Commit 3de32de1 authored by michael.simon

first commit for alternative filtering for unregistered services

parent a9b01246
......@@ -12,12 +12,15 @@ package edu.kit.scc.webreg.drools;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.kie.api.runtime.KieSession;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.metadata.EntityDescriptor;
import edu.kit.scc.webreg.entity.GroupEntity;
import edu.kit.scc.webreg.entity.RegistryEntity;
import edu.kit.scc.webreg.entity.RoleEntity;
import edu.kit.scc.webreg.entity.SamlIdpMetadataEntity;
import edu.kit.scc.webreg.entity.SamlSpConfigurationEntity;
import edu.kit.scc.webreg.entity.ServiceEntity;
......@@ -53,4 +56,8 @@ public interface KnowledgeSessionService {
SamlIdpMetadataEntity idp, EntityDescriptor idpEntityDescriptor, SamlSpConfigurationEntity sp)
throws MisconfiguredServiceException;
List<ServiceEntity> checkServiceFilterRule(String unitId, UserEntity user,
List<ServiceEntity> serviceList, Set<GroupEntity> groups,
Set<RoleEntity> roles) throws MisconfiguredServiceException;
}
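Review bot: The new `checkServiceFilterRule` declaration carries no Javadoc, and its contract is the opposite of what the name suggests: judging by the implementation in this commit, a rule *allows* a service by retracting the `ServiceEntity` fact, and every service still in working memory after `fireAllRules()` is dropped from the returned list, so an empty or non-matching rule package hides every unregistered service (deny by default). The declared `throws MisconfiguredServiceException` also does not match the implementation, which throws `MisconfiguredApplicationException` when no session exists for `unitId`. I would add a Javadoc stating that `unitId` names the rule package, that `user`, `groups` and `roles` are the facts rules may match on, that the result is deny-by-default, and which exception is actually raised when the package is missing.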
......@@ -15,6 +15,7 @@ import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ejb.Stateless;
import javax.inject.Inject;
......@@ -41,8 +42,10 @@ import edu.kit.scc.webreg.drools.UnauthorizedUser;
import edu.kit.scc.webreg.entity.AuditStatus;
import edu.kit.scc.webreg.entity.BusinessRulePackageEntity;
import edu.kit.scc.webreg.entity.EventType;
import edu.kit.scc.webreg.entity.GroupEntity;
import edu.kit.scc.webreg.entity.RegistryEntity;
import edu.kit.scc.webreg.entity.RegistryStatus;
import edu.kit.scc.webreg.entity.RoleEntity;
import edu.kit.scc.webreg.entity.SamlIdpMetadataEntity;
import edu.kit.scc.webreg.entity.SamlSpConfigurationEntity;
import edu.kit.scc.webreg.entity.ServiceEntity;
......@@ -112,7 +115,7 @@ public class KnowledgeSessionServiceImpl implements KnowledgeSessionService {
KieSession ksession = getStatefulSession(unitId);
if (ksession == null)
throw new MisconfiguredApplicationException("Es ist keine valide Regel fuer den Benutzer zugriff konfiguriert");
throw new MisconfiguredApplicationException("Es ist keine valide Regel fuer den Benutzerzugriff konfiguriert");
ksession.setGlobal("logger", logger);
ksession.insert(user);
......@@ -141,6 +144,52 @@ public class KnowledgeSessionServiceImpl implements KnowledgeSessionService {
return objectList;
}
@Override
public List<ServiceEntity> checkServiceFilterRule(String unitId, UserEntity user, List<ServiceEntity> serviceList,
Set<GroupEntity> groups, Set<RoleEntity> roles)
throws MisconfiguredServiceException {
KieSession ksession = getStatefulSession(unitId);
if (ksession == null)
throw new MisconfiguredApplicationException("Es ist keine valide Regel fuer den Benutzerzugriff konfiguriert");
ksession.setGlobal("logger", logger);
ksession.insert(user);
for (GroupEntity group : groups)
ksession.insert(group);
for (ServiceEntity service : serviceList)
ksession.insert(service);
ksession.insert(new Date());
ksession.fireAllRules();
List<Object> objectList = new ArrayList<Object>(ksession.getObjects());
List<ServiceEntity> removeList = new ArrayList<ServiceEntity>();
for (Object o : objectList) {
if (logger.isTraceEnabled())
logger.trace("Deleting fact handle for Object {}", o);
FactHandle factHandle = ksession.getFactHandle(o);
if (factHandle != null)
ksession.delete(factHandle);
else
logger.warn("Facthandle for Object {} is null", o);
if (o instanceof ServiceEntity) {
removeList.add((ServiceEntity) o);
}
}
ksession.dispose();
List<ServiceEntity> returnList = new ArrayList<ServiceEntity>(serviceList);
returnList.removeAll(removeList);
return returnList;
}
@Override
public List<Object> checkRule(String packageName, String knowledgeBaseName, String knowledgeBaseVersion,
UserEntity user, ServiceEntity service,
......
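Review bot: The `roles` parameter of `checkServiceFilterRule` is never inserted into the session — only `user`, the groups, the services and a `Date` are — so a rule that matches on `RoleEntity` can never fire, and because services that no rule retracts are removed from the result, role-based rules silently hide services instead of exposing them. `ksession.dispose()` is also only reached on the happy path; if `fireAllRules()` throws, the stateful session obtained from `getStatefulSession(unitId)` is leaked. Unless omitting roles is deliberate, insert them next to the groups and wrap the session use in try/finally; the fact-handle deletion loop can stay as it is. The `checkRule` method that begins at the end of this hunk is cut off by the page.
```java
		KieSession ksession = getStatefulSession(unitId);
		// … unchanged: null check and "logger" global …
		try {
			ksession.insert(user);
			for (GroupEntity group : groups)
				ksession.insert(group);
			for (RoleEntity role : roles)
				ksession.insert(role);
			for (ServiceEntity service : serviceList)
				ksession.insert(service);
			ksession.insert(new Date());
			ksession.fireAllRules();
			// … unchanged: collect remaining ServiceEntity facts into removeList …
		} finally {
			ksession.dispose();
		}
		// … unchanged: build returnList from serviceList minus removeList …
```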
......@@ -10,7 +10,6 @@
******************************************************************************/
package edu.kit.scc.webreg.bean;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
......@@ -26,13 +25,10 @@ import org.slf4j.Logger;
import edu.kit.scc.webreg.drools.KnowledgeSessionService;
import edu.kit.scc.webreg.drools.OverrideAccess;
import edu.kit.scc.webreg.drools.UnauthorizedUser;
import edu.kit.scc.webreg.entity.GroupEntity;
import edu.kit.scc.webreg.entity.HomeOrgGroupEntity;
import edu.kit.scc.webreg.entity.RegistryEntity;
import edu.kit.scc.webreg.entity.RegistryStatus;
import edu.kit.scc.webreg.entity.ServiceEntity;
import edu.kit.scc.webreg.entity.UserEntity;
import edu.kit.scc.webreg.service.GroupService;
import edu.kit.scc.webreg.service.RegistryService;
import edu.kit.scc.webreg.service.ServiceService;
import edu.kit.scc.webreg.service.UserService;
......@@ -43,8 +39,7 @@ import edu.kit.scc.webreg.session.SessionManager;
public class UserIndexBean {
private List<ServiceEntity> allServiceList;
private List<ServiceEntity> unregisteredServiceList;
private List<RegistryEntity> userRegistryList;
private List<RegistryEntity> pendingRegistryList;
......@@ -67,9 +62,6 @@ public class UserIndexBean {
@Inject
private UserService userService;
@Inject
private GroupService groupService;
@Inject
private KnowledgeSessionService knowledgeSessionService;
......@@ -81,63 +73,14 @@ public class UserIndexBean {
userRegistryList.addAll(registryService.findByUserAndStatus(user, RegistryStatus.LOST_ACCESS));
pendingRegistryList = registryService.findByUserAndStatus(user, RegistryStatus.PENDING);
unregisteredServiceList = new ArrayList<ServiceEntity>(allServiceList);
serviceAccessMap = new HashMap<ServiceEntity, String>(userRegistryList.size());
for (RegistryEntity registry : userRegistryList) {
unregisteredServiceList.remove(registry.getService());
}
for (RegistryEntity registry : pendingRegistryList) {
unregisteredServiceList.remove(registry.getService());
}
long start = System.currentTimeMillis();
checkServiceAccess(userRegistryList, user);
long end = System.currentTimeMillis();
logger.debug("Rule processing took {} ms", end - start);
List<GroupEntity> groupList = groupService.findByUser(user);
String groupString = groupsToString(groupList);
List<ServiceEntity> serviceToRemove = new ArrayList<ServiceEntity>();
for (ServiceEntity s : unregisteredServiceList) {
Map<String, String> serviceProps = s.getServiceProps();
if (serviceProps.containsKey("idp_filter")) {
String idpFilter = serviceProps.get("idp_filter");
if (idpFilter != null &&
(! idpFilter.contains(user.getIdp().getEntityId())))
serviceToRemove.add(s);
}
if (s.getServiceProps().containsKey("group_filter")) {
String groupFilter = serviceProps.get("group_filter");
if (groupFilter != null &&
(! groupString.matches(groupFilter)))
serviceToRemove.add(s);
}
if (s.getServiceProps().containsKey("entitlement_filter")) {
String entitlementFilter = serviceProps.get("entitlement_filter");
String entitlement = user.getAttributeStore().get("urn:oid:1.3.6.1.4.1.5923.1.1.1.7");
if (entitlementFilter != null && entitlement != null &&
(! entitlement.matches(entitlementFilter)))
serviceToRemove.add(s);
}
}
unregisteredServiceList.removeAll(serviceToRemove);
}
public Boolean isServiceRegistered(ServiceEntity service) {
if (service == null)
return false;
return (! unregisteredServiceList.contains(service));
}
public String getServiceAccessStatus(ServiceEntity service) {
return serviceAccessMap.get(service);
}
......@@ -183,21 +126,5 @@ public class UserIndexBean {
serviceAccessMap.put(registry.getService(), sb.toString());
}
}
private String groupsToString(List<GroupEntity> groupList) {
StringBuilder sb = new StringBuilder();
for (GroupEntity group : groupList) {
if (group instanceof HomeOrgGroupEntity &&
((HomeOrgGroupEntity) group).getPrefix() != null) {
sb.append(((HomeOrgGroupEntity) group).getPrefix());
}
sb.append("_");
sb.append(group.getName());
sb.append(";");
}
if (sb.length() > 0)
sb.setLength(sb.length() - 1);
return sb.toString();
}
}
......@@ -25,6 +25,7 @@ import javax.inject.Named;
import org.slf4j.Logger;
import edu.kit.scc.webreg.bootstrap.ApplicationConfig;
import edu.kit.scc.webreg.drools.KnowledgeSessionService;
import edu.kit.scc.webreg.entity.AdminRoleEntity;
import edu.kit.scc.webreg.entity.ApproverRoleEntity;
import edu.kit.scc.webreg.entity.GroupAdminRoleEntity;
......@@ -79,6 +80,9 @@ public class AuthorizationBean implements Serializable {
@Inject
private RoleCache roleCache;
@Inject
private KnowledgeSessionService knowledgeSessionService;
@PostConstruct
private void init() {
if (sessionManager.getUserId() == null)
......@@ -118,46 +122,7 @@ public class AuthorizationBean implements Serializable {
end = System.currentTimeMillis();
logger.trace("groups loading took {} ms", (end-start));
}
start = System.currentTimeMillis();
userRegistryList = registryService.findByUserAndNotStatus(user, RegistryStatus.DELETED, RegistryStatus.DEPROVISIONED);
end = System.currentTimeMillis();
logger.trace("registered servs loading took {} ms", (end-start));
unregisteredServiceList = serviceService.findAllPublishedWithServiceProps();
for (RegistryEntity registry : userRegistryList) {
unregisteredServiceList.remove(registry.getService());
}
List<ServiceEntity> serviceToRemove = new ArrayList<ServiceEntity>();
for (ServiceEntity s : unregisteredServiceList) {
Map<String, String> serviceProps = s.getServiceProps();
if (serviceProps.containsKey("idp_filter")) {
String idpFilter = serviceProps.get("idp_filter");
if (idpFilter != null &&
(! idpFilter.contains(user.getIdp().getEntityId())))
serviceToRemove.add(s);
}
if (s.getServiceProps().containsKey("group_filter")) {
String groupFilter = serviceProps.get("group_filter");
if (groupFilter != null &&
(! sessionManager.getGroupNames().contains(groupFilter)))
serviceToRemove.add(s);
}
if (s.getServiceProps().containsKey("entitlement_filter")) {
String entitlementFilter = serviceProps.get("entitlement_filter");
String entitlement = user.getAttributeStore().get("urn:oid:1.3.6.1.4.1.5923.1.1.1.7");
if (entitlementFilter != null && entitlement != null &&
(! entitlement.matches(entitlementFilter)))
serviceToRemove.add(s);
}
}
unregisteredServiceList.removeAll(serviceToRemove);
if (sessionManager.getRoleSetCreated() == null ||
(System.currentTimeMillis() - sessionManager.getRoleSetCreated()) > rolesTimeout) {
start = System.currentTimeMillis();
......@@ -190,6 +155,60 @@ public class AuthorizationBean implements Serializable {
sessionManager.setRoleSetCreated(System.currentTimeMillis());
}
start = System.currentTimeMillis();
userRegistryList = registryService.findByUserAndNotStatus(user, RegistryStatus.DELETED, RegistryStatus.DEPROVISIONED);
end = System.currentTimeMillis();
logger.trace("registered servs loading took {} ms", (end-start));
unregisteredServiceList = serviceService.findAllPublishedWithServiceProps();
for (RegistryEntity registry : userRegistryList) {
unregisteredServiceList.remove(registry.getService());
}
if (appConfig.getConfigValue("service_filter_rule") != null) {
String serviceFilterRule = appConfig.getConfigValue("service_filter_rule");
logger.debug("Checking service filter rule {}", serviceFilterRule);
start = System.currentTimeMillis();
unregisteredServiceList = knowledgeSessionService.checkServiceFilterRule(
serviceFilterRule, user, unregisteredServiceList,
sessionManager.getGroups(), sessionManager.getRoles());
end = System.currentTimeMillis();
logger.debug("Rule processing took {} ms", end - start);
}
else {
List<ServiceEntity> serviceToRemove = new ArrayList<ServiceEntity>();
for (ServiceEntity s : unregisteredServiceList) {
Map<String, String> serviceProps = s.getServiceProps();
if (serviceProps.containsKey("idp_filter")) {
String idpFilter = serviceProps.get("idp_filter");
if (idpFilter != null &&
(! idpFilter.contains(user.getIdp().getEntityId())))
serviceToRemove.add(s);
}
if (s.getServiceProps().containsKey("group_filter")) {
String groupFilter = serviceProps.get("group_filter");
if (groupFilter != null &&
(! sessionManager.getGroupNames().contains(groupFilter)))
serviceToRemove.add(s);
}
if (s.getServiceProps().containsKey("entitlement_filter")) {
String entitlementFilter = serviceProps.get("entitlement_filter");
String entitlement = user.getAttributeStore().get("urn:oid:1.3.6.1.4.1.5923.1.1.1.7");
if (entitlementFilter != null && entitlement != null &&
(! entitlement.matches(entitlementFilter)))
serviceToRemove.add(s);
}
}
unregisteredServiceList.removeAll(serviceToRemove);
}
}
public boolean isUserInRole(String roleName) {
......
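Review bot: In the fallback branch, `idpFilter.contains(user.getIdp().getEntityId())` is a substring test, so an IdP whose entityId is a prefix of a configured one, or any short entityId that happens to occur inside a longer configured one, passes the `idp_filter`; if `idp_filter` is a delimited list of entityIds, split it on that delimiter and compare exactly, e.g. `if (idpFilter != null && !Arrays.asList(idpFilter.split("[,;\\s]+")).contains(user.getIdp().getEntityId()))` (adding the `java.util.Arrays` import if the file lacks it). The same check existed in the `UserIndexBean` code this commit deletes, so it is pre-existing, but these lines are now the only copy. Note also that the two mechanisms are mutually exclusive: once `service_filter_rule` is configured, the `idp_filter`/`group_filter`/`entitlement_filter` service properties are not evaluated at all, which is worth stating in a comment above the `if`, e.g. `// A configured service_filter_rule replaces the per-service *_filter properties entirely; they are not applied in rule mode.` `init()` starts outside this hunk.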
......@@ -215,4 +215,8 @@ public class SessionManager implements Serializable {
public List<ServiceEntity> getServiceGroupAdminList() {
return serviceGroupAdminList;
}
public Set<RoleEntity> getRoles() {
return roles;
}
}
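Review bot: `getRoles()` hands out the live `roles` set of the session-scoped `SessionManager`, so any caller can add or remove `RoleEntity` objects and thereby change the authorization state that `AuthorizationBean` presumably derives from it; the only consumer added in this commit (the rule session) only reads it. Return a read-only view instead: `return Collections.unmodifiableSet(roles);`, guarding for null if the field can be unset. The field's declaration is outside this hunk, so whether it is already an unmodifiable set cannot be seen here.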
......@@ -142,37 +142,35 @@
<h:outputText value="#{messages.index_text3}" />
</div>
<div>
<ui:repeat var="service" value="#{userIndexBean.allServiceList}">
<h:panelGroup rendered="#{not userIndexBean.isServiceRegistered(service)}">
<div class="serviceBlock">
<div class="serviceBlockHeader">
<h:outputText value="#{service.name}" />
</div>
<h:panelGroup rendered="#{service.image != null}">
<div class="serviceBlockImage">
<p:graphicImage
value="#{request.contextPath}/rest/image/icon/#{service.image.id}" />
</div>
</h:panelGroup>
<div class="serviceBlockDesc">
<h:outputText value="#{service.shortDescription}" />
<br />
<h:outputText value="#{userIndexBean.getServiceAccessStatus(registry.service)}" />
</div>
<div class="serviceBlockLink">
<span class="ui-icon ui-icon-script" style="display:inline-block; vertical-align: bottom;" />
<h:link outcome="/service/index.xhtml" value="#{messages.service_desc}">
<f:param name="serviceId" value="#{service.id}" />
</h:link>
</div>
<div class="serviceBlockLink">
<span class="ui-icon ui-icon-carat-1-e" style="display:inline-block; vertical-align: bottom;" />
<h:link outcome="/user/register-service.xhtml" value="#{messages.register}">
<f:param name="serviceId" value="#{service.id}" />
</h:link>
<ui:repeat var="service" value="#{authorizationBean.unregisteredServiceList}">
<div class="serviceBlock">
<div class="serviceBlockHeader">
<h:outputText value="#{service.name}" />
</div>
<h:panelGroup rendered="#{service.image != null}">
<div class="serviceBlockImage">
<p:graphicImage
value="#{request.contextPath}/rest/image/icon/#{service.image.id}" />
</div>
</h:panelGroup>
<div class="serviceBlockDesc">
<h:outputText value="#{service.shortDescription}" />
<br />
<h:outputText value="#{userIndexBean.getServiceAccessStatus(registry.service)}" />
</div>
<div class="serviceBlockLink">
<span class="ui-icon ui-icon-script" style="display:inline-block; vertical-align: bottom;" />
<h:link outcome="/service/index.xhtml" value="#{messages.service_desc}">
<f:param name="serviceId" value="#{service.id}" />
</h:link>
</div>
<div class="serviceBlockLink">
<span class="ui-icon ui-icon-carat-1-e" style="display:inline-block; vertical-align: bottom;" />
<h:link outcome="/user/register-service.xhtml" value="#{messages.register}">
<f:param name="serviceId" value="#{service.id}" />
</h:link>
</div>
</h:panelGroup>
</div>
</ui:repeat>
</div>
......
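Review bot: `#{userIndexBean.getServiceAccessStatus(registry.service)}` inside the rebuilt loop references `registry`, but the `ui:repeat` variable is `service`, so the expression most likely resolves to a null argument and renders an empty status for every unregistered service; this was already the case before, but the line is copied verbatim into the new markup. Either drop that `h:outputText` for unregistered services, for which no registry exists, or pass the loop variable if the bean offers a service-based lookup. The switch from `userIndexBean` to `authorizationBean.unregisteredServiceList` also means the list is whatever `AuthorizationBean.init()` computed for the session rather than per request; if that is intended, a short comment at the top of the block saying so would help the next maintainer.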
package edu.kit.scc.webreg.drools.sf;
import edu.kit.scc.webreg.entity.UserEntity;
import edu.kit.scc.webreg.entity.GroupEntity;
import edu.kit.scc.webreg.entity.LocalGroupEntity;
import edu.kit.scc.webreg.entity.ServiceEntity;
global org.slf4j.Logger logger;
rule "Filter test"
when
$user : UserEntity( eppn == "ugcne@student.kit.edu" )
$service : ServiceEntity( shortName == "ucb" )
then
logger.debug( "allow user {} for service {}", $user.getEppn(), $service.getName() );
retract( $service );
end
rule "FH1 Filter"
when
$user : UserEntity()
$service : ServiceEntity( shortName == "fh1" )
$group : LocalGroupEntity( name == "fh1-access" )
then
logger.debug( "allow user {} for service {}, because of membership in group {}", $user.getEppn(), $service.getName(), $group.getName() );
retract( $service );
end
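Review bot: The `"Filter test"` rule hard-codes a personal identifier (`eppn == "ugcne@student.kit.edu"`) for a specific service and ships in the same package as the production `"FH1 Filter"` rule; a rule keyed to one person's eppn is an access-control backdoor if it is ever deployed, so it should be removed or moved to a test resource before this lands. Both rules also rely on a convention that is not stated anywhere in the file: a service is *allowed* by retracting its `ServiceEntity` fact (everything left in working memory is filtered out by the caller), and the `LocalGroupEntity( name == "fh1-access" )` pattern has no join with `$user`, so it only means membership because the caller inserts just the current user's groups. I would put a header comment above the rules: `// Convention: retract($service) == show the service to $user; facts not retracted are hidden by the caller. Only the current user's groups/roles are in working memory, so a bare group pattern is a membership test.`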