public class SigningPolicyParser
extends java.lang.Object
eacl ::= {eacl_entry}
eacl_entry ::= {access_identity} pos_rights {restriction}
{pos_rights {restriction}} | {access_identity} neg_rights
access_identity ::= access_identity_type def_authority value
access_identity_type ::= "access_id_HOST" | "access_id_USER" |
"access_id_GROUP" | "access_id_CA" | "access_id_APPLICATION" |
"access_id_ANYBODY"
pos_rights ::= "pos_rights" def_authority value
{"pos_rights" def_authority value}
neg_rights ::= "neg_rights" def_authority value
{"neg_rights" def_authority value}
restriction ::= condition_type def_authority value
condition_type ::= alphanumeric_string
def_authority ::= alphanumeric_string
value ::= alphanumeric_string
This class takes a signing policy file as input and parses it to extract the policy that is enforced. Only the following policy is enforced: access_id_CA with defining authority X509 and the CA DN as value; any positive rights following it with globus as defining authority and value CA:sign; and lastly the restriction "cond_subjects" with globus as defining authority and the DNs the CA is authorized to sign. Restrictions are assumed to start with cond_. Order of rights matters, so the first occurrence of CA:Sign with allowed DNs is used and the rest of the policy is ignored.
For a given signing policy file, only policy with the particular CA's DN is parsed.
Subject names may include the following wildcard characters: * matches zero or any number of characters; ? matches any single character.
All subject names should be in Globus format, with slashes, and should NOT be reversed.
The allowed DN patterns are returned as a vector of java.util.regex.Pattern. The wildcard (*) and single-character (?) tokens of the BNF grammar above are replaced with the regular-expression syntax needed by the Pattern class.
Modifier and Type | Field and Description |
---|---|
static java.lang.String |
ACCESS_ID_CA |
static java.lang.String |
ACCESS_ID_PREFIX |
(package private) static java.lang.String[] |
ALLOWED_LINE_START |
static java.lang.String |
CONDITION_PREFIX |
static java.lang.String |
CONDITION_SUBJECT |
static java.lang.String |
DEF_AUTH_GLOBUS |
static java.lang.String |
DEF_AUTH_X509 |
private org.apache.commons.logging.Log |
logger |
private static int |
MIN_TOKENS_PER_LINE |
static java.lang.String |
NEG_RIGHTS |
static java.lang.String |
POS_RIGHTS |
static java.lang.String |
SINGLE_CHAR |
static java.lang.String |
SINGLE_PATTERN |
static java.lang.String |
VALUE_CA_SIGN |
static java.lang.String |
WILDCARD |
static java.lang.String |
WILDCARD_PATTERN |
Constructor and Description |
---|
SigningPolicyParser() |
Modifier and Type | Method and Description |
---|---|
private void |
checkRights(java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> policies,
java.io.BufferedReader bufferedReader,
java.lang.String caDN,
boolean usefulEntry,
java.lang.Boolean posNegRights) |
private void |
cleanupReaders(java.io.Reader reader,
java.io.BufferedReader bufferedReader) |
private int |
findIndex(java.lang.String line) |
private java.util.Vector<java.util.regex.Pattern> |
getAllowedDNs(java.lang.String line) |
private java.lang.String |
getCA(java.lang.String inputLine) |
private java.lang.String |
getCaDN(java.lang.String line,
java.lang.String caDN) |
static java.util.regex.Pattern |
getPattern(java.lang.String patternStr)
Method that takes a pattern string as described in the signing policy
file, with * for zero or many characters and ? for a single character, and
converts it into a java.util.regex.Pattern object.
|
private boolean |
handleConditionalLine(java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> policies,
java.lang.String line,
java.lang.String caDN,
boolean usefulEntry,
java.lang.Boolean posNegRights) |
private java.lang.Boolean |
handleNegativeRights(java.lang.Boolean posNegRights) |
private boolean |
isCASignRight(java.lang.String line) |
private boolean |
isUsefulEntry(java.lang.String line) |
private boolean |
isValidLine(java.lang.String line) |
java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> |
parse(java.io.Reader reader)
Parses input stream to extract signing policy defined for CA with the
specified DN.
|
java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> |
parse(java.lang.String fileName)
Parses the file to extract signing policy defined for CA with the
specified DN.
|
private void |
validatePositiveRights(java.lang.Boolean posNegRights) |
public static final java.lang.String ACCESS_ID_PREFIX
public static final java.lang.String ACCESS_ID_CA
public static final java.lang.String DEF_AUTH_X509
public static final java.lang.String DEF_AUTH_GLOBUS
public static final java.lang.String POS_RIGHTS
public static final java.lang.String NEG_RIGHTS
public static final java.lang.String CONDITION_PREFIX
public static final java.lang.String CONDITION_SUBJECT
public static final java.lang.String VALUE_CA_SIGN
public static final java.lang.String SINGLE_CHAR
public static final java.lang.String WILDCARD
public static final java.lang.String SINGLE_PATTERN
public static final java.lang.String WILDCARD_PATTERN
private static final int MIN_TOKENS_PER_LINE
static final java.lang.String[] ALLOWED_LINE_START
private org.apache.commons.logging.Log logger
public java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> parse(java.lang.String fileName) throws java.io.FileNotFoundException, SigningPolicyException
fileName
- Name of the signing policy file
SigningPolicyException
- Any errors with parsing the signing policy file.
java.io.FileNotFoundException
- If the signing policy file does not exist.
public java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> parse(java.io.Reader reader) throws SigningPolicyException
reader
- Reader to any input stream to get the signing policy information.
SigningPolicyException
- Any errors with parsing the signing policy.
private void checkRights(java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> policies, java.io.BufferedReader bufferedReader, java.lang.String caDN, boolean usefulEntry, java.lang.Boolean posNegRights) throws java.io.IOException, SigningPolicyException
java.io.IOException
SigningPolicyException
private boolean handleConditionalLine(java.util.Map<javax.security.auth.x500.X500Principal,SigningPolicy> policies, java.lang.String line, java.lang.String caDN, boolean usefulEntry, java.lang.Boolean posNegRights) throws SigningPolicyException
SigningPolicyException
private java.lang.String getCaDN(java.lang.String line, java.lang.String caDN) throws SigningPolicyException
SigningPolicyException
private void validatePositiveRights(java.lang.Boolean posNegRights) throws SigningPolicyException
SigningPolicyException
private boolean isUsefulEntry(java.lang.String line) throws SigningPolicyException
SigningPolicyException
private java.lang.Boolean handleNegativeRights(java.lang.Boolean posNegRights) throws SigningPolicyException
SigningPolicyException
private void cleanupReaders(java.io.Reader reader, java.io.BufferedReader bufferedReader)
private boolean isValidLine(java.lang.String line) throws SigningPolicyException
SigningPolicyException
private java.util.Vector<java.util.regex.Pattern> getAllowedDNs(java.lang.String line) throws SigningPolicyException
SigningPolicyException
private boolean isCASignRight(java.lang.String line) throws SigningPolicyException
SigningPolicyException
private java.lang.String getCA(java.lang.String inputLine) throws SigningPolicyException
SigningPolicyException
public static java.util.regex.Pattern getPattern(java.lang.String patternStr)
patternStr
- Pattern string as described in the signing policy file,
with * for zero or many characters and ? for a single character
private int findIndex(java.lang.String line)