kaos.policy.guard
Class KAoSGuard

java.lang.Object
  kaos.policy.guard.KAoSGuard

All Implemented Interfaces:

java.io.Serializable, TriggerConditionListener, TriggerConditionListenersRegistry, EnforcerManager, Guard, GuardManager, PolicyDistributor, AuthorizationPolicyDisclosure, ObligationPolicyDisclosure, PolicyDisclosure

Direct Known Subclasses:

KAoSGridGuard

public class KAoSGuard
extends java.lang.Object
implements Guard, GuardManager, java.io.Serializable

Guard for KAoS policies enforcement. This class is still under construction...

Requires:

Modifications:

See Also:

"KAoS Agent Programmer's Guide" $Revision: 1.208 $, Serialized Form

Field Summary

protected java.lang.String	_authModality
protected java.util.HashMap	_enforcersOfType
static int	_FULL_POLICY_MATCH_ _FULL_POLICY_MATCH_ is an integer that indicates that an action instance description fully matches a policy.
protected DefaultKAoSGuardDescription	_guardDescription
protected java.lang.String	_id
protected KAoSAgentDirectoryServiceProxy	_kaosDirectoryService
protected Locator	_locator
protected MessageReceiver	_messageReceiver
protected java.lang.String	_nickName
static int	_NO_POLICY_MATCH_ _NO_POLICY_MATCH_ is an integer that indicates that some property of an action is not consistent with a policy.
static int	_PARTIAL_POLICY_MATCH_ _PARTIAL_POLICY_MATCH_ is an integer that indicates that all the known properties of an action are consistent with the policy.
protected MessageSender	_sender
protected java.util.Hashtable	_superActionsCache
static java.lang.String	CONTAINER_ID_KEY
static java.lang.String	GUARD_NAME_KEY

Constructor Summary

KAoSGuard()
Constructor.

Method Summary

void	addDomain(DomainDescription desc) Add the specified DomainDescription to the collection of domains used to calculate authorization modalities for checking permissions.
protected void	addPolicy(PolicyMsg polMsg) Policy Management Methods
void	addPolicyUpdateListener(PolicyDistributor listener)
void	changeComponentEnabledStatus(java.lang.String repType, java.lang.String associatedOntType, java.lang.Boolean state)
protected void	changePolicy(PolicyMsg policyMsg)
void	checkDeepPermission(java.security.Permission perm, java.lang.Object context) The method checks if the given action is permitted according to the current set of policies.
void	checkPermission(java.security.Permission perm, java.lang.Object context) This method is stil evolving and will change when the KAoSGuard extends from the Java SecurityManager.
static java.util.Hashtable	createPolicyTypeTable(java.util.Collection policies)
void	deleteAllLogs()
void	deleteLogsforActionType(java.lang.String actionType)
void	deleteLogsforActor(java.lang.String actorID)
void	deleteSpecifiedLogs(java.lang.String actionType, java.lang.String actorID, java.lang.String startTime, java.lang.String endTime, java.lang.Boolean latest)
void	deregisterTriggerConditionListener(TriggerConditionListener listenerRef) Deregister the specified TriggerConditionListener from the registry.
boolean	equals(java.lang.Object obj)
java.util.Vector	findPolicyDecision(java.security.Permission perm, java.lang.Object context) The method checks if the given action is permitted according to the current set of policies, or if the given action is a trigger for some obligation policy.
java.util.List	getActionSubclassesOfInterest() This method returns all the subclasses of actions of all policies in this guard, along with the original action class name.
java.util.Vector	getAllKAoSExtensionComponents(java.lang.String repType)
java.util.Vector	getAllLogs()
java.util.Vector	getAllowableValuesForActionProperties(ActionInstanceDescription origActionDesc) In this case, there are NO properties specified.
java.util.Vector	getAllowableValuesForActionProperties(java.util.Vector propertyNames, ActionInstanceDescription actionDesc) Commented out by JLOTT, this function does not work right, because it needs the allTargetValues parameter to properly add values for a positive authorization policy with a complemented property
java.util.Vector	getAllowableValuesForActionProperties(java.util.Vector origPropertyNames, ActionInstanceDescription origActionDesc, boolean tight) This method finds allowable values for multiplt properties, by making use of the method findAllowedValuesRecursively().
java.util.Set	getAllowableValuesForActionProperty(java.lang.String origPropertyName, ActionInstanceDescription origActionDesc, boolean tight) This function finds out all such policies that are applicable to the given AID.
java.util.Set	getAllowableValuesForActionProperty(java.lang.String propertyName, ActionInstanceDescription actionDesc, java.util.Set allTargetValues) This function is used when the enforcer has only partial information about an action and needs to determine what range of a property can be allowed by the policy.
java.util.Set	getAllowableValuesForActionProperty(java.lang.String origPropertyName, ActionInstanceDescription origActionDesc, java.util.Set allTargetValues, boolean tight) This function is used when the enforcer has only partial information about an action and needs to determine what range of a property can be allowed by the policy.
java.util.Vector	getAllowedActions()
java.util.Vector	getAllPolicies() kaos.policy.information.PolicyDBManager interface implementation - begin we have to implement these stubs here because directory service calls these methods on guard by reflection.
java.util.Vector	getAllRepositoryManagers() Get all Repository Manager objects contained in this guard.
protected java.util.List	getBootPolicies(java.lang.String type)
java.util.List	getClassRangesOfInterest() This method returns all the classranges of properties of all policies in this guard.
java.lang.Boolean	getComponentEnabledStatus(java.lang.String repType, java.lang.String associatedOntType)
java.lang.String	getExpandedProperty(java.lang.String key)
java.util.Vector	getForbiddenValuesForActionProperty(java.lang.String origPropertyName, ActionInstanceDescription origActionDesc) At the moment this method would work only for A- policies for 'moveTo' action, and for 'movingTo' property.
HistoryMonitor	getGuardLogManager() Get the manager for the event log contained in the guard.
GuardState	getGuardStateFor() this method returns the state of this guard
java.lang.String	getID() Get guard's GUID.
java.util.Set	getInstancesOf(java.lang.String concept)
java.util.Vector	getKAoSExtensionComponents(java.lang.String repType, java.lang.String associatedOntType) kaos.policy.guard.GuardRepositoryManager interface implementation - begin we have to implement these stubs here because directory service calls these methods on guard by reflection.
java.util.Vector	getLogsforActionType(java.lang.String actionType)
java.util.Vector	getLogsforActor(java.lang.String actorID)
protected java.lang.String	getNickName()
java.util.Vector	getObligationsForTriggerCondition(ActionInstanceDescription origActionDesc) Based on the specified trigger ActionInstanceDescription, select all matching control BasicActionDescriptions, which define the obligations for the trigger.
java.util.Hashtable	getOntologyInstances() This method gets all the ontology instance defined in the directory service, converts them into KAoSInstances, and then creates and returns a Hashtable with instance names as keys and their corresponding KAoSInstance objects as the values.
java.util.List	getPoliciesForActionType(java.lang.String actionType) Get policies for the specified action type.
PolicyDBManager	getPolicyDBManager() Get the manager for the policy database contained in the guard.
protected java.lang.String	getPolicyForbiddingAction(ActionInstanceDescription actionDesc) Find if any existing explicit policy firbides the given action.
PolicyInformation	getPolicyInformation(java.lang.String policyID)
java.lang.Integer	getPolicyUpdateCount() Returns count of the number of times the policy has been updated.
java.lang.String	getProperty(java.lang.String key)
java.lang.String	getProperty(java.lang.String key, java.lang.String defaultValue)
java.util.List	getPropretiesOfInterest() This method returns all the properties and their subproperties of all policies contained in this guard.
GuardRepositoryManager	getRepositoryManager(java.lang.String repType) Guard manager interface implementation begins
java.util.Hashtable	getRepositoryTableInformation(java.lang.String repType)
java.util.Vector	getSpecifiedLogs(java.lang.String actionType, java.lang.String actorID, java.lang.String startTime, java.lang.String endTime, java.lang.Boolean latest)
java.util.Vector	getTriggerConditions(BasicActionDescription triggerAD) Find all trigger conditions that match the specified BasicActionDescription and return them to the caller.
int	hashCode()
protected boolean	initExecEnvironment(java.util.Vector domainNames, KAoSServiceRoot sr, JasBean guardInitInfo, EnforcerFactory enforcerFactory, java.lang.Object infrastructureInfo, InstanceClassifierFactory instClassifierFactory, java.util.List controlledActorClasses, java.util.List controlledActionClasses, PersistenceManager persistMgr)
boolean	initialize(java.util.Vector domainNames, KAoSServiceRoot sr, JasBean guardInitInfo, EnforcerFactory enforcerFactory, java.lang.Object infrastructureInfo, InstanceClassifierFactory instClassifierFactory, java.util.List controlledActorClasses) Setup the basic JAS environment.
boolean	initialize(java.util.Vector domainNames, KAoSServiceRoot sr, JasBean guardInitInfo, EnforcerFactory enforcerFactory, java.lang.Object infrastructureInfo, InstanceClassifierFactory instClassifierFactory, java.util.List controlledActorClasses, java.util.List controlledActionClasses, PersistenceManager persistMgr) Setup the basic JAS environment.
protected boolean	isActionAuthorized(ActionInstanceDescription actionDesc) Check if the specified instance of an action is authorized.
java.lang.Boolean	isGuardLoggingActive(java.lang.Boolean logging)
void	logActionStatus(ActionInstanceDescription status)
void	logEvent(ActionInstanceDescription event)
protected boolean	matchPolicy(ActionInstanceDescription actionDesc, BasicActionDescription ps, java.lang.String mod) This function matches the properties of the given policy information object to those of the action description object.
protected boolean	matchPolicyHistory(PolicyInformation ps) This method checks if the history action in the given policy has the # instances that the policy specifies, in the log of this guard.
protected void	monitorAuthorizationFailure(ActionInstanceDescription origActionDesc) Monitoring and Response Policy Enforcement: Authorization Failure methods - begin
void	newAgent(KAoSAgentDescription agentDescription, java.lang.Object initAgentContext) Retrieve the ontological type of the agent and based on the associated action(s), obtain the appropriate enforcer(s) for the agent.
void	receiveMessage(TransportMessage msg)
void	refreshAllPoliciesComplete()
void	refreshAllPoliciesPartial(java.util.Vector properties)
void	refreshPolicyComplete(java.lang.String policyID)
void	refreshPolicyPartial(java.lang.String policyID, java.util.Vector properties)
void	refreshSpecifiedPoliciesComplete(java.util.Vector policyIDs)
void	refreshSpecifiedPoliciesPartial(java.util.Vector policyIDs, java.util.Vector properties)
protected void	registerAgent(KAoSAgentDescription agentDescription) Sends a message to the Domain Manager to register an agent If the node has not been registered yet, puts the message in a queue.
boolean	registerEnforcer(Enforcer enforcer, java.lang.String actionType, java.util.List subjectIDs) Register Enforcer, which helps to enforce domain policies in this VM.
void	registerTriggerConditionListener(BasicActionDescription triggerAD, TriggerConditionListener listenerRef) Store the received TriggerConditionListener in the registry of listeners.
protected void	rehydratePolicies(java.util.List policies)
void	reinstateObligationPolicy(java.lang.String policyID)
void	removeAgent(KAoSAgentDescription agentDescription) Remove agent from the KAoS Directory Service.
void	removeAllKAoSExtensionComponents(java.lang.String repType)
void	removeAllPolicies() remove all policy objects contained in this database.
void	removeAllRepositoryManagers() Remove all Repository Manager objects contained in this guard.
KAoSExtensionComponent	removeKAoSExtensionComponent(java.lang.String repType, java.lang.String associatedOntType)
protected void	removePolicy(PolicyMsg polMsg)
void	removePolicyUpdateListener(PolicyDistributor listener)
GuardRepositoryManager	removeRepositoryManager(java.lang.String repType) Remove from this guard the repository manager object for the given type of repository
void	resetGuardAppeal()
void	restoreState(GuardPersistenceManager gpm, KAoSServiceRoot sr, JasBean guardInitInfo, boolean connectToDS, boolean connectToTransport)
void	saveState(java.lang.String fileName) this method saves the state of guard in a file.
boolean	setConceptMapping(java.lang.String mappingName, java.lang.String fileNameLoc) Set the mapping of ontology concept.
void	setGuardAppeal(java.util.Vector actions) Authorization Methods
void	setGuardLoggingState(java.lang.Boolean logging) kaos.policy.history.HistoryMonitor interface implementation - begin we have to implement these stubs here because directory service calls these methods on guard by reflection.
void	setKAoSExtensionComponent(java.lang.String repType, java.lang.String associatedOntType, KAoSExtensionComponent extComp)
void	setPolicies(java.util.List policies) Replace the current policy set with the given set
void	setPolicyBootstrapper(PolicyBootstrapper pb) Sets the policy bootstrapper which gives the boot policies and default modality to use before the DirectoryService is contacted This should be called before any enforcers register, and before initialize() is called
void	setPropertyPopulator(java.lang.String mappingName, PropertySpecializedPopulator populator) Set the property populator for the given mapping.
void	setRepositoryManager(java.lang.String repType, GuardRepositoryManager repManager) Set the repository manager object for the given type of repository
void	setUsePolCert(boolean usePolCert)
void	suspendObligationPolicy(java.lang.String policyID)
void	updateActionSubclasses(java.lang.String className, java.util.Collection subclasses) to update the subclasses of an action class.
void	updateInstanceOfClass(java.lang.String className, java.util.Collection instances) update cached instances of the given class in concerned policies.
void	updatePolicies(java.util.List addedPolicies, java.util.List changedPolicies, java.util.List removedPolicies) Add/change/remove policies to/from the PolicyInformationDatabase.
protected void	updatePolicies(java.util.List addedPolicies, java.util.List changedPolicies, java.util.List removedPolicies, boolean setPolicies)
void	updateSubpropertiesOfProperty(java.lang.String propName, java.util.Collection subProps) update cached subproperties of the given property in concerned policies.
void	updateTriggerCondition(BasicActionDescription triggerBasicAD) This method is called by Guard upon receiving an obligation policy containing the specified triggerACD.
protected void	writePolicyUpdate(java.util.List addedPolicies, java.util.List changedPolicies, java.util.List removedPolicies, boolean setPolicies) This function actually updates the current policy set It allows subclasses to override it to provide persistence of policies It expects the write lock to already be aquired

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Field Detail

GUARD_NAME_KEY

public static final java.lang.String GUARD_NAME_KEY

See Also:

Constant Field Values

CONTAINER_ID_KEY

public static final java.lang.String CONTAINER_ID_KEY

See Also:

Constant Field Values

_id

protected java.lang.String _id

_enforcersOfType

protected java.util.HashMap _enforcersOfType

_guardDescription

protected DefaultKAoSGuardDescription _guardDescription

_sender

protected MessageSender _sender

_locator

protected Locator _locator

_nickName

protected java.lang.String _nickName

_authModality

protected java.lang.String _authModality

_messageReceiver

protected MessageReceiver _messageReceiver

_kaosDirectoryService

protected KAoSAgentDirectoryServiceProxy _kaosDirectoryService

_superActionsCache

protected java.util.Hashtable _superActionsCache

_FULL_POLICY_MATCH_

public static final int _FULL_POLICY_MATCH_

_FULL_POLICY_MATCH_ is an integer that indicates that an action instance description fully matches a policy.

See Also:

Constant Field Values

_NO_POLICY_MATCH_

public static final int _NO_POLICY_MATCH_

_NO_POLICY_MATCH_ is an integer that indicates that some property of an action is not consistent with a policy.

See Also:

Constant Field Values

_PARTIAL_POLICY_MATCH_

public static final int _PARTIAL_POLICY_MATCH_

_PARTIAL_POLICY_MATCH_ is an integer that indicates that all the known properties of an action are consistent with the policy. However, in this case there are some other properties that are constrained by the policy that are not specified in the action description.

See Also:

Constant Field Values

Constructor Detail

KAoSGuard

public KAoSGuard()

Constructor.

Method Detail

receiveMessage

public void receiveMessage(TransportMessage msg)

equals

public boolean equals(java.lang.Object obj)

Overrides:

equals in class java.lang.Object

hashCode

public int hashCode()

Overrides:

hashCode in class java.lang.Object

addDomain

public void addDomain(DomainDescription desc)

Description copied from interface: Guard

Add the specified DomainDescription to the collection of domains used to calculate authorization modalities for checking permissions.

Specified by:

addDomain in interface Guard

getID

public java.lang.String getID()

Get guard's GUID.

Specified by:

getID in interface Guard

Returns:

String uniquely identifying the guard.

getPoliciesForActionType

public java.util.List getPoliciesForActionType(java.lang.String actionType)

Get policies for the specified action type.

Specified by:

getPoliciesForActionType in interface AuthorizationPolicyDisclosure

Parameters:

actionType - String specifying the action type for the requested policies.

Returns:

List of policies defined for the specified action.

getAllowableValuesForActionProperty

public java.util.Set getAllowableValuesForActionProperty(java.lang.String propertyName,
                                                         ActionInstanceDescription actionDesc,
                                                         java.util.Set allTargetValues)

This function is used when the enforcer has only partial information about an action and needs to determine what range of a property can be allowed by the policy. The enforcer partially fills an ActionInstanceDescription object and sends it to the PolicyDisclosure object to find those policies that are applicable to this action and contain the given property. PolicyDisclosure will then select only those values for the given property that will not conflict with higher priority policies containing the given property. This is a complex function and needs to be understood in the context of how it is used - this is getting written elsewhere and will be included here at a later time.

Parameters:

propertyName - String specifying the property for which values are to be found.

actionDesc - ActionInstanceDescription object which will be used to find applicable policies.

allTargetValues - Set of possible property values - now it is a fake argument, which should really be calculated by the directory service and passed to the entity disclosing the policy (PolicyDisclosure).

Returns:

Set The Set containing allowed values for the given property, or null, if a thread waiting to complete execution of this method has been interrupted. The interrupted status will be propagated.

getAllowableValuesForActionProperty

public java.util.Set getAllowableValuesForActionProperty(java.lang.String origPropertyName,
                                                         ActionInstanceDescription origActionDesc,
                                                         java.util.Set allTargetValues,
                                                         boolean tight)

This function is used when the enforcer has only partial information about an action and needs to determine what range of a property can be allowed by the policy. The enforcer partially fills an ActionInstanceDescription object and sends it to the PolicyDisclosure object to find those policies that are applicable to this action and contain the given property. PolicyDisclosure will then select only those values for the given property that will not conflict with higher priority policies containing the given property. This is a complex function and needs to be understood in the context of how it is used - this is getting written elsewhere and will be included here at a later time.

Specified by:

getAllowableValuesForActionProperty in interface AuthorizationPolicyDisclosure

Parameters:

propertyName - String specifying the property for which values are to be found.

actionDesc - ActionInstanceDescription object which will be used to find applicable policies.

allTargetValues - Set of possible property values - now it is a fake argument, which should really be calculated by the directory service and passed to the entity disclosing the policy (PolicyDisclosure).

tight - boolean, if set to 'true', will result in returning only these values for the missing specified property which would satisfy some policy if used alone.

Returns:

Set The Set containing allowed values for the given property, or null, if a thread waiting to complete execution of this method has been interrupted. The interrupted status will be propagated.

getAllowableValuesForActionProperty

public java.util.Set getAllowableValuesForActionProperty(java.lang.String origPropertyName,
                                                         ActionInstanceDescription origActionDesc,
                                                         boolean tight)
                                                  throws java.lang.IllegalArgumentException

This function finds out all such policies that are applicable to the given AID. It then gathers the requested property from each of those applicable policies into a vector; it also gathers the modalities of those policies into another vector such that a property and its policy modality from the vectors correspond to each other, and then it passes them to another function which processes them and returns the final result.

Throws:

java.lang.IllegalArgumentException

getAllowableValuesForActionProperties

public java.util.Vector getAllowableValuesForActionProperties(java.util.Vector propertyNames,
                                                              ActionInstanceDescription actionDesc)

Commented out by JLOTT, this function does not work right, because it needs the allTargetValues parameter to properly add values for a positive authorization policy with a complemented property

getAllowableValuesForActionProperties

public java.util.Vector getAllowableValuesForActionProperties(java.util.Vector origPropertyNames,
                                                              ActionInstanceDescription origActionDesc,
                                                              boolean tight)

This method finds allowable values for multiplt properties, by making use of the method findAllowedValuesRecursively(). Pl. see the header of that method for details.

Specified by:

getAllowableValuesForActionProperties in interface AuthorizationPolicyDisclosure

origActionDesc - ActionInstanceDescription object which will be used to find applicable policies.

tight - boolean, if set to 'true', will result in returning only these values for the missing specified property which would satisfy some policy if used alone.

Returns:

Vector The Vector containing multiple ActionInstanceDescription objects which contain the allowed values for those properties.

getAllowableValuesForActionProperties

public java.util.Vector getAllowableValuesForActionProperties(ActionInstanceDescription origActionDesc)

Description copied from interface: AuthorizationPolicyDisclosure

In this case, there are NO properties specified. The function uses the given, partially filled, ActionInstanceDescription object to find those policies that are applicable to this action, and then it selects all the properties from those policies which are not originally contained in the provided ActionInstanceDescription object. It then chooses only those values for the given properties which do not conflict with their higher priority selves, and returns all those properties in the ActionInstanceDescription object.

Specified by:

getAllowableValuesForActionProperties in interface AuthorizationPolicyDisclosure

Parameters:

origActionDesc - ActionInstanceDescription object which will be used to find applicable policies.

Returns:

Vector The Vector containing multiple ActionInstanceDescription objects which contain the allowed values for those properties.

getForbiddenValuesForActionProperty

public java.util.Vector getForbiddenValuesForActionProperty(java.lang.String origPropertyName,
                                                            ActionInstanceDescription origActionDesc)

At the moment this method would work only for A- policies for 'moveTo' action, and for 'movingTo' property. For other policies, the behaviour of this method is undefined. This method would be made more generic in future, for handling nested property values.

Parameters:

origPropertyName - the property for which to find those values.

origActionDesc - the AID for which to find the values.

Returns:

Vector a Vector of KAoSInstance objects, which are the forbidden values.

getOntologyInstances

public java.util.Hashtable getOntologyInstances()

This method gets all the ontology instance defined in the directory service, converts them into KAoSInstances, and then creates and returns a Hashtable with instance names as keys and their corresponding KAoSInstance objects as the values.

removeAgent

public void removeAgent(KAoSAgentDescription agentDescription)
                 throws NotRegisteredException,
                        DirectoryFailure

Remove agent from the KAoS Directory Service.

Specified by:

removeAgent in interface Guard

Parameters:

agentDescription - KAoSAgentDescription to be used by the Guard to deregister the agent from the KAoS Directory Service.

Throws:

NotRegisteredException - if the agent is not registered in the KAoS Directory Service.

DirectoryFailure - if the KAoS Directory Service is not available.

initialize

public boolean initialize(java.util.Vector domainNames,
                          KAoSServiceRoot sr,
                          JasBean guardInitInfo,
                          EnforcerFactory enforcerFactory,
                          java.lang.Object infrastructureInfo,
                          InstanceClassifierFactory instClassifierFactory,
                          java.util.List controlledActorClasses)

Setup the basic JAS environment. Register Guard with the KAoS Agent DirectoryService. Establish connection to the KAoS Policy Directory.

1. Get the Agent Naming Service.
2. Use the Agent Naming Service to get a unique name for the Guard.
3. Get a reference to the Message Transport Service.
4. Bind to the Message Transport Service and obtain the Guard's locator.
5. Get the KAoS Agent Directory Service.
6. Create an Agent Description for the Guard.
7. Register the Guard with the KAoS Directory Service.
8. Initialize Guard's default authorization modality.

As the individual initialization steps are executed, the instance variables are set to match the services that are being initialized. Those services are used throughout the Guard. If, in the process of initialization a step fails, return false.

Specified by:

initialize in interface Guard

Parameters:

domainNames - The Vector of names of domains the Guard will become a member of.

serviceRoot - The JAS ServiceRoot to establish connections to the JAS services: Naming, Agent Directory and Transport.

guardInitInfo - The JasBean that encapsulates Guard's nickname and other transport parameters, if needed by the MessageTransportService. to satisfy Guard's requests for policy information.

enforcerFactory - The EnforcerFactory the Guard will use to obtain enforcers from.

infrastructureInfo - The Object that contains the agent's infrastructure information to pass on to enforcers.

instClassifierFactory - The InstanceClassifierFactory to instantiate InstanceClassifiers for given property names.

controlledActorClasses - The List that contains the names of actor classes the Guard may receive policies for. to enforcers.

Returns:

boolean Indicates initialization success/failure.

initialize

public boolean initialize(java.util.Vector domainNames,
                          KAoSServiceRoot sr,
                          JasBean guardInitInfo,
                          EnforcerFactory enforcerFactory,
                          java.lang.Object infrastructureInfo,
                          InstanceClassifierFactory instClassifierFactory,
                          java.util.List controlledActorClasses,
                          java.util.List controlledActionClasses,
                          PersistenceManager persistMgr)

Setup the basic JAS environment. Register Guard with the KAoS Agent DirectoryService. Establish connection to the KAoS Policy Directory.

1. Get the Agent Naming Service.
2. Use the Agent Naming Service to get a unique name for the Guard.
3. Get a reference to the Message Transport Service.
4. Bind to the Message Transport Service and obtain the Guard's locator.
5. Get the KAoS Agent Directory Service.
6. Create an Agent Description for the Guard.
7. Register the Guard with the KAoS Directory Service.
8. Initialize Guard's default authorization modality.

As the individual initialization steps are executed, the instance variables are set to match the services that are being initialized. Those services are used throughout the Guard. If, in the process of initialization a step fails, return false.

Parameters:

domainNames - The Vector of names of domains the Guard will become a member of.

serviceRoot - The JAS ServiceRoot to establish connections to the JAS services: Naming, Agent Directory and Transport.

guardInitInfo - The JasBean that encapsulates Guard's nickname and other transport parameters, if needed by the MessageTransportService. to satisfy Guard's requests for policy information.

enforcerFactory - The EnforcerFactory the Guard will use to obtain enforcers from.

infrastructureInfo - The Object that contains the agent's infrastructure information to pass on to enforcers.

instClassifierFactory - The InstanceClassifierFactory to instantiate InstanceClassifiers for given property names.

controlledActorClasses - The List that contains the names of actor classes the Guard may receive policies for.

controlledActionClasses - The List that contains the names of action classes the Guard may receive policies for.

Returns:

boolean Indicates initialization success/failure.

newAgent

public void newAgent(KAoSAgentDescription agentDescription,
                     java.lang.Object initAgentContext)
              throws AlreadyRegisteredException,
                     DirectoryFailure,
                     EnforcerInstantiationException,
                     UnknownConceptException

Retrieve the ontological type of the agent and based on the associated action(s), obtain the appropriate enforcer(s) for the agent. Register the agent in the KAoSDirectoryService.

Specified by:

newAgent in interface Guard

Parameters:

agentDescription - KAoSAgentDescription to be used by the Guard to obtain the appropriate enforcer(s) for the guarded agent and to register the agent with the KAoSDirectoryService.

initAgentContext - An Object describing the context of the new guarded agent.

Throws:

AlreadyRegisteredException - if the new agent is already registered in the KAoSDirectoryService.

DirectoryFailure - if the KAoSDirectoryService is not available.

EnforcerInstantiationException - the process of instantiating an enforcer fails.

UnknownConceptException - if any of used names is unknow for the ontology repository, details will be provided in the return string

registerAgent

protected void registerAgent(KAoSAgentDescription agentDescription)

Sends a message to the Domain Manager to register an agent If the node has not been registered yet, puts the message in a queue.

Parameters:

agentDescription - description of the agent (null to only flush the buffer)

setConceptMapping

public boolean setConceptMapping(java.lang.String mappingName,
                                 java.lang.String fileNameLoc)

Set the mapping of ontology concept.

Specified by:

setConceptMapping in interface Guard

Parameters:

mappingName - The String specifying the name of the mapping.

fileNameLoc - The String specifying the name and path of the file containing the mapping.

Returns:

boolean indicating success(true)/failure(false) of the operation.

setPropertyPopulator

public void setPropertyPopulator(java.lang.String mappingName,
                                 PropertySpecializedPopulator populator)

Set the property populator for the given mapping.

Specified by:

setPropertyPopulator in interface Guard

Parameters:

mappingName - The String specifying the name of the mapping.

PropertySpecializedPopulator - The property populator for the given mapping.

getObligationsForTriggerCondition

public java.util.Vector getObligationsForTriggerCondition(ActionInstanceDescription origActionDesc)
                                                   throws ObligationViolationException

Based on the specified trigger ActionInstanceDescription, select all matching control BasicActionDescriptions, which define the obligations for the trigger. For each control BasicActionDescription create an ActionInstanceDescription. Sort the ActionInstanceDescriptions in descending order by the priority of the obligation policy, in which the BasicActionDescription was defined.

Specified by:

getObligationsForTriggerCondition in interface ObligationPolicyDisclosure

Parameters:

origActionDesc - ActionInstanceDescription describes an instance of the trigger condition sent by the trigger condition monitor.

Returns:

A Vector of control ActionInstanceDescriptions, whose BasicActionDescriptions are contained in policies matching the parameter triggerAID. The returned control ActionInstanceDescriptions are sorted in descending sequence by their policy priority. Or, the method returns null, if a Thread waiting to complete execution of this method has been interrupted. The Thread's interrupted status will be re-established.

Throws:

ObligationViolationException

updatePolicies

public void updatePolicies(java.util.List addedPolicies,
                           java.util.List changedPolicies,
                           java.util.List removedPolicies)

Add/change/remove policies to/from the PolicyInformationDatabase.

Specified by:

updatePolicies in interface PolicyDistributor

Parameters:

addedPolicies - The List of policies to be added to the PolicyInformationDatabase.

changedPolicies - The List of policies to be changed in the PolicyInformationDatabase.

removedPolicies - The List of policies to be removed from the PolicyInformationDatabase.

updatePolicies

protected void updatePolicies(java.util.List addedPolicies,
                              java.util.List changedPolicies,
                              java.util.List removedPolicies,
                              boolean setPolicies)

writePolicyUpdate

protected void writePolicyUpdate(java.util.List addedPolicies,
                                 java.util.List changedPolicies,
                                 java.util.List removedPolicies,
                                 boolean setPolicies)

This function actually updates the current policy set It allows subclasses to override it to provide persistence of policies It expects the write lock to already be aquired

addPolicyUpdateListener

public void addPolicyUpdateListener(PolicyDistributor listener)

Specified by:

addPolicyUpdateListener in interface Guard

removePolicyUpdateListener

public void removePolicyUpdateListener(PolicyDistributor listener)

Specified by:

removePolicyUpdateListener in interface Guard

getPolicyUpdateCount

public java.lang.Integer getPolicyUpdateCount()

Returns count of the number of times the policy has been updated. This function is important when a policy disclosure client needs to cache results for performance reasons. The traditional case occurs when the caller is asking permission for access and will cache the result if the mediation succeeds. The logic would look something like this - getPolicyUpdateCount - check if permission is permitted based on the cache using the policy update count - if the permission is cached return success - otherwise call checkPermission - if checkPermission succeeeds - get PolicyUpdateCount - if the policy update count before the call is the same as it is after the call, cache the fact that access is allowed. - return success - otherwise return exception

Specified by:

getPolicyUpdateCount in interface PolicyDisclosure

getBootPolicies

protected java.util.List getBootPolicies(java.lang.String type)

rehydratePolicies

protected void rehydratePolicies(java.util.List policies)

createPolicyTypeTable

public static java.util.Hashtable createPolicyTypeTable(java.util.Collection policies)

updateTriggerCondition

public void updateTriggerCondition(BasicActionDescription triggerBasicAD)

This method is called by Guard upon receiving an obligation policy containing the specified triggerACD. The listener will now start monitoring agent actions in order to detect the occurrence of the trigger condition.

Specified by:

updateTriggerCondition in interface TriggerConditionListener

Parameters:

triggerBasicAD - BasicActionDescription describes the trigger condition the listener has registered for.

deregisterTriggerConditionListener

public void deregisterTriggerConditionListener(TriggerConditionListener listenerRef)
                                        throws TriggerConditionListenerDeregistrationException

Deregister the specified TriggerConditionListener from the registry.

Specified by:

deregisterTriggerConditionListener in interface TriggerConditionListenersRegistry

Parameters:

listenerRef - TriggerConditionListener, an instance of a listener to be deregistered from the listeners registry.

Throws:

TriggerConditionListenerDeregistrationException - if the listener deregistration fails.

registerTriggerConditionListener

public void registerTriggerConditionListener(BasicActionDescription triggerAD,
                                             TriggerConditionListener listenerRef)
                                      throws TriggerConditionListenerRegistrationException

Store the received TriggerConditionListener in the registry of listeners. Associate the listener with the specified BasicActionDescription of the trigger condition.

Specified by:

registerTriggerConditionListener in interface TriggerConditionListenersRegistry

Parameters:

triggerAD - BasicActionDescription describes the trigger condition the listener is going to monitor.

listenerRef - TriggerConditionListener, an instance of a listener, which will be monitoring the described trigger condition when an obligation policy, which contains the trigger BasicActionDescription, is received by the Guard and passed to the listener.

Throws:

TriggerConditionListenerRegistrationException - if the listener registration fails.

getTriggerConditions

public java.util.Vector getTriggerConditions(BasicActionDescription triggerAD)

Find all trigger conditions that match the specified BasicActionDescription and return them to the caller.

Specified by:

getTriggerConditions in interface TriggerConditionListenersRegistry

Parameters:

triggerAD - BasicActionDescription - describes the action to be used in matching against all BasicActionDescriptions of trigger conditions stored in obligation policies.

Returns:

Vector of matching BasicActionDescriptions for trigger conditions in stored obligation policies.

registerEnforcer

public boolean registerEnforcer(Enforcer enforcer,
                                java.lang.String actionType,
                                java.util.List subjectIDs)

Register Enforcer, which helps to enforce domain policies in this VM.

Specified by:

registerEnforcer in interface EnforcerManager

Parameters:

enforcer - the Enforcer that is being registered.

actionType - the type of action the registering enforcer will enforce.

subjectIDs - the List of subject IDs of agents associated with the enforced action.

Returns:

boolean indicating whether the enforcer was successfully registered

getAllPolicies

public java.util.Vector getAllPolicies()

kaos.policy.information.PolicyDBManager interface implementation - begin we have to implement these stubs here because directory service calls these methods on guard by reflection. So if the methods don't exist as members of guard, they can not be called... these stubs then delegate the methods to actual manager object.

removeAllPolicies

public void removeAllPolicies()

remove all policy objects contained in this database.

getPolicyInformation

public PolicyInformation getPolicyInformation(java.lang.String policyID)

refreshPolicyComplete

public void refreshPolicyComplete(java.lang.String policyID)

refreshPolicyPartial

public void refreshPolicyPartial(java.lang.String policyID,
                                 java.util.Vector properties)

refreshAllPoliciesComplete

public void refreshAllPoliciesComplete()

refreshAllPoliciesPartial

public void refreshAllPoliciesPartial(java.util.Vector properties)

refreshSpecifiedPoliciesComplete

public void refreshSpecifiedPoliciesComplete(java.util.Vector policyIDs)

refreshSpecifiedPoliciesPartial

public void refreshSpecifiedPoliciesPartial(java.util.Vector policyIDs,
                                            java.util.Vector properties)

getPropretiesOfInterest

public java.util.List getPropretiesOfInterest()

This method returns all the properties and their subproperties of all policies contained in this guard. This excludes _actor and _action properties because they don't have subproperties, only subclasses.

getClassRangesOfInterest

public java.util.List getClassRangesOfInterest()

This method returns all the classranges of properties of all policies in this guard. This excludes _action property because it doesn't have a class range.

getActionSubclassesOfInterest

public java.util.List getActionSubclassesOfInterest()

This method returns all the subclasses of actions of all policies in this guard, along with the original action class name.

updateSubpropertiesOfProperty

public void updateSubpropertiesOfProperty(java.lang.String propName,
                                          java.util.Collection subProps)

update cached subproperties of the given property in concerned policies.

Parameters:

propertyName - the property whose subproperties are to be updated.

subProps - the new subproperties.

updateInstanceOfClass

public void updateInstanceOfClass(java.lang.String className,
                                  java.util.Collection instances)

update cached instances of the given class in concerned policies.

Parameters:

className - the class whose instances are to be updated.

instances - the new instances.

updateActionSubclasses

public void updateActionSubclasses(java.lang.String className,
                                   java.util.Collection subclasses)

to update the subclasses of an action class.

Parameters:

className - the action class whose subclasses are updated

subclasses - the collection of updated subclasses

suspendObligationPolicy

public void suspendObligationPolicy(java.lang.String policyID)

reinstateObligationPolicy

public void reinstateObligationPolicy(java.lang.String policyID)

setGuardLoggingState

public void setGuardLoggingState(java.lang.Boolean logging)

kaos.policy.history.HistoryMonitor interface implementation - begin we have to implement these stubs here because directory service calls these methods on guard by reflection. So if the methods don't exist as members of guard, they can not be called... these stubs then delegate the methods to actual manager objects.

isGuardLoggingActive

public java.lang.Boolean isGuardLoggingActive(java.lang.Boolean logging)

logEvent

public void logEvent(ActionInstanceDescription event)

getAllLogs

public java.util.Vector getAllLogs()

deleteAllLogs

public void deleteAllLogs()

getLogsforActionType

public java.util.Vector getLogsforActionType(java.lang.String actionType)

deleteLogsforActionType

public void deleteLogsforActionType(java.lang.String actionType)

getLogsforActor

public java.util.Vector getLogsforActor(java.lang.String actorID)

deleteLogsforActor

public void deleteLogsforActor(java.lang.String actorID)

getSpecifiedLogs

public java.util.Vector getSpecifiedLogs(java.lang.String actionType,
                                         java.lang.String actorID,
                                         java.lang.String startTime,
                                         java.lang.String endTime,
                                         java.lang.Boolean latest)

deleteSpecifiedLogs

public void deleteSpecifiedLogs(java.lang.String actionType,
                                java.lang.String actorID,
                                java.lang.String startTime,
                                java.lang.String endTime,
                                java.lang.Boolean latest)

getKAoSExtensionComponents

public java.util.Vector getKAoSExtensionComponents(java.lang.String repType,
                                                   java.lang.String associatedOntType)

kaos.policy.guard.GuardRepositoryManager interface implementation - begin we have to implement these stubs here because directory service calls these methods on guard by reflection. So if the methods don't exist as members of guard, they can not be called... these stubs then delegate the methods to actual manager objects. pl. note that these methods have an extra parameter, 'repType' to indicate which rep. manager to call the method on. We find the appropriate object from the hashtable based on this parameter, and then call that object's corresponding method.

removeKAoSExtensionComponent

public KAoSExtensionComponent removeKAoSExtensionComponent(java.lang.String repType,
                                                           java.lang.String associatedOntType)

setKAoSExtensionComponent

public void setKAoSExtensionComponent(java.lang.String repType,
                                      java.lang.String associatedOntType,
                                      KAoSExtensionComponent extComp)
                               throws ComponentAlreadyPresentException

Throws:

ComponentAlreadyPresentException

changeComponentEnabledStatus

public void changeComponentEnabledStatus(java.lang.String repType,
                                         java.lang.String associatedOntType,
                                         java.lang.Boolean state)

getComponentEnabledStatus

public java.lang.Boolean getComponentEnabledStatus(java.lang.String repType,
                                                   java.lang.String associatedOntType)

getAllKAoSExtensionComponents

public java.util.Vector getAllKAoSExtensionComponents(java.lang.String repType)

removeAllKAoSExtensionComponents

public void removeAllKAoSExtensionComponents(java.lang.String repType)

getRepositoryTableInformation

public java.util.Hashtable getRepositoryTableInformation(java.lang.String repType)

setGuardAppeal

public void setGuardAppeal(java.util.Vector actions)

Authorization Methods

resetGuardAppeal

public void resetGuardAppeal()

checkPermission

public void checkPermission(java.security.Permission perm,
                            java.lang.Object context)
                     throws KAoSSecurityException,
                            java.lang.NullPointerException

This method is stil evolving and will change when the KAoSGuard extends from the Java SecurityManager.

Specified by:

checkPermission in interface AuthorizationPolicyDisclosure

Parameters:

perm - Permission to be checked by the Guard in order to allow/disallow an action.

context - An Object describing the context of the action.

Throws:

KAoSSecurityException - if the action is not allowed.

java.lang.NullPointerException - if the Permission argument is null.

checkDeepPermission

public void checkDeepPermission(java.security.Permission perm,
                                java.lang.Object context)
                         throws java.lang.NullPointerException,
                                ServiceFailure,
                                KAoSSecurityException

The method checks if the given action is permitted according to the current set of policies. However, if the given action is not permitted by a policy, instead of stopping there, it goes on to find all those policies that forbid the given action, and then returns a vector that contains their ids.

Specified by:

checkDeepPermission in interface PolicyDisclosure

Parameters:

perm - Permission to be checked by the Guard in order to allow/disallow an action.

context - An Object describing the context of the action.

Throws:

java.lang.NullPointerException - if the Permission argument is null.

KAoSSecurityException - containing the ids of forbidding policies, if any.

ServiceFailure

findPolicyDecision

public java.util.Vector findPolicyDecision(java.security.Permission perm,
                                           java.lang.Object context)
                                    throws ObligationViolationException,
                                           KAoSSecurityException,
                                           java.lang.NullPointerException,
                                           ServiceFailure

The method checks if the given action is permitted according to the current set of policies, or if the given action is a trigger for some obligation policy. If the action is not permitted, the method throws an exception, but if the action is a trigger, the method returns a vector containing all those obligation policies for whom the action is a trigger.

Specified by:

findPolicyDecision in interface PolicyDisclosure

Parameters:

perm - Permission to be checked by the Guard in order to allow/disallow an action; or the trigger to be checked for obligation policies.

context - An Object describing the context of the action.

Throws:

KAoSSecurityException - if the action is not allowed.

java.lang.NullPointerException - if the Permission argument is null.

ObligationViolationException

ServiceFailure

isActionAuthorized

protected boolean isActionAuthorized(ActionInstanceDescription actionDesc)
                              throws UnknownConceptException,
                                     java.lang.InterruptedException

Check if the specified instance of an action is authorized.

Parameters:

actionDesc - ActionInstanceDescription providing detail description of the action

Returns:

true if the action can be perfome and false if not

Throws:

UnknownConceptException - if any of used names is unknow for the ontology repository, details will be provided in the return string.

java.lang.InterruptedException - if the calling Thread is interrupted whiled waiting to complete the execution of this method.

matchPolicyHistory

protected boolean matchPolicyHistory(PolicyInformation ps)

This method checks if the history action in the given policy has the # instances that the policy specifies, in the log of this guard. If yes, it returns true otherwise false.

getPolicyForbiddingAction

protected java.lang.String getPolicyForbiddingAction(ActionInstanceDescription actionDesc)
                                              throws UnknownConceptException,
                                                     java.lang.InterruptedException

Find if any existing explicit policy firbides the given action. the boolean variable '_deepCheck' which is checked in this method is set when a user calls the method 'checkDeepPermission'. Briefly, this method, instead of returning when the first matched policy is found, directs us to go on and list all such policies (if any) that prohibit this action. Hence, if that variable is set, this method collects such policy ids in a private vector, so 'checkDeepPermission' can return that result later on. Note that this check stops when it hits the firts A+ applicable policy, or in the absence of it, when the entire list is traversed.

Parameters:

actionDesc - ActionInstanceDescription providing detail description of the action

Returns:

id of the policy forbiding the action or null if there is no such policy

Throws:

UnknownConceptException - if any of used names is unknow for the ontology repository, details will be provided in the return string.

java.lang.InterruptedException - if the calling Thread is interrupted whiled waiting to complete the execution of this method.

matchPolicy

protected boolean matchPolicy(ActionInstanceDescription actionDesc,
                              BasicActionDescription ps,
                              java.lang.String mod)

This function matches the properties of the given policy information object to those of the action description object. If all properties match, it returns _FULL_POLICY_MATCH_. If at least one property doesn't match at all, it returns _NO_POLICY_MATCH_. If a. at least one property matches partially, or b. at least one property from policy info is absent in the action description, or c. both, a. and b. it returns _PARTIAL_POLICY_MATCH_.

getAllowedActions

public java.util.Vector getAllowedActions()

getNickName

protected java.lang.String getNickName()

addPolicy

protected void addPolicy(PolicyMsg polMsg)

Policy Management Methods

removePolicy

protected void removePolicy(PolicyMsg polMsg)

changePolicy

protected void changePolicy(PolicyMsg policyMsg)

setPolicyBootstrapper

public void setPolicyBootstrapper(PolicyBootstrapper pb)

Sets the policy bootstrapper which gives the boot policies and default modality to use before the DirectoryService is contacted This should be called before any enforcers register, and before initialize() is called

initExecEnvironment

protected boolean initExecEnvironment(java.util.Vector domainNames,
                                      KAoSServiceRoot sr,
                                      JasBean guardInitInfo,
                                      EnforcerFactory enforcerFactory,
                                      java.lang.Object infrastructureInfo,
                                      InstanceClassifierFactory instClassifierFactory,
                                      java.util.List controlledActorClasses,
                                      java.util.List controlledActionClasses,
                                      PersistenceManager persistMgr)

restoreState

public void restoreState(GuardPersistenceManager gpm,
                         KAoSServiceRoot sr,
                         JasBean guardInitInfo,
                         boolean connectToDS,
                         boolean connectToTransport)
                  throws GuardInstantiationException

Throws:

GuardInstantiationException

getExpandedProperty

public java.lang.String getExpandedProperty(java.lang.String key)
                                     throws java.lang.Exception

Throws:

java.lang.Exception

getProperty

public java.lang.String getProperty(java.lang.String key,
                                    java.lang.String defaultValue)

getProperty

public java.lang.String getProperty(java.lang.String key)

setUsePolCert

public void setUsePolCert(boolean usePolCert)

monitorAuthorizationFailure

protected void monitorAuthorizationFailure(ActionInstanceDescription origActionDesc)

Monitoring and Response Policy Enforcement: Authorization Failure methods - begin

getRepositoryManager

public GuardRepositoryManager getRepositoryManager(java.lang.String repType)

Guard manager interface implementation begins

Specified by:

getRepositoryManager in interface GuardManager

Parameters:

repType - A String indicating the type of repository.

Returns:

The repository manager object for the given type of repository

removeRepositoryManager

public GuardRepositoryManager removeRepositoryManager(java.lang.String repType)

Description copied from interface: GuardManager

Remove from this guard the repository manager object for the given type of repository

Specified by:

removeRepositoryManager in interface GuardManager

Parameters:

repType - A String indicating the type of repository.

Returns:

The removed repository manager object for the given type of repository

setRepositoryManager

public void setRepositoryManager(java.lang.String repType,
                                 GuardRepositoryManager repManager)

Description copied from interface: GuardManager

Set the repository manager object for the given type of repository

Specified by:

setRepositoryManager in interface GuardManager

Parameters:

repType - A String indicating the type of repository.

repManager - The RepositoryManager object to be set for the given type.

getAllRepositoryManagers

public java.util.Vector getAllRepositoryManagers()

Description copied from interface: GuardManager

Get all Repository Manager objects contained in this guard.

Specified by:

getAllRepositoryManagers in interface GuardManager

Returns:

A Vector containing all Repository Manager objects.

removeAllRepositoryManagers

public void removeAllRepositoryManagers()

Description copied from interface: GuardManager

Remove all Repository Manager objects contained in this guard.

Specified by:

removeAllRepositoryManagers in interface GuardManager

getPolicyDBManager

public PolicyDBManager getPolicyDBManager()

Description copied from interface: GuardManager

Get the manager for the policy database contained in the guard.

Specified by:

getPolicyDBManager in interface GuardManager

Returns:

A manager obejct for the policy database.

getGuardLogManager

public HistoryMonitor getGuardLogManager()

Description copied from interface: GuardManager

Get the manager for the event log contained in the guard.

Specified by:

getGuardLogManager in interface GuardManager

Returns:

A manager obejct for the event log.

setPolicies

public void setPolicies(java.util.List policies)

Description copied from interface: PolicyDistributor

Replace the current policy set with the given set

Specified by:

setPolicies in interface PolicyDistributor

getGuardStateFor

public GuardState getGuardStateFor()

this method returns the state of this guard

saveState

public void saveState(java.lang.String fileName)

this method saves the state of guard in a file.

Parameters:

fileName - the name of file into which to save state.

logActionStatus

public void logActionStatus(ActionInstanceDescription status)

getInstancesOf

public java.util.Set getInstancesOf(java.lang.String concept)
                             throws UnknownConceptException,
                                    DirectoryFailure

Throws:

UnknownConceptException

DirectoryFailure