kaos.core.csi.policy
Class PolicyCheckingImpl

java.lang.Object
  kaos.core.csi.policy.PolicyCheckingImpl

All Implemented Interfaces:

PolicyChecking, AuthorizationPolicyDisclosure, ObligationPolicyDisclosure

public class PolicyCheckingImpl
extends java.lang.Object
implements PolicyChecking

Defines the operations to check permissions, get obligations, analyze policies, etc.

Method Summary

void	checkPermission(java.security.Permission perm, java.lang.Object context) The method check if the given action is permitted according to the current set of policies
void	checkPermission(java.lang.String actorID, java.lang.String attemptedActionName, java.util.HashMap actionProperties) The method check if the given action is permitted according to the current set of policies.
java.util.Vector	getAllowableValuesForActionProperties(ActionInstanceDescription actionDesc) In this case, there are NO properties specified.
java.util.Vector	getAllowableValuesForActionProperties(java.util.Vector propertyNames, ActionInstanceDescription actionDesc, boolean tight) This function is used when the agent/enforcer has only partial information about an action and would like to determine what range of properties can be allowed by the policy set.
java.util.Set	getAllowableValuesForActionProperty(java.lang.String origPropertyName, ActionInstanceDescription origActionDesc, java.util.Set allTargetValues, boolean tight) This function is used when the enforcer has only partial information about an action and needs to determine what range of a property can be allowed by the policy.
static PolicyChecking	getInstance() Retrieve an instance of PolicyChecking.
static PolicyChecking	getInstance(java.lang.String transportName) Retrieve an instance of PolicyChecking.
java.util.Vector	getObligationsForTriggerCondition(ActionInstanceDescription triggerAID) Based on the specified trigger ActionInstanceDescription, select all matching control BasicActionDescriptions, which define the obligations for the trigger.
java.util.List	getPoliciesForActionType(java.lang.String actionType) Get policies for the specified action type.
protected void	logMessage(java.lang.String msg, java.lang.Exception e, int logLevel)
protected void	logMessage(java.lang.String msg, int logLevel)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

getInstance

public static PolicyChecking getInstance(java.lang.String transportName)
                                  throws java.lang.Exception

Retrieve an instance of PolicyChecking. The returned instance has initialized communication with the DS.

Parameters:

transportName - String specifying the name of the transport to use for communication with the KAoS Directory Service.

Returns:

a singleton, PolicyChecking.

Throws:

java.lang.Exception

getInstance

public static PolicyChecking getInstance()
                                  throws java.lang.Exception

Retrieve an instance of PolicyChecking. Thy returned instance may or may not be able to communicate with the Directory Service. If the communication with the Directory Service is not supported, then all requested operations will be invoked only on the local Guard.

Returns:

a singleton, PolicyChecking.

Throws:

java.lang.Exception

checkPermission

public void checkPermission(java.security.Permission perm,
                            java.lang.Object context)
                     throws KAoSSecurityException,
                            java.lang.NullPointerException,
                            ServiceFailure

The method check if the given action is permitted according to the current set of policies

Specified by:

checkPermission in interface AuthorizationPolicyDisclosure

Parameters:

perm - Permission to be checked by the Guard in order to allow/disallow an action.

context - An Object describing the context of the action.

Throws:

KAoSSecurityException - if the action is not allowed.

java.lang.NullPointerException - if the Permission argument is null.

ServiceFailure

checkPermission

public void checkPermission(java.lang.String actorID,
                            java.lang.String attemptedActionName,
                            java.util.HashMap actionProperties)
                     throws KAoSSecurityException,
                            java.lang.NullPointerException,
                            ServiceFailure

The method check if the given action is permitted according to the current set of policies.

Specified by:

checkPermission in interface PolicyChecking

Parameters:

actorID - String containing the id of the policy actor.

attemptedActionName - String containing the ontological name of the attempted action.

actionProperties - HashMap containing the ontological names and their values of properties of the attempted action.

Throws:

KAoSSecurityException - if the action is not allowed.

java.lang.NullPointerException - if the Permission argument is null.

ServiceFailure - if the policy service is not available.

getPoliciesForActionType

public java.util.List getPoliciesForActionType(java.lang.String actionType)
                                        throws ServiceFailure

Get policies for the specified action type.

Specified by:

getPoliciesForActionType in interface AuthorizationPolicyDisclosure

Parameters:

actionType - String specifying the action type for the requested policies.

Returns:

List Contains policies defined for the specified action.

Throws:

ServiceFailure

getAllowableValuesForActionProperties

public java.util.Vector getAllowableValuesForActionProperties(java.util.Vector propertyNames,
                                                              ActionInstanceDescription actionDesc,
                                                              boolean tight)
                                                       throws ServiceFailure

This function is used when the agent/enforcer has only partial information about an action and would like to determine what range of properties can be allowed by the policy set. The agent/enforcer partially fills an ActionInstanceDescription object and sends it to the method, which finds those policies that are applicable to this action and contain the given property. The method will then select only those values for the given properties that will not conflict with higher priority policies containing the given properties.

Specified by:

getAllowableValuesForActionProperties in interface AuthorizationPolicyDisclosure

Parameters:

propertyName - Vector containing the properties for which values are to be found.

actionDesc - ActionInstanceDescription object which will be used to find applicable policies.

tight - boolean, if set to 'true', will result in returning only these values for the missing specified property which would satisfy some policy if used alone.

Returns:

Vector The Vector containing multiple ActionInstanceDescription objects which contain the allowed values for those properties.

Throws:

ServiceFailure

getAllowableValuesForActionProperties

public java.util.Vector getAllowableValuesForActionProperties(ActionInstanceDescription actionDesc)
                                                       throws ServiceFailure

In this case, there are NO properties specified. The function uses the given, partially filled, ActionInstanceDescription object to find those policies that are applicable to this action, and then it selects all the properties from those policies which are not originally contained in the provided ActionInstanceDescription object. It then chooses only those values for the given properties which do not conflict with their higher priority selves, and returns all those properties in the ActionInstanceDescription object.

Specified by:

getAllowableValuesForActionProperties in interface AuthorizationPolicyDisclosure

Parameters:

actionDesc - ActionInstanceDescription object which will be used to find applicable policies.

Returns:

Vector The Vector containing multiple ActionInstanceDescription objects which contain the allowed values for those properties.

Throws:

ServiceFailure

getAllowableValuesForActionProperty

public java.util.Set getAllowableValuesForActionProperty(java.lang.String origPropertyName,
                                                         ActionInstanceDescription origActionDesc,
                                                         java.util.Set allTargetValues,
                                                         boolean tight)
                                                  throws ServiceFailure

This function is used when the enforcer has only partial information about an action and needs to determine what range of a property can be allowed by the policy. The enforcer partially fills an ActionInstanceDescription object and sends it to the PolicyDisclosure object to find those policies that are applicable to this action and contain the given property. PolicyDisclosure will then select only those values for the given property that will not conflict with higher priority policies containing the given property. This is a complex function and needs to be understood in the context of how it is used - this is getting written elsewhere and will be included here at a later time.

Specified by:

getAllowableValuesForActionProperty in interface AuthorizationPolicyDisclosure

Parameters:

propertyName - String specifying the property for which values are to be found.

actionDesc - ActionInstanceDescription object which will be used to find applicable policies.

allTargetValues - Set of possible property values - now it is a fake argument, which should really be calculated by the directory service and passed to the entity disclosing the policy (PolicyDisclosure).

tight - boolean, if set to 'true', will result in returning only these values for the missing specified property which would satisfy some policy if used alone.

Returns:

Set The Set containing allowed values for the given property, or null, if a thread waiting to complete execution of this method has been interrupted. The interrupted status will be propagated.

Throws:

ServiceFailure

getObligationsForTriggerCondition

public java.util.Vector getObligationsForTriggerCondition(ActionInstanceDescription triggerAID)
                                                   throws ObligationViolationException,
                                                          ServiceFailure

Based on the specified trigger ActionInstanceDescription, select all matching control BasicActionDescriptions, which define the obligations for the trigger. For each control BasicActionDescription create an ActionInstanceDescription. Sort the ActionInstanceDescriptions in descending order by the priority of the obligation policy, in which the BasicActionDescription was defined.

Specified by:

getObligationsForTriggerCondition in interface ObligationPolicyDisclosure

Parameters:

triggerACD - ActionInstanceDescription describes an instance of the trigger condition sent by the trigger condition monitor.

Returns:

A Vector of control ActionInstanceDescriptions, whose BasicActionDescriptions are contained in policies matching the parameter triggerAID. The returned control ActionInstanceDescriptions are sorted in descending sequence by their policy priority.

Throws:

ObligationViolationException - when specified obligation constraints in a policy applicable to the given trigger are not satisfied.

ServiceFailure - if the policy service is not available.

logMessage

protected void logMessage(java.lang.String msg,
                          int logLevel)

logMessage

protected void logMessage(java.lang.String msg,
                          java.lang.Exception e,
                          int logLevel)