package com.nailabs.abac.process; import com.nailabs.abac.test.Debug; import com.nailabs.abac.credential.RtmlFrontier; import edu.stanford.peer.rbtm.credential.*; import edu.stanford.peer.rbtm.engine.*; import edu.stanford.peer.rbtm.test.*; import edu.stanford.peer.rbtm.util.*; import java.util.*; /** * A manager class for frontier functions. Each set of functions should * be unique to a principal. The manager is a singleton object with a method * for obtaining a set of specific frontiers. */ public class FrontierManager extends com.nailabs.abac.test.TestEngine implements java.io.Serializable { /** Singleton reference table for sharing frontiers. */ static Hashtable frontiers = new Hashtable(5); /** The principal identifier, which is an Entity name */ protected Entity self; /** * The configuration hashmap. Section name is key and stringified * line vectors are the values */ protected HashMap conf; /** The set of issuer traceable credentials */ protected HashSet cSuperI = new HashSet(); /** The set of subject traceable credentials */ protected HashSet cSuperS = new HashSet(); /** The set of subject traceable roles */ protected HashSet subjectTraces = new HashSet(); protected HashSet issuerTracesDef = new HashSet(); protected HashSet issuerTracesAll = new HashSet(); /** a search engine which uses the oppo() predicate */ protected GraphEngine oppoLocal; /** a search engine which uses the oppo() predicate */ protected GraphEngine oppoFrontier; /** a search engine which uses the sens() predicate */ protected GraphEngine sensFrontier; /** a search engine which uses the simp() predicate */ protected GraphEngine simpFrontier; /** the acknowledgement policy for this principal entity */ protected AckPolicy ackPolicy; /** the access control policy for this principal entity */ protected ACPolicy acPolicy; /** constructor for subclasses */ protected FrontierManager() { } /** default constructor, only used internally */ protected FrontierManager(HashMap config) { init(config); } /** * initialization is no longer in constructor, so subclasses can * manipulate the configuration hash map. */ protected void init(HashMap config) { //int track = TRACK_ALL; // (0) get the configurations entity identifier this.self =(Entity) config.get("EntityID"); // (1) load acknowledgement(ACK) policy ackPolicy = (AckPolicy)config.get("AckPolicy"); // (2) load access control (AC) policy acPolicy = (ACPolicy)config.get("AccessControl"); // (3) load issuer traceable roles issuerTracesAll = (HashSet)config.get("IssuerTracesAll"); issuerTracesDef = (HashSet)config.get("IssuerTracesDef"); // (4) load subject traceale roles subjectTraces = (HashSet)config.get("SubjectTraceable"); // (5) construct sensitive roles predicate from the ack policy Sens sens = new Sens(ackPolicy.getSensitiveRoles()); // (6) construct opponent predicate from the issuer traceable roles Oppo oppo = new Oppo(new Vector(issuerTracesDef)); oppo.addSubjects(new Vector(issuerTracesAll)); // (7) construct the frontier functions with their predicates oppoLocal = new GraphEngine(); //System.out.println("------> Sensitive Graph"); sensFrontier = new GraphEngine(sens); //System.out.println("------> Opponent Graph"); oppoFrontier = new GraphEngine(oppo); //System.out.println("------> Simple Graph"); simpFrontier = new GraphEngine(new Simp()); // TBD: Does this really need to be separated into two mutually exclusive // credential sets? // (8) add policy reachable credentials System.out.println("------> Policy Reachable"); HashSet policyReachable = (HashSet)config.get("PolicyReachable"); Iterator ci = policyReachable.iterator(); while(ci.hasNext()) { addPolicyReachable((StaticCredential)ci.next()); } // (9) add self reachable credentials System.out.println("------> Self Traceable"); HashSet selfReachable = (HashSet)config.get("SelfReachable"); Iterator cs = selfReachable.iterator(); while(cs.hasNext()) { addSelfReachable((StaticCredential)cs.next()); } } public static void addFrontier(HashMap config) { Entity key = (Entity)config.get("EntityID"); boolean hasRTML = config.containsKey("RTML"); System.out.println("Begin Configuration for " + key); if(frontiers.contains(key.toString())) System.out.println("WARNING overwriting frontier manager for " + key); FrontierManager frontier = hasRTML? new RtmlFrontier(config): new FrontierManager(config); frontiers.put(key.toString(), frontier); System.out.println("End Configuration for " + key); } /** public instance accessor method for a specific frontier set */ public static FrontierManager getFrontier(Entity self) { System.out.println("self = " + self); FrontierManager instance = (FrontierManager)frontiers.get(self.toString()); return instance; } /** public accessor for a list of instance keys */ public static Set getFrontiers() { return frontiers.keySet(); } /** the unique identifier for this set of frontier functions */ public Entity getSelf() { return self; } /** Extract the role name from a role expression (e.g. r from ) */ protected RoleName getRoleName(StaticCredential cred) { return getRoleName(cred.getDefinedRole()); } /** Extract the role name from a role expression (e.g. r from A.r) */ protected RoleName getRoleName(EntityExpression expr) { if(expr != null && (expr instanceof Role)) { return ((Role)expr).getName(); } return null; } /** adds an issuer traceable credential to the frontier set */ public void addSelfReachable(StaticCredential cred) { if(isSubjectTraceable(getRoleName(cred))) { sensFrontier.addCredential(cred); simpFrontier.addCredential(cred); cSuperS.add(cred); } } /** extracts issuer traceable roles from the credntial */ public void addPolicyReachable(StaticCredential cred) { if(isIssuerTraceable(getRoleName(cred))) { oppoFrontier.addCredential(cred); oppoLocal.addCredential(cred); cSuperI.add(cred); } } /** adds an issuer-traces-all role to this frontier set */ public void addIssuerTracesAll(RoleName role) { issuerTracesAll.add(role); } /** adds an issuer-traces-def role to this frontier set */ public void addIssuerTracesDef(RoleName role) { issuerTracesDef.add(role); } /** adds an subject traceable credential to the frontier set */ public void addSubjectTraceable(RoleName role) { subjectTraces.add(role); } public ResultEvidenceMap getOppoLocal(EntityExpression expr) { //a specialized backward search for the LinkTTNode Debug.rbtmStart(); System.out.println("-------BEGIN-LOCAL-SEARCH------------"); ResultEvidenceMap map = oppoLocal.backwardSearch(expr); System.out.println("-------END-LOCAL-SEARCH--------------"); Debug.rbtmStop(); return map; } /** gets the frontier of policy traceable roles */ public ResultEvidenceMap getOppoFrontier(EntityExpression expr) { // retrieve solutions AND evidence here Debug.rbtmStart(); System.out.println("-------BEGIN-OPPO-SEARCH------------"); ResultEvidenceMap map = oppoFrontier.backwardSearch(expr); System.out.println("-------END-OPPO-SEARCH--------------"); Debug.rbtmStop(); return map; } /** gets the frontier of sensitive roles */ public ResultEvidenceMap getSensFrontier(EntityExpression expr) { Debug.rbtmStart(); System.out.println("-------BEGIN-SENS-SEARCH------------"); System.out.println("searching for " + expr); ResultEvidenceMap map = sensFrontier.backwardSearch(expr); System.out.println("map = " + map); System.out.println("--------END-SENS-SEARCH-------------"); System.out.flush(); Debug.rbtmStop(); return map; } /** get the frontier of non-role entity expressions */ public ResultEvidenceMap getSimpFrontier(EntityExpression expr) { Debug.rbtmStart(); System.out.println("-------BEGIN-SIMP-SEARCH------------"); ResultEvidenceMap map = simpFrontier.backwardSearch(expr); System.out.println("--------END-SIMP-SEARCH------------"); Debug.rbtmStop(); return map; } public HashSet getOppoChain(EntityExpression root, EntityExpression leaf) { HashSet results = new HashSet(); try { getOppoFrontier(root); Debug.rbtmStart(); System.out.println("Getting oppo chain from " + root + " to " + leaf); results = oppoFrontier.getChain(root, leaf); Debug.rbtmStop(); } catch(Exception ex) { ex.printStackTrace(); } Debug.rbtmStop(); return results; } public HashSet getSensChain(EntityExpression root, EntityExpression leaf) { //if(!getSensFrontier(root).containsResult(leaf)) { //return null; //} try { getSensFrontier(root); Debug.rbtmStart(); System.out.println("---------BEGIN-SENS-CHAIN----------"); System.out.println("Getting sens chain from " + root + " to " + leaf); HashSet results = sensFrontier.getChain(root, leaf); System.out.println("results = " + results); System.out.println("-----------END-SENS-CHAIN----------\n"); Debug.rbtmStop(); return results; } catch(Exception ex) { ex.printStackTrace(); } System.out.println("-----------END-SENS-CHAIN----------\n"); Debug.rbtmStop(); return new HashSet(); } public HashSet getSimpChain(EntityExpression root, EntityExpression leaf) { System.out.println("Getting simp chain from " + root + " to " + leaf); getSimpFrontier(root); Debug.rbtmStart(); HashSet results = simpFrontier.getChain(root, leaf); Debug.rbtmStop(); return results; } public Iterator getCredentialsDefiningRole(RoleName name) { Iterator i; int count = 0; HashSet results = new HashSet(); Debug.rbtmStart(); System.out.println("Finding credential defining the role name: "+name); i = oppoFrontier.findCredentialsDefiningRole(name); while(i.hasNext()) { results.add(i.next()); System.out.println("count = " + ++count); } i = sensFrontier.findCredentialsDefiningRole(name); while(i.hasNext()) { results.add(i.next()); System.out.println("count = " + ++count); } Debug.rbtmStop(); Debug.debug("process", "\nDefining creds = " + results); return results.iterator(); } /** accessor for finding credentials which define a specified role */ public Iterator getCredentialsDefiningRole(Role role) { Iterator i; int count = 0; HashSet results = new HashSet(); Debug.rbtmStart(); System.out.println("Finding credential defining the role: <" + role.getBase() + "." + role.getName() + ">" ); i = oppoFrontier.findCredentialsDefiningRole(role); while(i.hasNext()) { results.add(i.next()); System.out.println("count = " + ++count); } System.out.println("oppoFrontier = " + oppoFrontier); i = sensFrontier.findCredentialsDefiningRole(role); while(i.hasNext()) { results.add(i.next()); System.out.println("count = " + ++count); } Debug.debug("process", "\nDefining creds = " + results); Debug.rbtmStop(); return results.iterator(); } /** Is the specified credential policy traceable? */ public boolean isPolicyTraceable(StaticCredential cred) { return cSuperI.contains(cred); } /** Can the specified credential be traced back to this negotiator? */ public boolean isSelfReachable(StaticCredential cred) { return cSuperS.contains(cred); } public boolean isSubjectTraceable(RoleName role) { return subjectTraces.contains(role); } public boolean isIssuerTracesDef(RoleName name) { return (issuerTracesDef.contains(name)); } public boolean isIssuerTracesAll(RoleName name) { return (issuerTracesAll.contains(name)); } public boolean isIssuerTraceable(RoleName role) { return (issuerTracesAll.contains(role) || issuerTracesDef.contains(role)); } public boolean isSensitive(EntityExpression expr) { return sensFrontier.getPredicate().test(expr); } public boolean subjectTracesAll(RoleName name) { return subjectTraces.contains(name); } public AckPolicy getAckPolicy() { return ackPolicy; } public EntityExpression getAck(EntityExpression expr) { return ackPolicy.requires(expr); } public ACPolicy getACPolicy() { return acPolicy; } public EntityExpression getAC(Credential cred) { if(acPolicy == null)return null; return acPolicy.requires(cred); } protected void addSensitiveRole(Role name) { Sens sens = (Sens)sensFrontier.getPredicate(); sens.addSensCred(name); } public String toString() { StringBuffer buff = new StringBuffer("[FrontierManager self = "); buff.append(self); buff.append("\n sens = ").append(sensFrontier); buff.append("\n\n oppo = ").append(oppoFrontier); buff.append("\n\n simp = ").append(simpFrontier); return buff.append("]").toString(); } }