Class SigningPolicyParser
- java.lang.Object
-
- org.globus.gsi.SigningPolicyParser
-
public class SigningPolicyParser extends java.lang.Object
Signing policy grammar (BNF) as implemented here, based on the C implementation:

eacl ::= {eacl_entry}
eacl_entry ::= {access_identity} pos_rights {restriction} {pos_rights {restriction}} | {access_identity} neg_rights
access_identity ::= access_identity_type def_authority value
access_identity_type ::= "access_id_HOST" | "access_id_USER" | "access_id_GROUP" | "access_id_CA" | "access_id_APPLICATION" | "access_id_ANYBODY"
pos_rights ::= "pos_rights" def_authority value {"pos_rights" def_authority value}
neg_rights ::= "neg_rights" def_authority value {"neg_rights" def_authority value}
restriction ::= condition_type def_authority value
condition_type ::= alphanumeric_string
def_authority ::= alphanumeric_string
value ::= alphanumeric_string

This class takes a signing policy file as input and parses it to extract the policy that is enforced. Only the following policy is enforced: an access_id_CA entry with defining authority X509 and the CA DN as value; any positive rights following it with globus as defining authority and value CA:sign; and lastly the restriction cond_subjects with globus as defining authority and, as value, the DN patterns the CA is authorized to sign. Restrictions are assumed to start with cond_. Order of rights matters: the first occurrence of CA:sign with allowed DNs is used and the rest of the policy for that CA is ignored.
For a given signing policy file, only policy entries carrying a CA's DN are parsed; entries for the other access identity types are skipped.
Subject names may include the following wildcard characters: * matches zero or more characters; ? matches any single character.
All subject names should be in Globus format, with slashes, and should NOT be reversed.
The allowed DN patterns are returned as a vector of java.util.regex.Pattern. The wildcard (*) and single-character (?) tokens of the policy grammar are replaced with the equivalent regular-expression constructs needed by the Pattern class.
-
-
Field Summary
static java.lang.String ACCESS_ID_CA
static java.lang.String ACCESS_ID_PREFIX
(package private) static java.lang.String[] ALLOWED_LINE_START
static java.lang.String CONDITION_PREFIX
static java.lang.String CONDITION_SUBJECT
static java.lang.String DEF_AUTH_GLOBUS
static java.lang.String DEF_AUTH_X509
private org.apache.commons.logging.Log logger
private static int MIN_TOKENS_PER_LINE
static java.lang.String NEG_RIGHTS
static java.lang.String POS_RIGHTS
static java.lang.String SINGLE_CHAR
static java.lang.String SINGLE_PATTERN
static java.lang.String VALUE_CA_SIGN
static java.lang.String WILDCARD
static java.lang.String WILDCARD_PATTERN
-
Constructor Summary
SigningPolicyParser()
-
Method Summary
private void checkRights(java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> policies, java.io.BufferedReader bufferedReader, java.lang.String caDN, boolean usefulEntry, java.lang.Boolean posNegRights)
private void cleanupReaders(java.io.Reader reader, java.io.BufferedReader bufferedReader)
private int findIndex(java.lang.String line)
private java.util.Vector<java.util.regex.Pattern> getAllowedDNs(java.lang.String line)
private java.lang.String getCA(java.lang.String inputLine)
private java.lang.String getCaDN(java.lang.String line, java.lang.String caDN)
static java.util.regex.Pattern getPattern(java.lang.String patternStr)
Method that takes a pattern string as described in the signing policy file, with * for zero or more characters and ? for a single character, and converts it into a java.util.regex.Pattern object.
private boolean handleConditionalLine(java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> policies, java.lang.String line, java.lang.String caDN, boolean usefulEntry, java.lang.Boolean posNegRights)
private java.lang.Boolean handleNegativeRights(java.lang.Boolean posNegRights)
private boolean isCASignRight(java.lang.String line)
private boolean isUsefulEntry(java.lang.String line)
private boolean isValidLine(java.lang.String line)
java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> parse(java.io.Reader reader)
Parses an input stream to extract the signing policy defined for each CA DN it contains.
java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> parse(java.lang.String fileName)
Parses the file to extract the signing policy defined for each CA DN it contains.
private void validatePositiveRights(java.lang.Boolean posNegRights)
-
-
-
Field Detail
-
ACCESS_ID_PREFIX
public static final java.lang.String ACCESS_ID_PREFIX
- See Also:
- Constant Field Values
-
ACCESS_ID_CA
public static final java.lang.String ACCESS_ID_CA
- See Also:
- Constant Field Values
-
DEF_AUTH_X509
public static final java.lang.String DEF_AUTH_X509
- See Also:
- Constant Field Values
-
DEF_AUTH_GLOBUS
public static final java.lang.String DEF_AUTH_GLOBUS
- See Also:
- Constant Field Values
-
POS_RIGHTS
public static final java.lang.String POS_RIGHTS
- See Also:
- Constant Field Values
-
NEG_RIGHTS
public static final java.lang.String NEG_RIGHTS
- See Also:
- Constant Field Values
-
CONDITION_PREFIX
public static final java.lang.String CONDITION_PREFIX
- See Also:
- Constant Field Values
-
CONDITION_SUBJECT
public static final java.lang.String CONDITION_SUBJECT
- See Also:
- Constant Field Values
-
VALUE_CA_SIGN
public static final java.lang.String VALUE_CA_SIGN
- See Also:
- Constant Field Values
-
SINGLE_CHAR
public static final java.lang.String SINGLE_CHAR
- See Also:
- Constant Field Values
-
WILDCARD
public static final java.lang.String WILDCARD
- See Also:
- Constant Field Values
-
SINGLE_PATTERN
public static final java.lang.String SINGLE_PATTERN
- See Also:
- Constant Field Values
-
WILDCARD_PATTERN
public static final java.lang.String WILDCARD_PATTERN
- See Also:
- Constant Field Values
-
MIN_TOKENS_PER_LINE
private static final int MIN_TOKENS_PER_LINE
- See Also:
- Constant Field Values
-
ALLOWED_LINE_START
static final java.lang.String[] ALLOWED_LINE_START
-
logger
private org.apache.commons.logging.Log logger
-
-
Method Detail
-
parse
public java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> parse(java.lang.String fileName) throws java.io.FileNotFoundException, SigningPolicyException
Parses the file to extract the signing policy defined for each CA DN it contains. If the policy file does not exist, a SigningPolicy object with only the CA DN is created. If the policy path exists but no relevant policy exists, a SigningPolicy object with the CA DN and file path is created.
- Parameters:
- fileName - Name of the signing policy file
- Returns:
- Map from CA DN to the SigningPolicy object that contains the information. If no policy is found, a SigningPolicy object with only the CA DN is returned.
- Throws:
- SigningPolicyException - Any errors with parsing the signing policy file.
- java.io.FileNotFoundException - If the signing policy file does not exist.
-
parse
public java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> parse(java.io.Reader reader) throws SigningPolicyException
Parses an input stream to extract the signing policy defined for each CA DN it contains.
- Parameters:
- reader - Reader over any input stream that yields the signing policy text.
- Returns:
- Signing policy map (CA DN to SigningPolicy) defined by the signing policy file.
- Throws:
- SigningPolicyException - Any errors with parsing the signing policy.
-
checkRights
private void checkRights(java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> policies, java.io.BufferedReader bufferedReader, java.lang.String caDN, boolean usefulEntry, java.lang.Boolean posNegRights) throws java.io.IOException, SigningPolicyException
- Throws:
java.io.IOException
SigningPolicyException
-
handleConditionalLine
private boolean handleConditionalLine(java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> policies, java.lang.String line, java.lang.String caDN, boolean usefulEntry, java.lang.Boolean posNegRights) throws SigningPolicyException
- Throws:
SigningPolicyException
-
getCaDN
private java.lang.String getCaDN(java.lang.String line, java.lang.String caDN) throws SigningPolicyException
- Throws:
SigningPolicyException
-
validatePositiveRights
private void validatePositiveRights(java.lang.Boolean posNegRights) throws SigningPolicyException
- Throws:
SigningPolicyException
-
isUsefulEntry
private boolean isUsefulEntry(java.lang.String line) throws SigningPolicyException
- Throws:
SigningPolicyException
-
handleNegativeRights
private java.lang.Boolean handleNegativeRights(java.lang.Boolean posNegRights) throws SigningPolicyException
- Throws:
SigningPolicyException
-
cleanupReaders
private void cleanupReaders(java.io.Reader reader, java.io.BufferedReader bufferedReader)
-
isValidLine
private boolean isValidLine(java.lang.String line) throws SigningPolicyException
- Throws:
SigningPolicyException
-
getAllowedDNs
private java.util.Vector<java.util.regex.Pattern> getAllowedDNs(java.lang.String line) throws SigningPolicyException
- Throws:
SigningPolicyException
-
isCASignRight
private boolean isCASignRight(java.lang.String line) throws SigningPolicyException
- Throws:
SigningPolicyException
-
getCA
private java.lang.String getCA(java.lang.String inputLine) throws SigningPolicyException
- Throws:
SigningPolicyException
-
getPattern
public static java.util.regex.Pattern getPattern(java.lang.String patternStr)
Method that takes a pattern string as described in the signing policy file, with * for zero or more characters and ? for a single character, and converts it into a java.util.regex.Pattern object. This requires replacing the wildcard characters with the equivalent expression in regex grammar.
- Parameters:
- patternStr - Pattern string as described in the signing policy file, with * for zero or more characters and ? for a single character
- Returns:
- Pattern object with the expression equivalent to patternStr.
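The class description and this getPattern method together describe two mechanisms: a line-oriented policy file in which an access_id_CA X509 entry is followed by a pos_rights globus CA:sign right and a cond_subjects globus restriction, and the translation of * and ? in those subject patterns into a regular expression. The following is an added, self-contained Python re-implementation of those documented rules, written for this page; it is not the jglobus code and does not call SigningPolicyParser or SigningPolicy. The sample policy text, CA names and subject DNs are constructed for the example. The decisions to escape every non-wildcard character (so a '.' in a host name stays literal), to anchor matches with fullmatch(), to compare CA:sign case-sensitively, and to treat a CA that ends up with no usable restriction as allowed to sign nothing are this example's choices and are not claimed for the library.

```python
import re
from typing import Dict, List, Optional

# Tokens named in the SigningPolicyParser documentation.
ACCESS_ID_PREFIX = "access_id_"
ACCESS_ID_CA = "access_id_CA"
DEF_AUTH_X509 = "X509"
DEF_AUTH_GLOBUS = "globus"
POS_RIGHTS = "pos_rights"
NEG_RIGHTS = "neg_rights"
VALUE_CA_SIGN = "CA:sign"
CONDITION_PREFIX = "cond_"
CONDITION_SUBJECT = "cond_subjects"


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a policy subject pattern into a compiled regex.

    '*' becomes '.*' (zero or more characters) and '?' becomes '.' (exactly
    one); every other character is escaped so it matches literally.  Callers
    use fullmatch(), so the pattern must cover the whole subject DN.
    """
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts))


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def _split_line(line: str):
    # <type> <def_authority> <value>; the value is normally single-quoted and
    # may contain spaces, so split on whitespace at most twice.
    parts = line.split(None, 2)
    if len(parts) < 3:
        raise ValueError(f"expected at least 3 tokens on policy line: {line!r}")
    return parts[0], parts[1], parts[2]


def parse_signing_policy(text: str) -> Dict[str, List["re.Pattern[str]"]]:
    """Map each CA DN in the policy text to the subject patterns it may sign.

    Only access_id_CA/X509 entries are considered, only a pos_rights globus
    CA:sign right is honoured, only a cond_subjects globus restriction that
    follows such a right is used, and the first such restriction for a CA
    wins.  A neg_rights line closes the entry without granting anything.
    A CA left with no patterns may sign nothing (this example's choice).
    """
    policies: Dict[str, List["re.Pattern[str]"]] = {}
    current_ca: Optional[str] = None
    ca_sign_seen = False

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, authority, value = _split_line(line)

        if kind.startswith(ACCESS_ID_PREFIX):
            # Start of a new eacl_entry; anything that is not a CA entry is skipped.
            ca_sign_seen = False
            if kind == ACCESS_ID_CA and authority == DEF_AUTH_X509:
                current_ca = _unquote(value)
                policies.setdefault(current_ca, [])
            else:
                current_ca = None
        elif kind == POS_RIGHTS:
            if current_ca is not None and authority == DEF_AUTH_GLOBUS \
                    and _unquote(value) == VALUE_CA_SIGN:
                ca_sign_seen = True
        elif kind == NEG_RIGHTS:
            current_ca = None  # not enforced; it only terminates the entry
        elif kind.startswith(CONDITION_PREFIX):
            if (current_ca is not None and ca_sign_seen
                    and kind == CONDITION_SUBJECT and authority == DEF_AUTH_GLOBUS
                    and not policies[current_ca]):  # first CA:sign + cond_subjects wins
                inner = _unquote(value)
                # Subjects are a double-quoted list inside the single quotes.
                items = re.findall(r'"([^"]*)"', inner) or [inner]
                policies[current_ca] = [wildcard_to_regex(p) for p in items]
        else:
            raise ValueError(f"unrecognised policy line: {line!r}")
    return policies


def subject_allowed(policies, ca_dn: str, subject_dn: str) -> bool:
    """True if the parsed policy lets ca_dn sign a certificate for subject_dn."""
    return any(p.fullmatch(subject_dn) for p in policies.get(ca_dn, []))


# Constructed sample policy for this example; not any real CA's file.
SAMPLE_POLICY = """\
# the CA may sign user certs under its own OUs and host certs in example.org
access_id_CA      X509    '/C=US/O=Example Grid/CN=Example Grid CA'
pos_rights        globus  CA:sign
cond_subjects     globus  '"/C=US/O=Example Grid/OU=*/CN=*" "/C=US/O=Example Grid/CN=host/*.example.org"'

# a second entry for the same CA tries to widen the policy; ignored, the first wins
access_id_CA      X509    '/C=US/O=Example Grid/CN=Example Grid CA'
pos_rights        globus  CA:sign
cond_subjects     globus  '"/*"'

# a CA that is explicitly denied signing rights
access_id_CA      X509    '/C=US/O=Example Grid/CN=Retired Issuer'
neg_rights        globus  CA:sign
"""


if __name__ == "__main__":
    pols = parse_signing_policy(SAMPLE_POLICY)
    ca = "/C=US/O=Example Grid/CN=Example Grid CA"
    for subj in ("/C=US/O=Example Grid/OU=Physics/CN=Alice",
                 "/C=US/O=Example Grid/CN=host/node1.example.org",
                 "/C=US/O=Other/CN=Mallory"):
        print(f"{subj}: {subject_allowed(pols, ca, subj)}")
```

Both the CA DN key and the subject being checked are compared as plain strings in Globus slash format, which is why the text insists the names must not be reversed: an RFC 2253 "CN=...,O=...,C=US" form of the same DN would simply fail to match any pattern. The second, wider entry for the Example Grid CA is deliberately dropped to show the first-occurrence rule; a policy author who wants the wider rule must put it first.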
-
findIndex
private int findIndex(java.lang.String line)
-
-