package com.nailabs.abac.credential; import java.util.*; import com.nailabs.abac.process.FrontierManager; import com.nailabs.abac.process.AckPolicy; import com.nailabs.abac.process.AckFact; import com.nailabs.abac.process.ACPolicy; import com.nailabs.abac.process.ResourcePolicy; import edu.stanford.peer.rbtm.credential.Entity; import edu.stanford.peer.rbtm.credential.EntityExpression; import edu.stanford.peer.rbtm.credential.RoleName; import edu.stanford.peer.rbtm.credential.SimpleRoleName; import edu.stanford.peer.rbtm.credential.StaticCredential; import edu.stanford.peer.rbtm.engine.Simp; import edu.stanford.peer.rbtm.engine.Sens; import edu.stanford.peer.rbtm.engine.Oppo; import edu.stanford.rt.credential.*; import edu.stanford.rt.parser.RTParser; import edu.stanford.rt.util.Constants; /** * A frontier manager class which uses the application specification * domain for determining whether a rol is issuer traces all, issuer * traces def, etc. */ public class RtmlFrontier extends FrontierManager implements Constants { protected HashMap discoveryConfig; protected ApplicationDomain domain; protected CredentialStore store; protected RTContext context; protected HashID id = null; //protected HashSet issuerTracesAll = new HashSet(); protected HashSet issuerTraces = new HashSet(); //protected HashSet issuerTracesDef = new HashSet(); protected ResourcePolicy resourcePolicy = null; public RtmlFrontier(HashMap config) { String domainName = getApplicationDomainName(config); discoveryConfig = new HashMap(2); // needed for constructing a DDEngine discoveryConfig.put("DDEParser", config.get("DDEParser")); discoveryConfig.put("PrepInfo", config.get("PrepInfo")); discoveryConfig.put("DDEContext", config.get("DDEContext")); store = (CredentialStore)config.get("CredentialStore"); context = (RTContext)config.get("RTContext"); id = new HashID(HashID.APPLICATION_DOMAIN, domainName); domain = context.getApplicationDomain(id); init(config); } /** specialized init method for accessing the credential store backends */ public void init(HashMap config) { // (0) get the configurations entity identifier this.self =(Entity) config.get("EntityID"); // (1) load acknowledgement(ACK) policy ackPolicy = (AckPolicy)config.get("AckPolicy"); // (2) load access control (AC) policy acPolicy = (ACPolicy)config.get("AccessControl"); // (2 and 1/2) load the resource policy resourcePolicy = (ResourcePolicy)config.get("ResourcePolicy"); // (3) load issuer traceable roles // (4) load subject traceale roles parseRoleDeclarations(config); // (5) construct sensitive roles predicate from the ack policy Sens sens = new Sens(ackPolicy.getSensitiveRoles()); // (6) construct opponent predicate from the issuer traceable roles Oppo oppo = new Oppo(new Vector(issuerTracesDef)); oppo.addSubjects(new Vector(issuerTracesAll)); // TBD: Does this really need to be separated into two mutually // exclusive credential sets? And in this case we have three // credential stores (the primordial, issuer-traces, and // subject-traces). // (8) separate policy reachable credentials // (9) separate self reachable credentials CredentialStore store = (CredentialStore)config.get("CredentialStore"); CredentialStore subjectStore = null, issuerStore = null; try { RTParser parser = new RTParser(); subjectStore = new CredentialStore(parser); issuerStore = new CredentialStore(parser); Iterator domains = store.getCredentialDomains().values().iterator(); while(domains.hasNext()) { CredentialDomain domain = (CredentialDomain)domains.next(); RoleDefinition def = (RoleDefinition)domain.roleDefinitionIterator().next(); RoleName roleName = new SimpleRoleName(def.getHead().getName()); if(isIssuerTraceable(roleName)) { issuerStore.addCredentialDomain(domain.getHashID(),domain); } else { //if(isSubjectTraceable(roleName)) { subjectStore.addCredentialDomain(domain.getHashID(),domain); } // It is possible that credential may fall through to here. We // propbably just remove the second if-statement... } } catch (Exception ex) { ex.printStackTrace(); } // (7) construct the frontier functions with their predicates oppoLocal = new RtmlEngine(issuerStore); System.out.println("------> Sensitive Graph"); sensFrontier = new RtmlEngine(subjectStore, sens); System.out.println("------> Opponent Graph"); oppoFrontier = new RtmlEngine(issuerStore, oppo); System.out.println("------> Simple Graph"); simpFrontier = new RtmlEngine(subjectStore, new Simp()); // perform credential discovery here DDEngine selfTraceable = discoverSelfTraceable(); DDEngine policyTraceable = discoverPolicyTraceable(); // TBD: add backwards compatibility check in here if necessary // which would avoid discovery ((RtmlEngine)oppoLocal).importDomains(policyTraceable); ((RtmlEngine)sensFrontier).importDomains(selfTraceable); ((RtmlEngine)oppoFrontier).importDomains(policyTraceable); ((RtmlEngine)simpFrontier).importDomains(selfTraceable); } protected String getApplicationDomainName(HashMap config) { Properties props = (Properties)config.get("RTML"); return props.getProperty("ApplicationDomain"); } protected OrderedMap getRoleDeclarations() { try { return domain.getRoleDeclarations(); } catch(Exception ex) { ex.printStackTrace(); } return null; } public DDEngine discoverPolicyTraceable() { Iterator ackValues = ackPolicy.getRequiredRoles().iterator(); Iterator acValues = acPolicy.getRequiredRoles().iterator(); Iterator resourceValues = resourcePolicy.getRequiredRoles().iterator(); DDEngine discoveryEngine = new DDEngine(discoveryConfig); HashSet policySet = new HashSet(); while(ackValues.hasNext()) { AckFact ackVal = (AckFact)ackValues.next(); policySet.add(ackVal.getRequirement()); } while(acValues.hasNext()) { EntityExpression acVal = (EntityExpression)acValues.next(); policySet.add(acVal); } while(resourceValues.hasNext()) { EntityExpression resourceVal = (EntityExpression)resourceValues.next(); policySet.add(resourceVal); } Iterator randomRoles = policySet.iterator(); while(randomRoles.hasNext()) { EntityExpression random = (EntityExpression)randomRoles.next(); discoveryEngine.backwardSearch(random); } return discoveryEngine; } public DDEngine discoverSelfTraceable() { HashSet selfSet = new HashSet(); Iterator mySensRoles = ackPolicy.getSensitiveRoles().iterator(); DDEngine discoveryEngine = new DDEngine(discoveryConfig); //RtmlEngine local = new RtmlEngine(store); //find all the credentials which have roles that map directly to self Iterator myRoles = oppoFrontier.findCredentialsBySubject(self); while(myRoles.hasNext()) { RtmlCredential cred = (RtmlCredential)myRoles.next(); EntityExpression me = cred.getDefinedRole(); selfSet.add(me); } myRoles = sensFrontier.findCredentialsBySubject(self); while(myRoles.hasNext()) { RtmlCredential cred = (RtmlCredential)myRoles.next(); EntityExpression me = cred.getDefinedRole(); selfSet.add(me); } //add the sensitive roles to the initial search set while(mySensRoles.hasNext()) { EntityExpression sense = (EntityExpression)mySensRoles.next(); selfSet.add(sense); } //perform forward searches on the pseudo-random set of roles Iterator randomRoles = selfSet.iterator(); while(randomRoles.hasNext()) { EntityExpression random = (EntityExpression)randomRoles.next(); discoveryEngine.forwardSearch(random); } return discoveryEngine; } protected void parseRoleDeclarations(HashMap config) { // TBD: revisit to make this more robust in case an error occurs. // it should not necessarily bail out of all role processing try { OrderedMap map = getRoleDeclarations(); Iterator keys = map.keyIterator(); System.out.println("Frontier parsing role declaratons"); while(keys.hasNext()) { RoleDeclaration role = (RoleDeclaration)map.get(keys.next()); System.out.println("role = " + role.getName()); parseRoleDeclaration(role); System.out.println(); } } catch(Exception ex) { ex.printStackTrace(); } System.out.println("End declaration parsing!"); config.put("IssuerTracesAll", issuerTracesAll); config.put("IssuerTracesDef", issuerTracesDef); config.put("SubjectTraceable", subjectTraces); } protected void parseRoleDeclaration(RoleDeclaration declaration) { int issuerValue = declaration.getIssuerTracesType(); int subjectValue = declaration.getSubjectTracesType(); if(issuerValue == ISSUER_TRACES_ALL) { issuerTracesAll.add(declaration.getName()); System.out.print("issuer_traces_all"); } if(issuerValue == ISSUER_TRACES_DEF) { issuerTracesDef.add(declaration.getName()); System.out.print("issuer_traces_def"); } if(subjectValue == SUBJECT_TRACES_ALL) { subjectTraces.add(declaration.getName()); System.out.print("subject_traces_all"); } } private RoleDeclaration getRoleDeclaration(RoleName role) { try { System.out.println("id = " + id); return domain.lookupRoleDeclaration(role.getName()); } catch(Exception ex) { ex.printStackTrace(); } return null; } /** Is the specified credential policy traceable? */ public boolean isPolicyTraceable(StaticCredential cred) { return isIssuerTraceable(cred.getDefinedRole().getName()); } /** Can the specified credential be traced back to this negotiator? */ public boolean isSelfReachable(StaticCredential cred) { return isSubjectTraceable(cred.getDefinedRole().getName()); } public boolean isIssuerTraceable(RoleName role) { int value = getRoleDeclaration(role).getIssuerTracesType(); return (value == ISSUER_TRACES_ALL || value == ISSUER_TRACES_DEF); } public boolean isIssuerTracesAll(RoleName role) { int value = getRoleDeclaration(role).getIssuerTracesType(); return (value == ISSUER_TRACES_ALL); } public boolean isIssuerTracesDef(RoleName role) { int value = getRoleDeclaration(role).getIssuerTracesType(); return (value == ISSUER_TRACES_DEF); } public boolean isSubjectTraceable(RoleName role) { int value = getRoleDeclaration(role).getSubjectTracesType(); return (value == SUBJECT_TRACES_ALL); } public boolean subjectTracesAll(RoleName role) { int value = getRoleDeclaration(role).getSubjectTracesType(); return (value == SUBJECT_TRACES_ALL); } }