHandle(ResourceMatching returnedResMatching)
          This callback gets filtered resources based on query which was submitted by verifyPolicyCertRes.
 java.lang.Boolean writeBack(java.security.cert.X509Certificate userCtx)
          Writes back policies from policy storage in PolicyFactory on to local disk.
 
Methods inherited from class eu.xtreemos.system.eventmachine.stage.Abstract2wayStage
getContext, removeContext, SendException, SendException, SendException, SendReply, SendReply, SendReply, setSink
 
Methods inherited from class eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage
dequeue, getSource
 
Methods inherited from class eu.xtreemos.system.eventmachine.stage.AbstractStage
addHandler, addHandler, addServiceListener, getName, getShortName, getThreadCount, notifyServiceInitialised, notifyServiceStarted, notifyServiceStopped, processEvent, removeHandler, removeServiceListener, setThreadCount, start, stop
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

serviceTrustStore

private ServiceTrustStore serviceTrustStore
This stores certificates in which we trust.


delim

private java.lang.String delim

logger

static final org.apache.log4j.Logger logger

listOfVoAdminCerts

private java.util.ArrayList<java.security.cert.X509Certificate> listOfVoAdminCerts

isGlobalVOPS

private boolean isGlobalVOPS

listOfRegisteredVOPS

private java.util.HashMap<CommunicationAddress,java.security.cert.X509Certificate> listOfRegisteredVOPS

vopsConfig

private CVOPSConfig vopsConfig

isUpToDate

private boolean isUpToDate

pdp

private SimplePDP pdp
Policy Decision Point

Constructor Detail

VOPS

public VOPS()
Method Detail

registerVoAdmin

public java.lang.Boolean registerVoAdmin(java.security.cert.X509Certificate voAdminsCert)
Adds the certificate passed as an argument to the list of trusted certificates (VO admins list). This list is the basis of VOPS access control.

Parameters:
voAdminsCert - certificate to add into a list of trusted certificates. See also X509Certificate.
Returns:
true on success.

unregisterVoAdmin

public java.lang.Boolean unregisterVoAdmin(java.lang.Integer index)
Removes the certificate at the specified index from the list of trusted certificates (VO admins list). Indices shift when an earlier entry is removed, so take the index from listVoAdmins() immediately before calling.

Parameters:
index - position of the certificate in the VO admins list.
Returns:
true on success

listVoAdmins

public java.lang.String listVoAdmins()
Lists registered VO administrators.

Returns:
list as a String instance.

obtainFilterPolicyAEM

public java.lang.String obtainFilterPolicyAEM(java.lang.Object xosUserCert,
                                              java.lang.String jsdlContent,
                                              java.lang.String action)
                                       throws java.lang.Exception
Obtains policy which will be used in resource discovery system as a filter (it will help to narrow down possible resource nodes).

Parameters:
xosUserCert - user certificate (instance of X509Certificate).
jsdlContent - content of the JSDL document.
action - action attribute; if null, it defaults to submit job.
Returns:
XACML filter policy as a String.
Throws:
java.lang.Exception

verifyPolicyAemJsdl

public com.sun.xacml.Policy verifyPolicyAemJsdl(java.lang.Object xosUserCert,
                                                ResourceMatching resources,
                                                java.lang.String jsdlContent,
                                                java.lang.String action)
Verifies if the request is permitted. The request is constructed from the XtreemOS user certificate, the JSDL document, the action and the resources provided by the resource discovery system (forwarded by AEM).

Parameters:
xosUserCert - user certificate (instance of X509Certificate).
resources - list of potentially compliant resources, see also the ResourceMatching class.
jsdlContent - content of the JSDL document.
action - action attribute; if null, it defaults to submit job.
Returns:

verifyPolicyAEM

public ResourceMatching verifyPolicyAEM(java.lang.Object xos_cert,
                                        ResourceMatching resources,
                                        java.lang.String action)
                                 throws java.lang.Exception
Used by the AEM framework to check whether the resources listed in resources comply with the policies stored in VO policy storage, see PolicyFactory.listPolicies().

Parameters:
xos_cert - instance of X509Certificate.
resources - list of potentially compliant resources, see also the ResourceMatching class.
action - String used to denote the action taken by the user over the resources. Use the constants declared in XACMLConstants.Action.
Returns:
instance of ResourceMatching, which also carries a digital signature, see ResourceMatching.setSignature(byte[]) and ResourceMatching.getSignature().
Throws:
java.lang.Exception

policyEnforceRequestCertificateCatcherFailure

public ResourceMatching policyEnforceRequestCertificateCatcherFailure(java.lang.Exception err)
                                                               throws java.lang.Exception
Catches failures of the CDAMng.getResourceCertificate call.

Parameters:
err - the failure raised by the resource certificate lookup.
Returns:
no ResourceMatching is produced on failure; the exception is rethrown (see Throws).
Throws:
java.lang.Exception

policyEnforceRequestCertificateCatcher

public ResourceMatching policyEnforceRequestCertificateCatcher(RCASignedResponse response)
                                                        throws java.lang.Exception
Callback for verifyPolicyAEM(Object, ResourceMatching, String). It collects the resource attribute certificates and adds them to the VOPSStorage.alResources list. When all certificates have been obtained, verifyPolicyCertRes(X509Certificate, ResourceMatching) is called.

Parameters:
response - the certificate returned by the RCA Client
Returns:
instance of the ResourceMatching object. It contains a list of all potential resource nodes.
Throws:
java.lang.Exception

makePolicyDecision

protected ResourceMatching makePolicyDecision(java.util.HashMap<CommunicationAddress,java.security.cert.X509Certificate> resourceCerts,
                                              VOPSStorage storage)
                                       throws java.lang.Exception
Throws:
java.lang.Exception

verifyPolicyCertRes

public ResourceMatching verifyPolicyCertRes(java.security.cert.X509Certificate xos_cert,
                                            ResourceMatching resources)
                                     throws java.lang.Exception
This method is called as a consequence of the verifyPolicyAEM(Object, ResourceMatching, String) method. It enforces the policies: it generates an XACML request for each resource and checks it against the policies residing in policy storage, see PolicyFactory.listPolicies().

Parameters:
xos_cert - user certificate which has been stored in VOPSStorage
resources - collection produced by the resource matching process, see ResourceMatching.
Returns:
instance of the ResourceMatching object. It contains a list of all potential resource nodes.
Throws:
java.lang.Exception

verifyPolicyCertResHandle

public java.lang.Object verifyPolicyCertResHandle(ResourceMatching returnedResMatching)
This callback receives the filtered resources for the query submitted by verifyPolicyCertRes. See also verifyPolicyAEM(Object, ResourceMatching, String).

Parameters:
returnedResMatching -
Returns:
always null

createPolicy

public java.lang.String createPolicy(java.lang.String policyID,
                                     java.lang.String description)
                              throws java.lang.Exception
Deprecated. 

A new policy is created in policy storage using the static PolicyFactory class, with the given policyID and description.

Parameters:
policyID - id of the new policy
description - description of the new policy
Returns:
the policy as a String instance.
Throws:
java.lang.Exception

createPolicyWithTarget

public java.lang.String createPolicyWithTarget(java.lang.String policyID,
                                               java.lang.String description,
                                               java.lang.String target)
                                        throws java.lang.Exception
Creates an empty policy containing target as provided.

Parameters:
policyID - policy's id
description - description of the policy
target - target to which this policy applies
Returns:
policy created
Throws:
java.lang.Exception

removePolicy

public java.lang.Boolean removePolicy(java.lang.String policyId,
                                      java.security.cert.X509Certificate userCtx)
                               throws java.lang.Exception
Policy with policyId will be removed from policy storage.

Parameters:
policyId -
userCtx - certificate of the subject executing this call.
Returns:
true on success
Throws:
java.lang.Exception - propagated from PolicyFactory.removePolicy(String).

listPolicies

public java.util.ArrayList<java.lang.String> listPolicies(java.security.cert.X509Certificate userCtx)
                                                   throws java.lang.Exception
Note that the list of all policies can be very large. See also listFilteredPolicy(String) and listPolicy(String, X509Certificate).

Parameters:
userCtx - certificate of the subject executing this call.
Returns:
ArrayList of XACML policies as ArrayList of strings.
Throws:
java.lang.Exception

listPoliciesHandler

public java.lang.Object listPoliciesHandler(java.util.ArrayList<java.lang.String> alPolicies)
Executed as a consequence of the VOPS#listPolicies() method. Catches global VOPS' reply of the policies and returns it to the client or server side.

Parameters:
alPolicies - list of XACML policies
Returns:
always null

listPolicy

public java.lang.String listPolicy(java.lang.String policyId,
                                   java.security.cert.X509Certificate userCtx)
                            throws java.lang.Exception
Lists specific policy with policyId. Returns XACML policy as String object.

Parameters:
policyId - id of the policy to list.
userCtx - certificate of the subject executing this call.
Returns:
XACML policy as a string.
Throws:
java.lang.Exception

addPolicy

public java.lang.Boolean addPolicy(java.lang.String xacmlPolicy,
                                   java.security.cert.X509Certificate userCtx)
                            throws java.lang.Exception
Adds XACML policy into policy storage.

Parameters:
xacmlPolicy - policy as an XML string in XACML format.
userCtx - certificate of the subject executing this call.
Returns:
true on success.
Throws:
java.lang.Exception

addRule

public java.lang.String addRule(java.lang.String ruleXML,
                                java.lang.String policyId)
                         throws java.lang.Exception
Adds a rule, passed as an XML string, to the policy identified by policyId. Returns the rule as a String object. See also addXACMLRule(String, String, X509Certificate), where the rule is passed in XACML format.

Parameters:
ruleXML - description of the rule.
policyId - defines destination policy.
Returns:
XACML rule as a string.
Throws:
java.lang.Exception

addXACMLRule

public java.lang.String addXACMLRule(java.lang.String ruleXACML,
                                     java.lang.String policyId,
                                     java.security.cert.X509Certificate userCtx)
                              throws java.lang.Exception
Adds a rule, passed as an XML string in XACML format, to the policy identified by policyId. Returns the created rule as a String object.

Parameters:
ruleXACML - XACML string representing the rule to be added to the policy
policyId - identifies the policy to which the rule is added.
userCtx - certificate of the subject executing this call.
Returns:
rule in a XACML format as a String.
Throws:
java.lang.Exception
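The administration flow described by registerVoAdmin, createPolicyWithTarget and addXACMLRule, followed by writeBack and reloadVOPS, as an added example; this is not code from the XtreemOS project. It assumes that VOPS can be instantiated and initialised in-process with new VOPS() and init() (in a deployment it runs as an event-machine stage), that the target argument of createPolicyWithTarget is an XACML 1.0 <Target> fragment, that the subject-id attribute carries the user's certificate DN and that the action identifier is the string submit-job; the certificate path, policy id, rule id and resource name are made up.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import eu.xtreemos.xosd.security.vops.VOPS;

/** Added example (not XtreemOS code): create a policy, add a rule, persist and reload it. */
public class VopsPolicyAdminExample {

    private static final String POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy";
    private static final String XS_STRING = "http://www.w3.org/2001/XMLSchema#string";
    private static final String STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal";

    /** Loads a PEM or DER encoded X.509 certificate from disk. */
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Escapes values before they are spliced into XML so a crafted id cannot alter the policy structure. */
    static String esc(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    /** XACML 1.0 Target restricting a policy to one resource-id (assumed format of the target argument). */
    static String resourceTarget(String resourceId) {
        return "<Target xmlns=\"" + POLICY_NS + "\">"
             + "<Subjects><AnySubject/></Subjects>"
             + "<Resources><Resource><ResourceMatch MatchId=\"" + STRING_EQUAL + "\">"
             + "<AttributeValue DataType=\"" + XS_STRING + "\">" + esc(resourceId) + "</AttributeValue>"
             + "<ResourceAttributeDesignator AttributeId=\"urn:oasis:names:tc:xacml:1.0:resource:resource-id\""
             + " DataType=\"" + XS_STRING + "\"/>"
             + "</ResourceMatch></Resource></Resources>"
             + "<Actions><AnyAction/></Actions>"
             + "</Target>";
    }

    /** XACML 1.0 Rule permitting one action to one subject; anything unmatched is left to the policy's combining algorithm. */
    static String permitRule(String ruleId, String subjectId, String actionId) {
        return "<Rule xmlns=\"" + POLICY_NS + "\" RuleId=\"" + esc(ruleId) + "\" Effect=\"Permit\">"
             + "<Target>"
             + "<Subjects><Subject><SubjectMatch MatchId=\"" + STRING_EQUAL + "\">"
             + "<AttributeValue DataType=\"" + XS_STRING + "\">" + esc(subjectId) + "</AttributeValue>"
             + "<SubjectAttributeDesignator AttributeId=\"urn:oasis:names:tc:xacml:1.0:subject:subject-id\""
             + " DataType=\"" + XS_STRING + "\"/>"
             + "</SubjectMatch></Subject></Subjects>"
             + "<Resources><AnyResource/></Resources>"
             + "<Actions><Action><ActionMatch MatchId=\"" + STRING_EQUAL + "\">"
             + "<AttributeValue DataType=\"" + XS_STRING + "\">" + esc(actionId) + "</AttributeValue>"
             + "<ActionAttributeDesignator AttributeId=\"urn:oasis:names:tc:xacml:1.0:action:action-id\""
             + " DataType=\"" + XS_STRING + "\"/>"
             + "</ActionMatch></Action></Actions>"
             + "</Target></Rule>";
    }

    public static void main(String[] args) throws Exception {
        X509Certificate admin = loadCert("/etc/xos/truststore/vo-admin.pem"); // assumed path
        VOPS vops = new VOPS();
        vops.init();                                   // assumed: in-process use of the stage
        if (!vops.registerVoAdmin(admin)) {
            throw new IllegalStateException("VO admin registration failed");
        }

        // Policy-modifying calls pass the admin certificate as userCtx.
        String policyId = "node01-policy";
        System.out.println(vops.createPolicyWithTarget(policyId, "Access to node01",
                resourceTarget("node01.example.org")));
        System.out.println(vops.addXACMLRule(
                permitRule("alice-submit", "CN=alice,O=XtreemOS", "submit-job"), policyId, admin));

        // The change lives only in PolicyFactory's in-memory collection until written back;
        // reloading afterwards confirms the persisted copy is what the PDP will evaluate.
        if (!vops.writeBack(admin)) throw new IllegalStateException("writeBack failed");
        if (!vops.reloadVOPS(admin)) throw new IllegalStateException("reloadVOPS failed");
        System.out.println(vops.listPolicy(policyId, admin));
    }
}
```

The writeBack/reloadVOPS round trip at the end is the check worth keeping in any admin script: a policy that exists only in memory disappears on restart, and the reload is the only way to see exactly what the on-disk copy contains.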

listFilteredPolicy

public java.lang.String listFilteredPolicy(java.lang.String xacmlRequest)
Returns a policy comprising rules which comply with the request passed as an argument.

Parameters:
xacmlRequest - XACML request which is applied to policies residing in PolicyFactory.
Returns:
XACML policy comprising the rules which apply to xacmlRequest.

listFilteredPolicyCert

public java.lang.String listFilteredPolicyCert(java.security.cert.X509Certificate targetSubjectCertificate)
Lists policies which apply to certificate provided.

Parameters:
targetSubjectCertificate - certificate of the subject for which the applicable policies are listed.
Returns:
XACML policy comprising the rules that apply to the subject, as a String.

generateRequest

public java.lang.String generateRequest(java.security.cert.X509Certificate targetSubjectCertificate)

evaluateRequest

public java.lang.String evaluateRequest(java.lang.String xacmlRequest)
                                 throws java.lang.Exception
Constructs an XACML request from the XML passed as an argument and evaluates it against the policies stored in policy storage (see PolicyFactory).

Parameters:
xacmlRequest - String containing the XACML request
Returns:
XACML response as an XML string (see the XACML 1.0 core specification for the format). The Decision may be Permit, Deny, NotApplicable or Indeterminate; callers must treat everything other than Permit as a denial.
Throws:
java.lang.Exception
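A client of evaluateRequest, as an added example that is not part of the XtreemOS code base: it builds an XACML 1.0 request for one subject, resource and action, submits it, and maps the reply to a boolean with deny-by-default semantics (Deny, NotApplicable, Indeterminate, a missing Decision element or an unparseable reply all yield false). It assumes VOPS can be instantiated and initialised in-process with new VOPS() and init(), and that the subject-id is the user's certificate DN and the action identifier is submit-job; the subject, resource and action values are made up.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

import eu.xtreemos.xosd.security.vops.VOPS;

/** Added example (not XtreemOS code): evaluate an XACML request and interpret the reply safely. */
public class VopsRequestExample {

    private static final String CTX_NS = "urn:oasis:names:tc:xacml:1.0:context";
    private static final String XS_STRING = "http://www.w3.org/2001/XMLSchema#string";

    /** Builds an XACML 1.0 context Request with one subject, one resource and one action attribute. */
    static String buildRequest(String subjectId, String resourceId, String actionId) {
        return "<Request xmlns=\"" + CTX_NS + "\">"
             + attribute("Subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subjectId)
             + attribute("Resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resourceId)
             + attribute("Action", "urn:oasis:names:tc:xacml:1.0:action:action-id", actionId)
             + "</Request>";
    }

    private static String attribute(String element, String attributeId, String value) {
        return "<" + element + "><Attribute AttributeId=\"" + attributeId + "\" DataType=\"" + XS_STRING + "\">"
             + "<AttributeValue>" + esc(value) + "</AttributeValue></Attribute></" + element + ">";
    }

    /** Escapes caller-supplied values so they cannot inject extra attributes into the request. */
    private static String esc(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    /**
     * Returns true only if the response parses and every Result carries Decision "Permit".
     * Any other decision, an empty response or a parse error is a denial.
     */
    static boolean isPermitted(String xacmlResponse) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
            Document doc = f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xacmlResponse.getBytes(StandardCharsets.UTF_8)));
            NodeList decisions = doc.getElementsByTagNameNS("*", "Decision");
            if (decisions.getLength() == 0) {
                return false;                          // no decision at all: deny
            }
            for (int i = 0; i < decisions.getLength(); i++) {
                if (!"Permit".equals(decisions.item(i).getTextContent().trim())) {
                    return false;                      // Deny, NotApplicable or Indeterminate
                }
            }
            return true;
        } catch (Exception e) {
            return false;                              // malformed reply: deny, never permit
        }
    }

    public static void main(String[] args) throws Exception {
        VOPS vops = new VOPS();
        vops.init();                                   // assumed: in-process use of the stage
        String request = buildRequest("CN=alice,O=XtreemOS", "node01.example.org", "submit-job");
        String response = vops.evaluateRequest(request);
        System.out.println(isPermitted(response) ? "PERMIT" : "DENY");
    }
}
```

The parser is configured with secure processing and DTDs disabled even though the reply comes from the local PDP; a policy service is exactly the component whose XML handling should not depend on the trustworthiness of whatever produced the document.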

removeRuleFromPolicy

public java.lang.Boolean removeRuleFromPolicy(java.lang.String ruleId,
                                              java.lang.String policyId,
                                              java.security.cert.X509Certificate userCtx)
                                       throws java.lang.Exception
Removes rule from policy with specified policyId.

Parameters:
ruleId - Rule which will be removed from policy.
policyId - policy from which this rule is removed.
userCtx - certificate of the subject executing this call.
Returns:
true on success.
Throws:
java.lang.Exception

writeBack

public java.lang.Boolean writeBack(java.security.cert.X509Certificate userCtx)
                            throws java.lang.Exception
Writes back policies from policy storage in PolicyFactory on to local disk.

Parameters:
userCtx - certificate of the subject executing this call.
Returns:
true on success.
Throws:
java.lang.Exception

reloadVOPS

public java.lang.Boolean reloadVOPS(java.security.cert.X509Certificate userCtx)
                             throws java.lang.Exception
Reloads all policies stored in policy storage.

Parameters:
userCtx - certificate of the subject executing this call.
Returns:
true on success
Throws:
java.lang.Exception

getResultsFromResMng

public java.lang.Object getResultsFromResMng(java.util.ArrayList<CommunicationAddress> list)
Deprecated. 

Callback that receives the results from the resource manager. Always returns null because the call into VOPS is asynchronous.

Parameters:
list -
Returns:
always null

getResultFromResMngProcess

public java.lang.Boolean getResultFromResMngProcess(ReturnMessage retMsg)
Deprecated. 

Get answers from other nodes. Store answer into current context as pairs (address,isPermitted).

Parameters:
retMsg -
Returns:

getFilteredResources

public java.util.ArrayList<CommunicationAddress> getFilteredResources()
Deprecated. 

Returns the list of filtered addresses where execution is permitted.

Returns:
list of addresses

registerVOPSToGlobalVOPS

public java.lang.Boolean registerVOPSToGlobalVOPS(CommunicationAddress address,
                                                  java.security.cert.X509Certificate certificate)
This registers VOPS to global VOPS service where decisions are made.

Parameters:
address - VOPS address to register
certificate - of the VOPS
Returns:

getSubjectAttributes

public java.util.ArrayList<java.lang.String> getSubjectAttributes()
These attributes can be used in XACML policies, requests and rules.

Returns:
an ArrayList containing subject attributes.

getResourceAttributes

public java.util.ArrayList<java.lang.String> getResourceAttributes()
These attributes can be used in XACML policies, requests and rules.

Returns:
an ArrayList containing resource attributes.

getActionAttributes

public java.util.ArrayList<java.lang.String> getActionAttributes()
These attributes can be used in XACML policies, requests and rules.

Returns:
an ArrayList containing action attributes.

init

public void init()
Initialization of Policy Decision Point

Specified by:
init in interface eu.xtreemos.system.eventmachine.stage.IStage
Overrides:
init in class eu.xtreemos.system.eventmachine.stage.AbstractStage

getHandledEventType

public java.lang.String getHandledEventType()
Specified by:
getHandledEventType in class eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage

handleEvent

public void handleEvent(java.lang.Object event)
                 throws java.lang.Exception
Specified by:
handleEvent in interface eu.xtreemos.system.eventmachine.queue.IEventHandler
Specified by:
handleEvent in class eu.xtreemos.system.eventmachine.stage.AbstractReceivingStage
Throws:
java.lang.Exception