/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* https://opensso.dev.java.net/public/CDDLv1.0.html or
* opensso/legal/CDDLv1.0.txt
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: XACMLAuthzDecisionQueryImpl.java,v 1.4 2008/06/25 05:48:15 qcheng Exp $
*
*/
package com.sun.identity.xacml.saml2.impl;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.protocol.impl.RequestAbstractImpl;
import com.sun.identity.saml2.protocol.ProtocolFactory;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.shared.DateUtils;
import com.sun.identity.xacml.common.XACMLException;
import com.sun.identity.xacml.common.XACMLConstants;
import com.sun.identity.xacml.common.XACMLSDKUtils;
import com.sun.identity.xacml.context.Request;
import com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery;
import com.sun.identity.xacml.context.ContextFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import java.text.ParseException;
/**
 * The {@code XACMLAuthzDecisionQueryImpl} is an implementation
 * of the {@code XACMLAuthzDecisionQuery} interface.
 * <p>
 * The {@code XACMLAuthzDecisionQuery} element is a SAML Query that
 * extends the SAML Protocol schema type {@code RequestAbstractType}.
 * It allows an XACML PEP to submit an XACML Request Context in a SAML
 * Query along with other information. This element is an alternative to
 * the SAML-defined {@code samlp:AuthzDecisionQuery} that allows an
 * XACML PEP to communicate with an XACML PDP using the SAML2 protocol.
 * <p>
 * Schema:
 * <pre>{@code
 * <xs:element name="XACMLAuthzDecisionQuery"
 *             type="XACMLAuthzDecisionQueryType"/>
 * <xs:complexType name="XACMLAuthzDecisionQueryType">
 *   <xs:complexContent>
 *     <xs:extension base="samlp:RequestAbstractType">
 *       <xs:sequence>
 *         <xs:element ref="xacml-context:Request"/>
 *       </xs:sequence>
 *       <xs:attribute name="InputContextOnly" type="boolean"
 *                     use="optional" default="false"/>
 *       <xs:attribute name="ReturnContext" type="boolean"
 *                     use="optional" default="false"/>
 *     </xs:extension>
 *   </xs:complexContent>
 * </xs:complexType>
 * }</pre>
 *
 * Schema for the base type:
 * <pre>{@code
 * <complexType name="RequestAbstractType" abstract="true">
 *   <sequence>
 *     <element ref="saml:Issuer" minOccurs="0"/>
 *     <element ref="ds:Signature" minOccurs="0"/>
 *     <element ref="samlp:Extensions" minOccurs="0"/>
 *   </sequence>
 *   <attribute name="ID" type="ID" use="required"/>
 *   <attribute name="Version" type="string" use="required"/>
 *   <attribute name="IssueInstant" type="dateTime" use="required"/>
 *   <attribute name="Destination" type="anyURI" use="optional"/>
 *   <attribute name="Consent" type="anyURI" use="optional"/>
 * </complexType>
 * }</pre>
 * <p>
 * NOTE(review): the setters document an {@code XACMLException} for
 * immutable objects, but none of them consults {@code isMutable} and
 * {@link #makeImmutable()} is still a TODO, so the object is effectively
 * always mutable. Parsed input (Element/String constructors) originates
 * from the requesting PEP and is treated as untrusted by
 * {@link #parseDOMElement(Element)}.
 *
 * @supported.all.api
 */
public class XACMLAuthzDecisionQueryImpl extends RequestAbstractImpl implements XACMLAuthzDecisionQuery {
    //TODO: need to reimplement toXML, toXML, process,
    //makeImmutable, isMutable methods

    // xacml-samlp:InputContextOnly attribute; schema default is false
    private boolean inputContextOnly = false;
    // xacml-samlp:ReturnContext attribute; schema default is false
    private boolean returnContext = false;
    // the single xacml-context:Request child; may stay null after parsing
    private Request request;
    // original XML text; written by the String constructor, never read here
    private String xmlString;

    /**
     * Default constructor. Creates an empty, mutable query.
     */
    public XACMLAuthzDecisionQueryImpl() {
        isMutable = true;
    }

    /**
     * Builds an {@code XACMLAuthzDecisionQuery} object from a block of
     * existing XML that has already been built into a DOM.
     * <p>
     * If the element contains a {@code ds:Signature} child, the element's
     * printed form is retained as {@code signedXMLString} so that
     * {@link #toXMLString()} can return the signed text unchanged. Presence
     * of a Signature is recorded only; no verification happens here.
     *
     * @param element a {@code org.w3c.dom.Element} representing the DOM tree
     *     for the XACMLAuthzDecisionQuery object
     * @exception SAML2Exception if it could not process the Element
     */
    public XACMLAuthzDecisionQueryImpl(Element element) throws SAML2Exception {
        parseDOMElement(element);
        if (isSigned) {
            signedXMLString = XMLUtils.print(element);
        }
    }
/**
 * Builds an {@code XACMLAuthzDecisionQuery} object from an XML string.
 * <p>
 * The string is parsed into a DOM by {@code XMLUtils.toDOMDocument}; parser
 * hardening (DTD / external entity handling) is that helper's
 * responsibility and is not configured here. When the parsed element
 * carries a Signature, the original text is kept as the signed form.
 *
 * @param xml a {@code String} holding an XACMLAuthzDecisionQuery
 * @exception SAML2Exception if the string cannot be turned into a DOM, or if
 *     the resulting root element is rejected by
 *     {@link #parseDOMElement(Element)}
 */
public XACMLAuthzDecisionQueryImpl(String xml) throws SAML2Exception {
    Document document = XMLUtils.toDOMDocument(xml, XACMLSDKUtils.debug);
    if (document == null) {
        XACMLSDKUtils.debug.error(
            "XACMLAuthzDecisionQueryImpl.processElement(): invalid XML "
            + "input");
        throw new XACMLException(XACMLSDKUtils.xacmlResourceBundle.getString(
            "errorObtainingElement"));
    }
    parseDOMElement(document.getDocumentElement());
    this.xmlString = xml;
    if (isSigned) {
        signedXMLString = xml;
    }
}
/**
 * Returns the XML attribute boolean value which governs the source of
 * information that the PDP is allowed to use in making an authorization
 * decision. If this attribute is {@code true} the authorization decision
 * has been made solely on the basis of information contained in the
 * XACMLAuthzDecisionQuery; no external attributes have been used. If it is
 * {@code false} the decision may have been made on the basis of external
 * attributes not contained in the XACMLAuthzDecisionQuery.
 *
 * @return {@code boolean} indicating the value of this attribute
 */
public boolean getInputContextOnly() {
    return inputContextOnly;
}
/**
 * Sets the XML attribute boolean value which governs the source of
 * information that the PDP is allowed to use in making an authorization
 * decision. If this attribute is {@code true} it indicates to the PDP that
 * the authorization decision has to be made solely on the basis of
 * information contained in the XACMLAuthzDecisionQuery; no external
 * attributes may be used. If it is {@code false} the decision can be made
 * on the basis of external attributes not contained in the
 * XACMLAuthzDecisionQuery.
 *
 * @param inputContextOnly {@code boolean} indicating the value of this
 *     attribute
 * @exception XACMLException if the object is immutable. An object is
 *     considered immutable if {@code makeImmutable()} has been invoked on
 *     it; this can be determined by calling {@code isMutable} on the
 *     object. NOTE(review): that check is not implemented here; the value
 *     is always assigned.
 */
public void setInputContextOnly(boolean inputContextOnly) throws
    XACMLException
{
    this.inputContextOnly = inputContextOnly;
}
/**
 * Returns the XML attribute boolean value which provides a means for the
 * PEP to request that an {@code xacml-context:Request} element be included
 * in the XACMLAuthzDecisionStatement resulting from the request. It also
 * governs the contents of that {@code xacml-context:Request} element in the
 * XACMLAuthzDecisionStatement element of the XACMLResponse.
 * The {@code xacml-context:Request} SHALL include all the attributes
 * supplied by the PEP in the AuthzDecisionQuery which were used in making
 * the authz decision. Other additional attributes which may have been used
 * by the PDP may be included. If this attribute is {@code false} then the
 * PDP SHALL NOT include the {@code xacml-context:Request} element in the
 * XACMLAuthzDecisionStatement.
 *
 * @return {@code boolean} indicating the value of this attribute
 */
public boolean getReturnContext() {
    return returnContext;
}
/**
 * Sets the boolean value of the {@code ReturnContext} XML attribute.
 *
 * @param returnContext {@code boolean} indicating the value of this
 *     attribute
 * @exception XACMLException if the object is immutable. An object is
 *     considered immutable if {@code makeImmutable()} has been invoked on
 *     it; this can be determined by calling {@code isMutable} on the
 *     object. NOTE(review): that check is not implemented here; the value
 *     is always assigned.
 * @see #getReturnContext()
 */
public void setReturnContext(boolean returnContext) throws XACMLException {
    this.returnContext = returnContext;
}
/**
 * Returns the {@code xacml-context:Request} element of this object.
 *
 * @return the {@code xacml-context:Request} element of this object, or
 *     {@code null} if none was set or parsed
 */
public Request getRequest() {
    return request;
}
/**
 * Sets the {@code xacml-context:Request} element of this object.
 *
 * @param request the {@code xacml-context:Request} element of this object;
 *     must not be {@code null}
 * @exception XACMLException if {@code request} is {@code null}, or if the
 *     object is immutable. An object is considered immutable if
 *     {@code makeImmutable()} has been invoked on it; this can be
 *     determined by calling {@code isMutable} on the object.
 *     NOTE(review): only the null check is implemented; the immutability
 *     check is not.
 */
public void setRequest(Request request) throws XACMLException {
    if (request != null) {
        this.request = request;
        return;
    }
    throw new XACMLException(
        XACMLSDKUtils.xacmlResourceBundle.getString(
            "null_not_valid"));
}
/**
 * Returns a string representation of this object, written as a top-level
 * element: the namespace prefix is included and the namespaces are
 * declared on it.
 *
 * @return a string representation of this object
 * @exception XACMLException if conversion fails for any reason
 */
public String toXMLString() throws XACMLException {
    final boolean topLevel = true;
    return toXMLString(topLevel, topLevel);
}
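/**
 * Returns a {@code String} representation of this object.
 * <p>
 * When the object was built from signed XML and that text is still held,
 * it is returned verbatim so the signature stays verifiable; nothing is
 * re-serialised in that case (values changed through the setters after
 * construction are therefore not reflected).
 *
 * @param includeNSPrefix whether the namespace prefix is prepended to the
 *     nested Issuer and Extensions elements; the outer
 *     {@code RequestAbstract} element is always written with the SAMLP
 *     prefix
 * @param declareNS whether the namespace is declared on the nested Issuer
 *     and Extensions elements; the outer element always carries the SAMLP,
 *     XSI and XACML-SAMLP declarations
 * @return a string representation of this object
 * @exception XACMLException if conversion fails for any reason
 */
public String toXMLString(boolean includeNSPrefix, boolean declareNS)
    throws XACMLException {
    if (isSigned && signedXMLString != null) {
        return signedXMLString;
    }
    //validateData();
    // The two flags are only forwarded to the nested elements below; the
    // outer element's prefix and namespace declarations are fixed constants.
    StringBuilder sb = new StringBuilder(1000);
    sb.append("\n<")
        .append(XACMLConstants.SAMLP_NS_PREFIX)
        .append(XACMLConstants.REQUEST_ABSTRACT)
        .append(XACMLConstants.SAMLP_NS_DECLARATION)
        .append(XACMLConstants.XSI_TYPE_XACML_AUTHZ_DECISION_QUERY)
        .append(XACMLConstants.XSI_NS_DECLARATION)
        .append(XACMLConstants.XACML_SAMLP_NS_DECLARATION)
        .append(XACMLConstants.SPACE)
        .append(XACMLConstants.XACML_SAMLP_NS_PREFIX)
        .append(XACMLConstants.INPUT_CONTEXT_ONLY).append("=")
        .append(XACMLSDKUtils.quote(Boolean.toString(inputContextOnly)))
        .append(XACMLConstants.SPACE)
        .append(XACMLConstants.XACML_SAMLP_NS_PREFIX)
        .append(XACMLConstants.RETURN_CONTEXT).append("=")
        .append(XACMLSDKUtils.quote(Boolean.toString(returnContext)))
        .append(XACMLConstants.SPACE)
        .append("ID").append("=")
        .append(XACMLSDKUtils.quote(requestId))
        .append(XACMLConstants.SPACE)
        .append("Version").append("=")
        .append(XACMLSDKUtils.quote(version))
        .append(XACMLConstants.SPACE)
        .append("IssueInstant").append("=")
        .append(XACMLSDKUtils.quote(DateUtils.toUTCDateFormat(
            issueInstant)));
    // NOTE(review): Destination and Consent are written raw, unlike the
    // quote()d attributes above. If either can carry '"', '<' or '&' the
    // output is not well-formed XML; confirm whether quote() escapes and,
    // if so, route these two values through it as well.
    if (destinationURI != null && destinationURI.trim().length() != 0) {
        sb.append(" Destination=\"").append(destinationURI).append("\"");
    }
    if (consent != null && consent.trim().length() != 0) {
        sb.append(" Consent=\"").append(consent).append("\"");
    }
    sb.append(">\n");
    try {
        if (nameID != null) {
            sb.append(nameID.toXMLString(includeNSPrefix, declareNS));
        }
        if (signatureString != null) {
            sb.append(signatureString);
        }
        if (extensions != null) {
            sb.append(extensions.toXMLString(includeNSPrefix, declareNS));
        }
    } catch (Exception e) {
        // Was an empty catch: a failed Issuer/Extensions serialisation
        // silently yielded a truncated query. The best-effort behaviour is
        // kept, but the failure now leaves a trace in the SDK log.
        XACMLSDKUtils.debug.error(
            "XACMLAuthzDecisionQueryImpl.toXMLString(): failed to "
            + "serialise Issuer/Extensions: " + e.getMessage());
    }
    if (request != null) {
        sb.append(request.toXMLString(true, true)).append("\n");
    }
    // Closing tag. The previous code omitted the "</" and emitted
    // "\nsamlp:RequestAbstract>\n", which is not well-formed XML.
    sb.append("\n</")
        .append(XACMLConstants.SAMLP_NS_PREFIX)
        .append(XACMLConstants.REQUEST_ABSTRACT)
        .append(">\n");
    return sb.toString();
}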
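/**
 * Populates this object from a DOM {@code samlp:RequestAbstract} element
 * carrying an XACMLAuthzDecisionQuery.
 * <p>
 * Reads, in this order: the single {@code xacml-context:Request} child,
 * the {@code ReturnContext}/{@code InputContextOnly} attributes in the
 * XACML-SAMLP namespace, the {@code RequestAbstractType} attributes
 * (ID, Version, IssueInstant, Destination) and the base-class children
 * (Issuer, Signature, Extensions, which must appear in that order and at
 * most once each). Finally {@link #validateData()} is run.
 * <p>
 * The {@code xsi:type} attribute is not yet checked (TODO below), and a
 * query with no Request child is still accepted, as in the original code.
 * A Signature child is only recorded ({@code isSigned}), not verified here.
 *
 * @param element the DOM element to parse; its content comes from the
 *     requesting PEP and is treated as untrusted
 * @throws SAML2Exception if the element is null or has the wrong local
 *     name, holds more than one Request/Issuer/Signature/Extensions child,
 *     has those children out of sequence, contains an unknown child
 *     element, has an unparseable IssueInstant, or fails
 *     {@link #validateData()}
 */
protected void parseDOMElement(Element element) throws SAML2Exception {
    //TODO: fix
    if (element == null) {
        XACMLSDKUtils.debug.error(
            "XACMLAuthzDecisionQueryImpl.processElement(): "
            + "invalid root element");
        throw new XACMLException( XACMLSDKUtils.xacmlResourceBundle.getString(
            "invalid_element"));
    }
    // First check that we're really parsing an XACMLAuthzDecisionQuery.
    // A DOM built without namespace awareness reports a null local name;
    // comparing constant-first rejects that case instead of throwing NPE.
    if (!XACMLConstants.REQUEST_ABSTRACT.equals(element.getLocalName())) {
        XACMLSDKUtils.debug.error(
            "XACMLAuthzDecisionQueryImpl.processElement(): "
            + "invalid root element");
        throw new XACMLException( XACMLSDKUtils.xacmlResourceBundle.getString(
            "missing_local_name"));
    }
    //TODO: check for xsi:type=
    parseRequestChild(element);
    parseQueryAttributes(element);
    parseRequestAbstractAttributes(element);
    parseRequestAbstractChildren(element);
    validateData();
}

/**
 * Extracts the single {@code xacml-context:Request} element child into
 * {@code request}. A second Request child is a schema violation and is
 * rejected (this resolves the earlier "validation error, throw error"
 * TODO); a missing Request is tolerated, see the note at the end.
 *
 * @param element the query element whose children are scanned
 * @throws SAML2Exception on a duplicate Request, or if the context factory
 *     cannot build the Request
 */
private void parseRequestChild(Element element) throws SAML2Exception {
    NodeList nodes = element.getChildNodes();
    ContextFactory factory = ContextFactory.getInstance();
    for (int i = 0; i < nodes.getLength(); i++) {
        Node node = nodes.item(i);
        // getChildNodes() never yields attribute nodes, so only elements
        // need to be considered; getLocalName() may be null, hence the
        // constant-first comparison.
        if (node.getNodeType() != Node.ELEMENT_NODE) {
            continue;
        }
        if (XACMLConstants.REQUEST.equals(node.getLocalName())) {
            if (request != null) {
                throw schemaError(
                    "XACMLAuthzDecisionQueryImpl.parseDOMElement"
                    + "Element: included more than one Request.",
                    "invalid_duplicate_element");
            }
            request = factory.createRequest((Element) node);
        }
    }
    // NOTE(review): the schema requires exactly one Request, but the
    // original code left the missing-Request check commented out, so a
    // query without one is still accepted (getRequest() returns null) and
    // callers must cope with that. Only a debug trace is left here.
    if (request == null && XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message(
            "XACMLAuthzDecisionQueryImpl.parseDOMElement"
            + "Element: no Request element found.");
    }
}

/**
 * Reads the {@code ReturnContext} and {@code InputContextOnly} attributes
 * from the XACML-SAMLP namespace into the corresponding fields.
 * {@code getAttributeNS()} returns "" for an absent attribute, and
 * {@code Boolean.valueOf("")} is false, so the schema default of false
 * holds without special handling.
 *
 * @param element the query element carrying the attributes
 */
private void parseQueryAttributes(Element element) {
    String returnContextString = element.getAttributeNS(
        XACMLConstants.XACML_SAMLP_NS_URI,
        XACMLConstants.RETURN_CONTEXT);
    String inputContextOnlyString = element.getAttributeNS(
        XACMLConstants.XACML_SAMLP_NS_URI,
        XACMLConstants.INPUT_CONTEXT_ONLY);
    // Replaces two System.out.println calls: request data parsed from the
    // wire belongs in the guarded SDK debug log, not on stdout.
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message(
            "XACMLAuthzDecisionQueryImpl.parseDOMElement(): ReturnContext:"
            + returnContextString + " InputContextOnly:"
            + inputContextOnlyString);
    }
    if (returnContextString != null) {
        returnContext = Boolean.valueOf(returnContextString).booleanValue();
    }
    if (inputContextOnlyString != null) {
        inputContextOnly = Boolean.valueOf(inputContextOnlyString)
            .booleanValue();
    }
}

/**
 * Parses the {@code RequestAbstractType} attributes (ID, Version,
 * IssueInstant, Destination) into the inherited fields. Attributes are
 * matched by their qualified name, so the prefixed XACML-SAMLP attributes
 * handled by {@link #parseQueryAttributes(Element)} do not collide.
 * Consent is defined by the base schema but, as before, not read here.
 *
 * @param element the query element carrying the attributes
 * @throws SAML2Exception if IssueInstant cannot be parsed as a date
 */
private void parseRequestAbstractAttributes(Element element)
    throws SAML2Exception {
    //TODO: change the baseclass impl and call super.parse...
    NamedNodeMap atts = element.getAttributes();
    if (atts == null) {
        return;
    }
    int length = atts.getLength();
    for (int i = 0; i < length; i++) {
        Attr attr = (Attr) atts.item(i);
        String attrName = attr.getName();
        String attrValue = attr.getValue().trim();
        if (attrName.equals("ID")) {
            requestId = attrValue;
        } else if (attrName.equals("Version")) {
            version = attrValue;
        } else if (attrName.equals("IssueInstant")) {
            try {
                issueInstant = DateUtils.stringToDate(attrValue);
            } catch (ParseException pe) {
                // NOTE(review): XACMLException(String) drops the cause;
                // prefer a (String, Throwable) constructor if one exists.
                throw new XACMLException(pe.getMessage());
            }
        } else if (attrName.equals("Destination")) {
            destinationURI = attrValue;
        }
    }
}

/**
 * Parses the {@code RequestAbstractType} children (Issuer, Signature,
 * Extensions), enforcing schema order and uniqueness. The Request child is
 * skipped because {@link #parseRequestChild(Element)} already consumed it;
 * any other element child is rejected. The log tags below still read
 * "ArtifactResolveImpl" (copied from that class) and are left unchanged.
 *
 * @param element the query element whose children are scanned
 * @throws SAML2Exception on duplicate, out-of-sequence or unknown children
 */
private void parseRequestAbstractChildren(Element element)
    throws SAML2Exception {
    NodeList nl = element.getChildNodes();
    int length = nl.getLength();
    for (int i = 0; i < length; i++) {
        Node child = nl.item(i);
        String childName = child.getLocalName();
        if (childName == null) {
            // text/comment nodes and DOM Level 1 nodes carry no local name
            continue;
        }
        if (childName.equals("Issuer")) {
            if (nameID != null) {
                throw schemaError(
                    "ArtifactResolveImpl.parse"
                    + "Element: included more than one Issuer.",
                    "invalid_duplicate_element");
            }
            if (signatureString != null || extensions != null) {
                throw schemaError(
                    "ArtifactResolveImpl.parse"
                    + "Element:wrong sequence.",
                    "schemaViolation");
            }
            nameID = AssertionFactory.getInstance().createIssuer(
                (Element) child);
        } else if (childName.equals("Signature")) {
            if (signatureString != null) {
                throw schemaError(
                    "ArtifactResolveImpl.parse"
                    + "Element:included more than one Signature.",
                    "invalid_duplicate_element");
            }
            if (extensions != null) {
                throw schemaError(
                    "ArtifactResolveImpl.parse"
                    + "Element:wrong sequence.",
                    "schemaViolation");
            }
            // Presence only: the signature is kept as text and flagged; no
            // verification is performed in this class.
            signatureString = XMLUtils.print((Element) child);
            isSigned = true;
        } else if (childName.equals("Extensions")) {
            if (extensions != null) {
                throw schemaError(
                    "ArtifactResolveImpl.parse"
                    + "Element:included more than one Extensions.",
                    "invalid_duplicate_element");
            }
            extensions = ProtocolFactory.getInstance().createExtensions(
                (Element) child);
        } else if (childName.equals("Request")) {
            //no action, it has been processed already
        } else {
            throw schemaError(
                "XACMLAuthzDecisionQueryImpl.parseDOMElement"
                + "Element: Invalid element:" + childName,
                "invalidElement");
        }
    }
}

/**
 * Logs {@code logMessage} at message level (when enabled) and builds the
 * {@code XACMLException} for resource-bundle key {@code bundleKey}. The
 * caller throws the result so control flow stays visible at the call site.
 *
 * @param logMessage the debug message to record
 * @param bundleKey the key of the user-facing message in the XACML bundle
 * @return the exception to throw
 */
private XACMLException schemaError(String logMessage, String bundleKey) {
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message(logMessage);
    }
    return new XACMLException(
        XACMLSDKUtils.xacmlResourceBundle.getString(bundleKey));
}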
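/**
 * Makes the object immutable.
 * <p>
 * Previously a no-op, so {@code isMutable} stayed whatever the constructor
 * set. Now this object's own flag is cleared so {@code isMutable} reports
 * the documented state. Note that the setters of this class do not yet
 * consult the flag, and nested objects (Issuer, Extensions, Request) are
 * not made immutable here.
 */
public void makeImmutable() {
    //TODO: propagate to nested Issuer/Extensions/Request (base-class
    //makeImmutable and Request.makeImmutable) once their contracts are
    //confirmed, and enforce the flag in the setters.
    isMutable = false;
}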
/**
 * Validates the parsed data by delegating to the base-class
 * {@code RequestAbstractImpl#validateData()}. No XACML-specific checks
 * (such as requiring a Request child) are performed here.
 *
 * @throws SAML2Exception if the base-class validation fails
 */
protected void validateData() throws SAML2Exception {
    //TODO: fix or remove?
    super.validateData();
}
}