
alternative authz plugins are no longer part of the main Nimbus repository, see the authz-plugins branch
1 parent e78fc5e commit 706a79b3363b6a4077e0daf1d4b3289b9fb10dbd @timf timf committed May 12, 2010
Showing with 0 additions and 3,327 deletions.
  1. +0 −105 plugins/authz/python/build.xml
  2. +0 −8 plugins/authz/python/etc/example.py
  3. +0 −62 plugins/authz/python/etc/printinfo.py
  4. BIN plugins/authz/python/lib-undeployed/globus_voms_interceptors.jar
  5. BIN plugins/authz/python/lib-undeployed/gridshib-gt-0_3_3.jar
  6. +0 −9 plugins/authz/python/lib-undeployed/notes.txt
  7. +0 −145 plugins/authz/python/lib/jython.LICENSE
  8. BIN plugins/authz/python/lib/jython.jar
  9. +0 −11 plugins/authz/python/lib/notes.txt
  10. +0 −72 plugins/authz/python/src/org/globus/jython/Jython.java
  11. +0 −25 plugins/authz/python/src/org/globus/jython/JythonLoader.java
  12. +0 −40 plugins/authz/python/src/org/globus/jython/log.java
  13. +0 −132 plugins/authz/python/src/org/globus/workspace/interceptors/jython/PythonAuthorization.java
  14. +0 −83 plugins/authz/python/src/org/globus/workspace/interceptors/jython/Shib.java
  15. +0 −31 plugins/authz/python/src/org/globus/workspace/interceptors/jython/ShibUtil.java
  16. +0 −85 plugins/authz/python/src/org/globus/workspace/interceptors/jython/Voms.java
  17. +0 −31 plugins/authz/python/src/org/globus/workspace/interceptors/jython/VomsUtil.java
  18. +0 −429 plugins/authz/python/src/org/globus/workspace/interceptors/jython/WorkspacePythonAuthorization.java
  19. +0 −77 plugins/authz/voms/bootstrap/org/globus/MajorMinorVersion.java
  20. +0 −288 plugins/authz/voms/build.xml
  21. +0 −1 plugins/authz/voms/etc/sample-attr-authz
  22. BIN plugins/authz/voms/lib/glite-security-util-java.jar
  23. +0 −122 plugins/authz/voms/src-proxies/4.0/org/globus/voms/PDP.java
  24. +0 −78 plugins/authz/voms/src-proxies/4.0/org/globus/voms/PIP.java
  25. +0 −156 plugins/authz/voms/src-proxies/4.1+/org/globus/voms/PDP.java
  26. +0 −103 plugins/authz/voms/src-proxies/4.1+/org/globus/voms/PIP.java
  27. +0 −154 plugins/authz/voms/src/org/globus/voms/impl/ACLPDP.java
  28. +0 −31 plugins/authz/voms/src/org/globus/voms/impl/PDPDecision.java
  29. +0 −40 plugins/authz/voms/src/org/globus/voms/impl/VomsConstants.java
  30. +0 −55 plugins/authz/voms/src/org/globus/voms/impl/VomsCredentialInformation.java
  31. +0 −177 plugins/authz/voms/src/org/globus/voms/impl/VomsCredentialPIP.java
  32. +0 −635 plugins/authz/voms/src/org/globus/voms/impl/VomsPDP.java
  33. +0 −122 plugins/authz/voms/src/org/globus/voms/impl/VomsPDPPolicy.java
  34. +0 −20 plugins/authz/voms/src/org/globus/wsrf/security/authorization/attributes/AttributeInformation.java
105 plugins/authz/python/build.xml
@@ -1,105 +0,0 @@
-<?xml version="1.0"?>
-
-<project default="deploy" basedir=".">
-
- <!-- Build file for a Workspace Service authorization module -->
-
- <!-- package name for this gar -->
- <property name="package.name" value="workspace_python_authorization"/>
-
- <property name="java.debug" value="on"/>
-
- <property environment="env"/>
- <property name="env.GLOBUS_LOCATION" value="../../../../../install"/>
- <property name="deploy.dir" location="${env.GLOBUS_LOCATION}"/>
- <property name="abs.deploy.dir" location="${deploy.dir}"/>
- <property name="gar.name" value="${package.name}.gar"/>
-
- <!-- Directories created on build -->
- <property name="build.dir" location="build"/>
- <property name="build.dest" location="build/classes"/>
- <property name="build.lib.dir" location="build/lib"/>
-
- <property name="src.dir" location="src"/>
- <property name="jar.name" value="${package.name}.jar"/>
- <property name="gar.name" value="${package.name}.gar"/>
-
- <property name="garjars.id" value="garjars"/>
- <fileset dir="${build.lib.dir}" id="garjars"/>
- <property name="lib.dir" location="lib"/>
-
- <property name="compile.lib.dir" location="lib-undeployed"/>
-
- <property name="garetc.id" value="garEtc"/>
- <fileset dir="etc" id="garEtc"/>
-
- <!-- Refer to standard build files for deployment -->
- <property name="build.packages" location=
- "${abs.deploy.dir}/share/globus_wsrf_common/build-packages.xml"/>
-
- <path id="classpath">
- <fileset dir="${abs.deploy.dir}/lib">
- <include name="*.jar"/>
- </fileset>
- <fileset dir="${lib.dir}">
- <include name="*.jar"/>
- </fileset>
- <fileset dir="${compile.lib.dir}">
- <include name="*.jar"/>
- </fileset>
- </path>
-
- <target name="init">
- <mkdir dir="${build.dir}"/>
- <mkdir dir="${build.dest}"/>
- <mkdir dir="${build.lib.dir}"/>
- </target>
-
- <target name="compile" depends="init">
- <javac srcdir="${src.dir}" destdir="${build.dest}"
- debug="on" classpathref="classpath">
- <include name="**/*.java"/>
- </javac>
- <copy todir="${build.lib.dir}">
- <fileset dir="${lib.dir}">
- <include name="*.jar"/>
- <include name="*LICENSE*"/>
- </fileset>
- </copy>
- <copy todir="${build.dest}" >
- <fileset dir="src" includes="**/*.properties" />
- <fileset dir="src" includes="**/*.xml" />
- </copy>
- </target>
-
- <target name="jar" depends="compile">
- <jar destfile="${build.lib.dir}/${jar.name}"
- basedir="${build.dest}"/>
- </target>
-
- <target name="dist" depends="jar">
- <ant antfile="${build.packages}" target="makeGar">
- <reference refid="${garjars.id}"/>
- <reference refid="${garetc.id}"/>
- </ant>
- </target>
-
- <target name="clean">
- <delete dir="tmp"/>
- <delete dir="${build.dir}"/>
- <delete file="${gar.name}"/>
- </target>
-
- <target name="deploy" depends="dist">
- <ant antfile="${build.packages}" target="deployGar">
- <property name="gar.id" value="${package.name}"/>
- </ant>
- </target>
-
- <target name="undeploy">
- <ant antfile="${build.packages}" target="undeployGar">
- <property name="gar.id" value="${package.name}"/>
- </ant>
- </target>
-
-</project>
8 plugins/authz/python/etc/example.py
@@ -1,8 +0,0 @@
-if DN == "/goodguy":
- print "we like this client no matter what: " + DN
- decision = PERMIT
-elif req.memory <= 256:
- decision = PERMIT
-else:
- decision = DENY
-
62 plugins/authz/python/etc/printinfo.py
@@ -1,62 +0,0 @@
-# This example just prints out everything known about the subject
-# and request to stdout.
-
-# If "$GLOBUS_LOCATION/container-log4j.properties" includes:
-#
-# log4j.category.org.globus.jython.log=INFO
-#
-# then the authorization module will log the stdout print
-# statements in this script.
-#
-# For processing time and stderr log statements use:
-#
-# log4j.category.org.globus.jython.log=DEBUG
-
-print "\nSUBJECT:"
-
-if DN:
- print "DN: " + DN
-
-if voms:
- print "voms VO: %s" + voms.VO
- print "voms hostport: %s" + voms.hostport
- print "found %d VOMS attributes" % len(voms.attributes)
- for i in voms.attributes:
- print i
-
-if shib:
- print "found %d SAML attributes" % len(shib.attributes)
- for i in shib.attributes:
- print " name: %s" % i.name
- print "namespace: %s" % i.namespace
- if i.values:
- print " values:"
- for j in i.values:
- print " : %s" % j
-
-print "\nREQUEST:"
-
-print "req.memory: %d" % req.memory
-print "req.duration_secs: %d" % req.duration_secs
-
-if len(req.images) > 0:
- print "req.images[0] (root disk): " + req.images[0]
-
-if req.kernel:
- print "req.kernel: " + req.kernel
-
-if req.kernelParams:
- print "req.kernelParams: " + req.kernelParams
-
-print "found %d NIC(s)" % len(req.nics)
-for i in req.nics:
- print "NIC:"
- print " ip : %s" % i.ip
- print " name : %s" % i.name
- print "association : %s" % i.association
- print " hostname : %s" % i.hostname
- print " gateway : %s" % i.gateway
- print " mode : %s" % i.mode
- print " method : %s" % i.method
-
-decision = DENY
BIN plugins/authz/python/lib-undeployed/globus_voms_interceptors.jar
Binary file not shown.
BIN plugins/authz/python/lib-undeployed/gridshib-gt-0_3_3.jar
Binary file not shown.
9 plugins/authz/python/lib-undeployed/notes.txt
@@ -1,9 +0,0 @@
-These jars are so that we do not need to deploy the VOMS and GridShib
-plugins just to build and deploy the Python authorization callout.
-
-If the classloader can not find the appropriate classes (i.e., if
-those plugins are not deployed to the container), it just does not
-support sending VOMS or SAML attributes to the Python script but
-does not consider this an error.
-
-The GridShib project also releases software under an Apache v2 license.
145 plugins/authz/python/lib/jython.LICENSE
@@ -1,145 +0,0 @@
-
-
-HISTORY OF THE SOFTWARE
-=======================
-
-JPython was created in late 1997 by Jim Hugunin. Jim was also the
-primary developer while he was at CNRI. In February 1999 Barry Warsaw
-took over as primary developer and released JPython version 1.1.
-In October 2000 Barry helped move the software to SourceForge
-where it was renamed to Jython. Jython is developed by a group
-of volunteers.
-
-
-The standard library is covered by the BeOpen / CNRI license. See the
-Lib/LICENSE file for details.
-
-The oro regular expresion matcher is covered by the apache license.
-See the org/apache/LICENSE file for details.
-
-The zxJDBC package was written by Brian Zimmer and originally licensed
-under the GNU Public License. The package is now covered by the Jython
-Software License.
-
-Jython changes Software License.
-================================
-
-Copyright (c) 2000, Jython Developers
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
- - Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- - Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the distribution.
-
- - Neither the name of the Jython Developers nor the names of
- its contributors may be used to endorse or promote products
- derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
-CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
-EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
-OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
-
-
-JPython Software License.
-=========================
-
-______________________________________________________________________
-
-IMPORTANT: PLEASE READ THE FOLLOWING AGREEMENT CAREFULLY.
-
-BY CLICKING ON THE "ACCEPT" BUTTON WHERE INDICATED, OR BY INSTALLING,
-COPYING OR OTHERWISE USING THE SOFTWARE, YOU ARE DEEMED TO HAVE AGREED TO
-THE TERMS AND CONDITIONS OF THIS AGREEMENT.
-
-______________________________________________________________________
-
-JPython version 1.1.x
-
- 1. This LICENSE AGREEMENT is between the Corporation for National Research
- Initiatives, having an office at 1895 Preston White Drive, Reston, VA
- 20191 ("CNRI"), and the Individual or Organization ("Licensee")
- accessing and using JPython version 1.1.x in source or binary form and
- its associated documentation as provided herein ("Software").
-
- 2. Subject to the terms and conditions of this License Agreement, CNRI
- hereby grants Licensee a non-exclusive, non-transferable, royalty-free,
- world-wide license to reproduce, analyze, test, perform and/or display
- publicly, prepare derivative works, distribute, and otherwise use the
- Software alone or in any derivative version, provided, however, that
- CNRI's License Agreement and CNRI's notice of copyright, i.e.,
- "Copyright ?1996-1999 Corporation for National Research Initiatives;
- All Rights Reserved" are both retained in the Software, alone or in any
- derivative version prepared by Licensee.
-
- Alternatively, in lieu of CNRI's License Agreement, Licensee may
- substitute the following text (omitting the quotes), provided, however,
- that such text is displayed prominently in the Software alone or in any
- derivative version prepared by Licensee: "JPython (Version 1.1.x) is
- made available subject to the terms and conditions in CNRI's License
- Agreement. This Agreement may be located on the Internet using the
- following unique, persistent identifier (known as a handle):
- 1895.22/1006. The License may also be obtained from a proxy server on
- the Web using the following URL: http://hdl.handle.net/1895.22/1006."
-
- 3. In the event Licensee prepares a derivative work that is based on or
- incorporates the Software or any part thereof, and wants to make the
- derivative work available to the public as provided herein, then
- Licensee hereby agrees to indicate in any such work, in a prominently
- visible way, the nature of the modifications made to CNRI's Software.
-
- 4. Licensee may not use CNRI trademarks or trade name, including JPython
- or CNRI, in a trademark sense to endorse or promote products or
- services of Licensee, or any third party. Licensee may use the mark
- JPython in connection with Licensee's derivative versions that are
- based on or incorporate the Software, but only in the form
- "JPython-based ___________________," or equivalent.
-
- 5. CNRI is making the Software available to Licensee on an "AS IS" basis.
- CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY
- OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY
- REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY
- PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE
- ANY THIRD PARTY RIGHTS.
-
- 6. CNRI SHALL NOT BE LIABLE TO LICENSEE OR OTHER USERS OF THE SOFTWARE FOR
- ANY INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF
- USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY DERIVATIVE
- THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. SOME STATES DO NOT
- ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY SO THE ABOVE DISCLAIMER
- MAY NOT APPLY TO LICENSEE.
-
- 7. This License Agreement may be terminated by CNRI (i) immediately upon
- written notice from CNRI of any material breach by the Licensee, if the
- nature of the breach is such that it cannot be promptly remedied; or
- (ii) sixty (60) days following notice from CNRI to Licensee of a
- material remediable breach, if Licensee has not remedied such breach
- within that sixty-day period.
-
- 8. This License Agreement shall be governed by and interpreted in all
- respects by the law of the State of Virginia, excluding conflict of law
- provisions. Nothing in this Agreement shall be deemed to create any
- relationship of agency, partnership, or joint venture between CNRI and
- Licensee.
-
- 9. By clicking on the "ACCEPT" button where indicated, or by installing,
- copying or otherwise using the Software, Licensee agrees to be bound by
- the terms and conditions of this License Agreement.
-
-
BIN plugins/authz/python/lib/jython.jar
Binary file not shown.
11 plugins/authz/python/lib/notes.txt
@@ -1,11 +0,0 @@
-This was developed from the jython.jar obtained from this installer:
-
- jython_Release_2_2alpha1.jar
-
-We only use standard Jython functionality, so it is probable that older
-versions will just work.
-
-Jython home page: http://www.jython.org
-
-
-
72 plugins/authz/python/src/org/globus/jython/Jython.java
@@ -1,72 +0,0 @@
-/*
- * Copyright 1999-2006 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.jython;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.python.core.PyString;
-import org.python.util.PythonInterpreter;
-
-import java.util.Properties;
-
-/**
- * NOTE: this maintains ONE interpreter and therefore should not be used
- * simultaneously by more than one service at this time (environment will
- * be polluted unless this is coordinated).
- *
- * See the WorkspacePythonAuthorization class for a working usage (depending
- * on the intended usage, you should synchronize access to the interpreter).
- */
-public class Jython {
-
- static Log logger =
- LogFactory.getLog(Jython.class.getName());
-
- private static PythonInterpreter interpreter;
-
- private static boolean limitEnvironment = true;
-
- public static void initialize() {
- initialize(limitEnvironment);
- }
-
- public static void initialize(boolean limitEnvironment) {
- if (interpreter != null) {
- return;
- }
- if (limitEnvironment) {
- PythonInterpreter.initialize(new Properties(),
- new Properties(),
- null);
- } else {
- // here would be code to get system properties (-D)
- // and to set python home etc.
- }
- interpreter = new PythonInterpreter();
- interpreter.set("hello", new PyString("hello from python"));
- logger.debug(interpreter.get("hello"));
- }
-
- public static PythonInterpreter getInterpreter() {
- if (interpreter == null) {
- logger.error("interpreter was null?");
- initialize();
- }
- return interpreter;
- }
-
-}
25 plugins/authz/python/src/org/globus/jython/JythonLoader.java
@@ -1,25 +0,0 @@
-/*
- * Copyright 1999-2006 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.jython;
-
-public class JythonLoader {
-
- public static void loadJython() throws ClassNotFoundException {
- Class jython = Class.forName("org.python.util.PythonInterpreter");
- Jython.initialize();
- }
-}
40 plugins/authz/python/src/org/globus/jython/log.java
@@ -1,40 +0,0 @@
-/*
- * Copyright 1999-2006 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.jython;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-/**
- * Class to enable easy admin log4j configs for callout derived log strings
- */
-public class log {
-
- private static Log logger = LogFactory.getLog(log.class.getName());
-
- public static void stdout(String stdout) {
- if (stdout != null) {
- logger.info(stdout);
- }
- }
-
- public static void stderr(String stderr) {
- if (stderr != null) {
- logger.debug(stderr);
- }
- }
-}
132 plugins/authz/python/src/org/globus/workspace/interceptors/jython/PythonAuthorization.java
@@ -1,132 +0,0 @@
-/*
- * Copyright 1999-2006 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.workspace.interceptors.jython;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.globus.jython.JythonLoader;
-import org.nimbustools.api.services.rm.ResourceRequestDeniedException;
-import org.nimbustools.api.services.rm.AuthorizationException;
-import org.globus.workspace.service.binding.authorization.CreationAuthorizationCallout;
-import org.globus.workspace.service.binding.authorization.Restrictions;
-import org.globus.workspace.service.binding.vm.VirtualMachine;
-import org.globus.workspace.persistence.DataConvert;
-
-import javax.security.auth.Subject;
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-
-public class PythonAuthorization implements CreationAuthorizationCallout {
-
- public boolean isEnabled() {
- return true;
- }
-
- private static Log logger =
- LogFactory.getLog(PythonAuthorization.class.getName());
-
- private final DataConvert dataConvert;
-
- public PythonAuthorization(DataConvert dataConvert) {
- if (dataConvert == null) {
- throw new IllegalArgumentException("dataConvert may not be null");
- }
- this.dataConvert = dataConvert;
- }
-
- private String scriptLocation;
-
- public void setScriptLocation(String scriptLocation) {
- this.scriptLocation = scriptLocation;
- }
-
- public void initializeCallout() throws Exception {
-
- if (this.scriptLocation == null) {
- throw new Exception("scriptLocation parameter missing");
- }
-
- this.scriptLocation = this.scriptLocation.trim();
-
- final File script = new File(this.scriptLocation);
-
- if (!script.isAbsolute()) {
- throw new Exception("Cannot handle relative paths " +
- "for authz script '" + this.scriptLocation + "'");
- }
-
- if (!script.canRead()) {
- throw new Exception("File cannot be read: "
- + this.scriptLocation);
- }
-
- // TODO: should make sure file is not world writeable
-
- try {
- JythonLoader.loadJython();
- } catch (ClassNotFoundException e) {
- throw new Exception("problem loading Jython," +
- " jython.jar is probably not in the classpath", e);
- }
-
- // for pre-compiling, otherwise it would have been
- // interp.execfile(new FileInputStream(codefile))
-
- BufferedReader in = null;
- String code = null;
- try {
- in = new BufferedReader(new FileReader(script));
-
- final StringBuffer buf = new StringBuffer();
- String line = in.readLine();
- while (line != null) {
- buf.append(line);
- buf.append("\n");
- line = in.readLine();
- }
- code = buf.toString();
- } finally {
- if (in != null) {
- try { in.close(); } catch (Exception e) {logger.error("",e);} }
- }
-
- if (code != null) {
- WorkspacePythonAuthorization.setScript(code);
- } else {
- throw new Exception("no code");
- }
- }
-
- // ResourceRequestDeniedException is for Deny + message for client
- public Integer isPermitted(VirtualMachine[] bindings,
- String callerDN,
- Subject subject,
- Long elapsedMins,
- Long reservedMins,
- int numWorkspaces)
-
- throws AuthorizationException,
- ResourceRequestDeniedException {
-
- final Restrictions restr = new Restrictions(); // unused currently
- return WorkspacePythonAuthorization.isPermitted(
- bindings, subject, callerDN, restr,
- elapsedMins, reservedMins, numWorkspaces,
- this.dataConvert);
- }
-}
83 plugins/authz/python/src/org/globus/workspace/interceptors/jython/Shib.java
@@ -1,83 +0,0 @@
-/*
- * Copyright 1999-2006 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.workspace.interceptors.jython;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.globus.wsrf.impl.security.authorization.attributes.SAMLAttribute;
-import org.globus.wsrf.impl.security.authorization.attributes.SAMLAttributeInformation;
-import org.python.util.PythonInterpreter;
-
-import java.util.Iterator;
-import java.util.Set;
-import java.util.Vector;
-
-public class Shib {
-
- private static Log logger = LogFactory.getLog(Shib.class.getName());
-
- /**
- * best to call this from VomsUtil which does class check
- * @param credSet
- * @param interp
- */
- public static void handleShib(Set credSet, PythonInterpreter interp) {
-
- Iterator creds = credSet.iterator();
- while (creds.hasNext()) {
- Object o = creds.next();
- if (o instanceof SAMLAttributeInformation) {
- handle((SAMLAttributeInformation)o, interp);
- break;
- }
- }
- }
-
- private static void handle(SAMLAttributeInformation samlinfo,
- PythonInterpreter interp) {
- logger.debug("adding SAML attributes");
-
- Vector attrVec = samlinfo.getAttrs();
- if (attrVec.isEmpty()) {
- logger.debug("SAML attribute information present, but empty");
- } else {
- logger.debug("found " + attrVec.size() + " attribute(s)");
- interp.exec(WorkspacePythonAuthorization.NEW_SHIB);
-
- Iterator iter = attrVec.iterator();
- while (iter.hasNext()) {
- interp.exec(WorkspacePythonAuthorization.NEW_SAMLATTR);
- SAMLAttribute attr = (SAMLAttribute)iter.next();
-
- WorkspacePythonAuthorization.setString(
- "attr.name", attr.getName(), interp);
- WorkspacePythonAuthorization.setString(
- "attr.namespace", attr.getNamespace(), interp);
-
- String[] values = attr.getValue();
- for (int i = 0; i < values.length; i++) {
- interp.exec(
- "attr.values.append('" + values[i] + "')");
- }
-
- interp.exec("shib.attributes.append(attr)");
- }
- }
-
- }
-
-}
31 plugins/authz/python/src/org/globus/workspace/interceptors/jython/ShibUtil.java
@@ -1,31 +0,0 @@
-/*
- * Copyright 1999-2006 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.workspace.interceptors.jython;
-
-import org.python.util.PythonInterpreter;
-
-import java.util.Set;
-
-public class ShibUtil {
-
- public static void shib(Set credSet, PythonInterpreter interp)
- throws ClassNotFoundException {
- Class shib =
- Class.forName("org.globus.wsrf.impl.security.authorization.attributes.SAMLAttributeInformation");
- Shib.handleShib(credSet, interp);
- }
-}
85 plugins/authz/python/src/org/globus/workspace/interceptors/jython/Voms.java
@@ -1,85 +0,0 @@
-/*
- * Copyright 1999-2006 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.workspace.interceptors.jython;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.globus.voms.VomsCredentialInformation;
-import org.python.util.PythonInterpreter;
-
-import java.util.Iterator;
-import java.util.Set;
-import java.util.Vector;
-
-public class Voms {
-
- private static Log logger = LogFactory.getLog(Voms.class.getName());
-
- /**
- * best to call this from VomsUtil which does class check
- * @param credSet
- * @param interp
- */
- public static void handleVoms(Set credSet, PythonInterpreter interp) {
-
- Iterator creds = credSet.iterator();
- while (creds.hasNext()) {
- Object o = creds.next();
- if (o instanceof VomsCredentialInformation) {
- handle((VomsCredentialInformation)o, interp);
- break;
- }
- }
- }
-
- private static void handle(VomsCredentialInformation vomsinfo,
- PythonInterpreter interp) {
- logger.debug("adding VOMS attributes");
-
- Vector attrVec = vomsinfo.getAttrs();
-
- //note: if there are no roles (e.g., when a regular proxy is used),
- // the vector object will be present, but have size 0
- if (attrVec == null) {
- logger.error("cannot retrieve roles from credential" +
- "information");
- return;
- }
-
-
- if (attrVec.isEmpty()) {
- logger.debug("VOMS attribute information present, but empty");
- } else {
- logger.debug("found " + attrVec.size() + " attribute(s)");
- interp.exec(WorkspacePythonAuthorization.NEW_VOMS);
-
- Iterator iter = attrVec.iterator();
- while (iter.hasNext()) {
- String fqan = (String) iter.next();
- if (fqan != null) {
- interp.exec(
- "voms.attributes.append('" + fqan + "')");
- }
- }
- }
- WorkspacePythonAuthorization.setString(
- "voms.VO", vomsinfo.getVO(), interp);
- WorkspacePythonAuthorization.setString(
- "voms.hostport", vomsinfo.getHostport(), interp);
-
- }
-}
31 plugins/authz/python/src/org/globus/workspace/interceptors/jython/VomsUtil.java
@@ -1,31 +0,0 @@
-/*
- * Copyright 1999-2006 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.workspace.interceptors.jython;
-
-import org.python.util.PythonInterpreter;
-
-import java.util.Set;
-
-public class VomsUtil {
-
- public static void voms(Set credSet, PythonInterpreter interp)
- throws ClassNotFoundException {
- Class voms =
- Class.forName("org.globus.voms.VomsCredentialInformation");
- Voms.handleVoms(credSet, interp);
- }
-}
429 ...thz/python/src/org/globus/workspace/interceptors/jython/WorkspacePythonAuthorization.java
@@ -1,429 +0,0 @@
-/*
- * Copyright 1999-2006 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.workspace.interceptors.jython;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.globus.jython.Jython;
-import org.globus.jython.log;
-import org.nimbustools.api.repr.vm.NIC;
-import org.nimbustools.api.repr.CannotTranslateException;
-import org.nimbustools.api.services.rm.AuthorizationException;
-import org.globus.workspace.service.binding.authorization.Decision;
-import org.globus.workspace.service.binding.authorization.Restrictions;
-import org.globus.workspace.service.binding.vm.VirtualMachine;
-import org.globus.workspace.service.binding.vm.VirtualMachineDeployment;
-import org.globus.workspace.service.binding.vm.VirtualMachinePartition;
-import org.globus.workspace.persistence.DataConvert;
-import org.python.core.Py;
-import org.python.core.PyCode;
-import org.python.core.PyException;
-import org.python.core.PyInteger;
-import org.python.core.PyObject;
-import org.python.core.__builtin__;
-import org.python.util.PythonInterpreter;
-
-import javax.security.auth.Subject;
-import java.io.StringWriter;
-import java.util.Set;
-
-public class WorkspacePythonAuthorization implements Decision {
-
- private static Log logger =
- LogFactory.getLog(PythonAuthorization.class.getName());
-
- private static PyCode code;
-
- // static, can only be set once, use this opportunity to initialize
- // our special return variables
- protected static void setScript(String script) {
-
- PythonInterpreter interp = Jython.getInterpreter();
- interp.exec(INIT_CODE);
- interp.exec("decision = INDETERMINATE");
- interp.exec("DN = None");
- interp.exec("voms = None");
- interp.exec("shib = None");
- interp.set("restrictions", Py.java2py(new Restrictions()));
-
- // todo: learn how to extend java2py for complex objects
-
- if (logger.isDebugEnabled()) {
- logger.debug("environment:");
- interp.exec("import sys");
- interp.exec("print 'sys.prefix=', sys.prefix");
- interp.exec("print 'sys.argv=', sys.argv");
- interp.exec("print 'sys.path=', sys.path");
- interp.exec("print 'sys.cachedir=', sys.cachedir");
- interp.exec("counter = 0");
- interp.exec("print 'counter=', counter");
- interp.exec("print 'decision=', decision");
- interp.exec("print 'restrictions=', restrictions");
- interp.exec("print");
- }
-
- // precompile the configured authz code
- code = __builtin__.compile(script, "<>", "exec");
- }
-
- /**
- * Entry
- *
- * @param vms the request
- * @param subject caller
- * @param callerID caller simple string ID
- * @param restr restrictions object
- * @param elapsedMins
- * @param reservedMins
- * @param numWorkspaces
- * @param dataConvert
- * @return Decision integer
- * @throws AuthorizationException error, not decision
- */
- public static Integer isPermitted(VirtualMachine[] vms,
- Subject subject,
- String callerID,
- Restrictions restr,
- Long elapsedMins,
- Long reservedMins,
- int numWorkspaces,
- DataConvert dataConvert)
- throws AuthorizationException {
-
- if (code == null) {
- throw new AuthorizationException("no code for authz");
- }
-
- if (vms == null) {
- throw new AuthorizationException("null vms");
- }
-
- if (dataConvert == null) {
- throw new AuthorizationException("dataConvert may not be null");
- }
-
-
- // haven't made script interface group-aware yet...
-
- // prioritize permit over indeterminate, unless there is a deny which
- // short circuits
- Integer ret = Decision.INDETERMINATE;
- for (int i = 0; i < vms.length; i++) {
- Integer decision = handle(vms[i], subject, callerID, restr, dataConvert);
- if (decision.equals(Decision.DENY)) {
- ret = Decision.DENY;
- break;
- }
- if (decision.equals(Decision.PERMIT)) {
- ret = Decision.PERMIT;
- }
- }
- return ret;
- }
-
-
- // it is important this is synchronized, we define the interface
- // to the python authorization callout such that it always receives
- // a fresh set of the global variables and can run to completion
- // before being invoked again
- private static synchronized Integer handle(VirtualMachine vm,
- Subject subject,
- String callerID,
- Restrictions restr,
- DataConvert dataConvert)
- throws AuthorizationException {
-
- PythonInterpreter interp = Jython.getInterpreter();
- StringWriter stderrWr = new StringWriter();
- StringWriter stdoutWr = new StringWriter();
- interp.setErr(stderrWr);
- interp.setOut(stdoutWr);
-
- // set subject credentials including attributes
- setSubject(subject, callerID, interp);
-
- setVM(vm, interp, dataConvert);
-
- Integer decision = run(interp, restr);
-
- stdoutWr.flush();
- stderrWr.flush();
- String stdout = stdoutWr.toString();
- String stderr = stderrWr.toString();
-
- try { stdoutWr.close(); } catch (Exception e) {logger.error("",e);}
- try { stderrWr.close(); } catch (Exception e) {logger.error("",e);}
-
- log.stdout(stdout);
- log.stderr(stderr);
-
- return decision;
- }
-
- private static Integer run(PythonInterpreter interp,
- Restrictions restr) {
- logger.debug("run()");
-
- interp.exec("decision = INDETERMINATE");
-
- try {
- interp.exec(code);
- } catch (PyException e) {
- logger.error("authorization callout threw Python exception", e);
- return DENY;
- }
-
- Integer result;
-
- try {
- PyInteger ret = (PyInteger) interp.get("decision");
- result = new Integer(ret.getValue());
- } catch (ClassCastException e) {
- logger.error("'decision' in authorization callout was set" +
- " incorrectly, defaulting to DENY");
- result = DENY;
- } catch (Exception e) {
- logger.error("problem retrievng 'decision' from " +
- "authorization callout, defaulting to DENY");
- result = DENY;
- }
-
- if (result == null) {
- return DENY; // Still a script interface error
- } else if (result.equals(DENY)) {
- return DENY; // no need to process restrictions
- }
-
- try {
- PyObject ret = interp.get("restrictions");
- Restrictions restr2 =
- (Restrictions)ret.__tojava__(Restrictions.class);
- restr.setMaxDuration(restr2.getMaxDuration());
- restr.setMaxMem(restr2.getMaxMem());
- } catch (ClassCastException e) {
- // alternatively we could have tested for
- // Object == Py.NoConversion
- logger.error("'Restrictions' in authorization callout was set" +
- " incorrectly, defaulting to DENY");
- result = DENY;
- } catch (Exception e) {
- logger.error("problem retrievng 'Restrictions' from " +
- "authorization callout, defaulting to DENY");
- result = DENY;
- }
-
- return result;
-
- }
-
- private static void setSubject(Subject subject,
- String callerID,
- PythonInterpreter interp) {
-
- logger.debug("setSubject()");
-
- setString("DN",callerID,interp);
-
- // see if there is any extra information attached to the Subject
- if (subject != null) {
- Set credSet = subject.getPublicCredentials();
- try {
- VomsUtil.voms(credSet, interp);
- } catch (ClassNotFoundException e) {
- logger.debug("VOMS PIP is not installed");
- }
- try {
- ShibUtil.shib(credSet, interp);
- } catch (ClassNotFoundException e) {
- logger.debug("GridShib PIP is not installed");
- }
- } else {
- logger.warn("No peer credentials found");
- }
- }
-
- private static void setVM(VirtualMachine vm,
- PythonInterpreter interp,
- DataConvert dataConvert)
- throws AuthorizationException {
- logger.debug("setVM()");
-
- interp.exec(NEW_REQUEST);
-
- VirtualMachineDeployment vmdep = vm.getDeployment();
- if (vmdep != null) {
-
- interp.exec("req.memory = " +
- vmdep.getIndividualPhysicalMemory());
-
- interp.exec("req.duration_secs = " +
- vmdep.getMinDuration());
- }
-
- if (vm.getPartitions() != null) {
-
- final VirtualMachinePartition[] partitions = vm.getPartitions();
-
- // convention is that rootdisk will be first in images []
- int found = 0;
- for (int i = 0; i < partitions.length; i++) {
- if (partitions[i].isRootdisk()) {
- found += 1;
- interp.exec("req.images.append('" +
- partitions[i].getImage() + "')");
- }
- }
-
- if (found == 0) {
- throw new AuthorizationException(
- "no root disk found");
- } else if (found > 1) {
- throw new AuthorizationException(
- "more than one root disk found");
- }
-
- for (int i = 0; i < partitions.length; i++) {
- if (!partitions[i].isRootdisk()) {
-
- interp.exec("req.images.append('" +
- partitions[i].getImage() + "')");
- }
- }
- }
-
- setString("req.kernel", vm.getKernel(), interp);
- setString("req.kernelParams", vm.getKernelParameters(), interp);
-
- final String netString = vm.getNetwork();
- if (netString != null) {
- // todo: move to sane network situation
- final NIC[] nics;
- try {
- nics = dataConvert.getNICs(vm);
- } catch (CannotTranslateException e) {
- throw new AuthorizationException(e.getMessage(), e);
- }
- if (nics != null) {
- handleNetworking(nics, interp);
- }
- }
-
- }
-
- private static void handleNetworking(NIC[] nics,
- PythonInterpreter interp) {
- logger.debug("handleNetworking()");
-
- if (nics == null) {
- return;
- }
-
- for (int i = 0; i < nics.length; i++) {
- interp.exec(NEW_NIC);
-
- setString("anic.ip", nics[i].getIpAddress(), interp);
-
- setString("anic.name", nics[i].getName(), interp);
-
- setString("anic.association", nics[i].getNetworkName(), interp);
-
- setString("anic.hostname",
- nics[i].getHostname(),
- interp);
-
- setString("anic.gateway",
- nics[i].getGateway(),
- interp);
-
- setString("anic.method",
- nics[i].getAcquisitionMethod(),
- interp);
-
- interp.exec("req.nics.append(anic)");
- }
-
- }
-
- // PyString does not handle nulls for you, nor does it work
- // with setting object.attributes apparently.
-
- // This assumes the variable is initialized as None already
- // and does not need to set that if given String is null
- protected static void setString(String pyname,
- String str,
- PythonInterpreter interp) {
- if (str != null) {
- interp.exec(pyname + " = '" + str + "'");
- }
- }
-
- /**
- * CODE
- */
-
- // advantage in creating Java objects and using java2py?
- // Although, these are input only data structures and simple
- // enough to deal with this way.
-
- protected static final String NEW_REQUEST = "req = REQ()";
- protected static final String NEW_VOMS = "voms = VOMS()";
- protected static final String NEW_SHIB = "shib = SHIB()";
- protected static final String NEW_SAMLATTR = "attr = SAMLATTR()";
- protected static final String NEW_NIC = "anic = NIC()";
-
- // non-stateful code to init environment
- private static final String INIT_CODE =
- "INDETERMINATE = 0 \n" +
- "DENY = 1 \n" +
- "PERMIT = 2 \n" +
- " \n" +
- "class VOMS: \n" +
- " def __init__(self): \n" +
- " self.VO = None \n" +
- " self.hostport = None \n" +
- " self.attributes = [] \n" +
- " \n" +
- "class SAMLATTR: \n" +
- " def __init__(self): \n" +
- " self.name = None \n" +
- " self.namespace = None \n" +
- " self.values = [] \n" +
- " \n" +
- "class SHIB: \n" +
- " def __init__(self): \n" +
- " self.attributes = [] \n" +
- " \n" +
- "class NIC: \n" +
- " def __init__(self): \n" +
- " self.ip = None \n" +
- " self.name = None \n" +
- " self.association = None \n" +
- " self.hostname = None \n" +
- " self.gateway = None \n" +
- " self.method = None \n" +
- " \n" +
- "class REQ: \n" +
- " def __init__(self): \n" +
- " self.memory = -1 \n" +
- " self.nics = [] \n" +
- " self.duration_secs = -1 \n" +
- " # root image is index 0: \n" +
- " self.images = [] \n" +
- " self.kernel = None \n" +
- " self.kernelParams = None \n" +
- " \n";
-}
77 plugins/authz/voms/bootstrap/org/globus/MajorMinorVersion.java
@@ -1,77 +0,0 @@
-/*
- * Copyright 1999-2007 University of Chicago
- *
- * Licensed under the Apache License, MajorMinorVersion 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus;
-
-import java.lang.reflect.Method;
-import java.lang.reflect.InvocationTargetException;
-
-public class MajorMinorVersion {
-
- /**
- * Finds GT Java core major.minor. Any WSRF install without the
- * org.globus.wsrf.utils.Version class is considered to be 4.0
- *
- * @return major.minor version string
- */
- public static String getMajorMinor() throws Exception {
- Object[] args = new String[0];
- try {
- Class Version = Class.forName("org.globus.wsrf.utils.Version");
- Method[] methods = Version.getMethods();
- Object major = null;
- Object minor = null;
- try {
- for (int i = 0; i < methods.length; i++) {
- if (methods[i].getName().equals("getMajor")) {
- major = methods[i].invoke(null, args);
- }
- if (methods[i].getName().equals("getMinor")) {
- minor = methods[i].invoke(null, args);
- }
- }
- } catch (IllegalAccessException e) {
- throw e;
- } catch (InvocationTargetException e) {
- throw e;
- }
-
- if ((major == null) || (minor == null)) {
- throw new Exception("some reflection problem? " +
- "major or minor null");
- }
-
- return major + "." + minor;
-
- } catch (ClassNotFoundException e) {
- return "4.0";
- }
- }
-
- /**
- * Outputs major.minor to stdout. Any WSRF install without the
- * org.globus.wsrf.utils.Version class is considered to be 4.0
- * @param args
- */
- public static void main(String[] args) {
- try {
- System.out.println(getMajorMinor());
- } catch (Exception e) {
- e.printStackTrace();
- System.exit(-1);
- }
- }
-}
288 plugins/authz/voms/build.xml
@@ -1,288 +0,0 @@
-<?xml version="1.0"?>
-
-<project default="deploy" basedir=".">
-
- <!-- Build file for VOMS interceptors, differentiates between
- GT4.0 and GT4.1+ target GLOBUS_LOCATION
- -->
-
- <!-- ==== General properties: =================================== -->
-
- <property name="package.name" value="globus-voms-0_2"/>
-
- <property name="java.debug" value="on"/>
-
- <property environment="env"/>
- <property name="deploy.dir" location="${env.GLOBUS_LOCATION}"/>
- <property name="abs.deploy.dir" location="${deploy.dir}"/>
-
- <property name="bootstrap.dir" value="bootstrap"/>
- <property name="lib.dir" location="lib"/>
- <fileset dir="etc" id="garEtc"/>
- <property name="garetc.id" value="garEtc"/>
-
- <!-- ==== Directories created on build: ========================= -->
-
- <property name="build.dir" location="build"/>
- <property name="build.dest" location="build/classes"/>
- <property name="build.dest-oldapi" location="build/classes-old"/>
- <property name="build.dest-newapi" location="build/classes-new"/>
- <property name="build.lib.basedir" location="build/lib"/>
- <property name="bootstrap.build" location="bootstrap/build"/>
-
- <!-- ==== Source of the base implementation: ==================== -->
-
- <property name="src.dir" value="src"/>
-
- <!-- ==== Only one of these source dirs will be used: =========== -->
-
- <property name="src.dir.gt4.0" value="src-proxies/4.0"/>
- <property name="src.dir.gt4.1+" value="src-proxies/4.1+"/>
-
- <!-- ==== Used to generate GT specific jar names ===== -->
-
- <property name="oldapi.name" value="${package.name}-gt4.0" />
- <property name="newapi.name" value="${package.name}-gt4.1+" />
-
- <!-- ==== This jar has the base implementation: ================= -->
- <property name="jar.name" value="${package.name}.jar"/>
-
- <!-- ==== GAR: ================= -->
- <property name="gar.name" value="${package.name}.gar"/>
- <property name="deployment.name" value="${package.name}"/>
-
- <!-- ==== Refer to standard build files for deployment: ========= -->
- <property name="build.packages" location=
- "${abs.deploy.dir}/share/globus_wsrf_common/build-packages.xml"/>
-
- <!-- ==== Java WSRF core lib dir changed in 4.1+: ================ -->
-
- <path id="classpath4.0">
- <fileset dir="${abs.deploy.dir}/lib">
- <include name="*.jar"/>
- </fileset>
- <fileset dir="${lib.dir}">
- <include name="*.jar"/>
- </fileset>
- </path>
-
- <path id="classpath4.1+">
- <fileset dir="${abs.deploy.dir}/lib/common">
- <include name="*.jar"/>
- </fileset>
- <fileset dir="${lib.dir}">
- <include name="*.jar"/>
- </fileset>
- </path>
-
- <!-- ==== Bootstrap with GT version ============================= -->
-
- <target name="determine-GT-version">
- <mkdir dir="${bootstrap.build}"/>
- <javac srcdir="${bootstrap.dir}"
- destdir="${bootstrap.build}"
- debug="on" />
- <java classname="org.globus.MajorMinorVersion"
- outputproperty="gtversion">
-
- <classpath>
- <pathelement location="${bootstrap.build}" />
- <fileset dir="${abs.deploy.dir}/lib">
- <include name="**/*.jar"/>
- </fileset>
- </classpath>
- </java>
- </target>
-
- <!-- any GT version not equal to "4.0" is considered new-api -->
- <target name="substitutions" depends="determine-GT-version">
- <condition property="is-new-api">
- <not>
- <!-- gtversion is the outputproperty from running the
- bootstrap java prog in the find-version target -->
- <equals arg1="${gtversion}" arg2="4.0" />
- </not>
- </condition>
-
- <antcall target="print-version" />
-
-
- <!-- The else property of <condition> would be very useful here,
- but it is only available after ant 1.6.3 -->
-
- <!-- extra jar -->
-
- <condition property="jar2.name" value="${oldapi.name}.jar">
- <not>
- <isset property="is-new-api" />
- </not>
- </condition>
- <condition property="jar2.name" value="${newapi.name}.jar">
- <isset property="is-new-api" />
- </condition>
-
-
- <!-- classpath -->
-
- <condition property="classpath" value="classpath4.0">
- <not>
- <isset property="is-new-api" />
- </not>
- </condition>
- <condition property="classpath" value="classpath4.1+">
- <isset property="is-new-api" />
- </condition>
-
-
- <!-- extra source directory -->
-
- <condition property="src2.dir" value="${src.dir.gt4.0}">
- <not>
- <isset property="is-new-api" />
- </not>
- </condition>
- <condition property="src2.dir" value="${src.dir.gt4.1+}">
- <isset property="is-new-api" />
- </condition>
-
-
- <!-- Main jar location -->
-
- <condition property="build.lib.dir" value="${build.lib.basedir}">
- <not>
- <isset property="is-new-api" />
- </not>
- </condition>
- <!-- authorization jars need to go to $GL/lib/common for 4.1+ -->
- <condition property="build.lib.dir" value="${build.lib.basedir}/common">
- <isset property="is-new-api" />
- </condition>
-
-
- <!-- extra build directory -->
-
- <condition property="builddest2" value="${build.dest-oldapi}">
- <not>
- <isset property="is-new-api" />
- </not>
- </condition>
- <condition property="builddest2" value="${build.dest-newapi}">
- <isset property="is-new-api" />
- </condition>
-
- <!--
- Instead of property substitution, one could have different
- targets and use the if/unless properties of <target/>, but that
- is messier looking. This way also makes it easier to add
- arbitrary substituion logic in the future.
-
- (gar.name and etc dir need property substitution though)
- -->
-
- </target>
-
- <target name="print-old" unless="is-new-api">
- <echo message="Determined you have an old API installation (${gtversion}) at your GLOBUS_LOCATION (${env.GLOBUS_LOCATION})."/>
- </target>
-
- <target name="print-new" if="is-new-api">
- <echo message="Determined you have a new API installation (${gtversion}) at your GLOBUS_LOCATION (${env.GLOBUS_LOCATION})."/>
- </target>
-
- <target name="print-version" depends="print-old,print-new" />
-
- <!-- ==== init-compile-jar-gar etc. ============================= -->
-
- <target name="init" depends="substitutions">
- <mkdir dir="${lib.dir}"/>
- <mkdir dir="${build.dir}"/>
- <mkdir dir="${build.dest}"/>
- <mkdir dir="${build.lib.basedir}"/>
- <mkdir dir="${build.lib.dir}"/>
- <mkdir dir="${builddest2}"/>
-
- <fileset dir="${build.lib.basedir}" id="garjars"/>
- <property name="garjars.id" value="garjars"/>
- </target>
-
- <target name="compile" depends="init">
-
- <!-- core code -->
-
- <javac srcdir="${src.dir}"
- destdir="${build.dest}"
- source="1.4"
- debug="on"
- classpathref="${classpath}" >
- <include name="**/*.java"/>
- <classpath>
- <path refid="${classpath}"/>
- </classpath>
- </javac>
-
- <copy todir="${build.lib.dir}">
- <fileset dir="${lib.dir}">
- <include name="*.jar"/>
- <include name="*LICENSE*"/>
- </fileset>
- </copy>
-
- <copy todir="${build.dest}" >
- <fileset dir="${src.dir}" includes="**/*.properties" />
- <fileset dir="${src.dir}" includes="**/*.xml" />
- </copy>
-
- <!-- GT version specific code -->
-
- <javac srcdir="${src2.dir}"
- destdir="${builddest2}"
- source="1.4"
- debug="on">
- <classpath>
- <path refid="${classpath}"/>
- <pathelement location="${build.dest}" />
- </classpath>
- <include name="**/*.java"/>
- </javac>
-
- <copy todir="${builddest2}" >
- <fileset dir="${src2.dir}" includes="**/*.properties" />
- <fileset dir="${src2.dir}" includes="**/*.xml" />
- </copy>
-
- </target>
-
- <target name="jar" depends="compile">
- <jar destfile="${build.lib.dir}/${jar.name}"
- basedir="${build.dest}"/>
- <jar destfile="${build.lib.dir}/${jar2.name}"
- basedir="${builddest2}"/>
- </target>
-
- <target name="dist" depends="jar">
- <ant antfile="${build.packages}" target="makeGar">
- <reference refid="${garjars.id}"/>
- <reference refid="${garetc.id}"/>
- </ant>
- </target>
-
- <target name="clean">
- <delete dir="tmp"/>
- <delete dir="${build.dir}"/>
- <delete dir="${bootstrap.build}"/>
- <delete file="${gar.name}"/>
- </target>
-
- <target name="deploy" depends="dist">
- <ant antfile="${build.packages}" target="deployGar">
- <property name="gar.id" value="${deployment.name}"/>
- </ant>
- </target>
-
- <target name="undeploy" depends="substitutions">
- <ant antfile="${build.packages}" target="undeployGar">
- <property name="gar.id" value="${deployment.name}"/>
- </ant>
- </target>
-
-</project>
1 plugins/authz/voms/etc/sample-attr-authz
@@ -1 +0,0 @@
-/TEST/workshop_with_a_long_or_more_or_less_huge_name/Role=NULL/Capability=NULL
BIN plugins/authz/voms/lib/glite-security-util-java.jar
Binary file not shown.
122 plugins/authz/voms/src-proxies/4.0/org/globus/voms/PDP.java
@@ -1,122 +0,0 @@
-/*
- * Copyright 1999-2007 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.voms;
-
-import org.globus.wsrf.impl.security.authorization.exceptions.InitializeException;
-import org.globus.wsrf.impl.security.authorization.exceptions.InvalidPolicyException;
-import org.globus.wsrf.impl.security.authorization.exceptions.AuthorizationException;
-import org.globus.wsrf.impl.security.authorization.exceptions.CloseException;
-import org.globus.wsrf.impl.security.util.AuthUtil;
-import org.globus.wsrf.impl.security.descriptor.SecurityPropertiesHelper;
-import org.globus.wsrf.security.authorization.PDPConfig;
-import org.globus.wsrf.config.ConfigException;
-import org.globus.voms.impl.PDPDecision;
-import org.globus.voms.impl.VomsConstants;
-import org.globus.voms.impl.VomsPDP;
-import org.globus.security.gridmap.GridMap;
-import org.w3c.dom.Node;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import javax.security.auth.Subject;
-import javax.xml.namespace.QName;
-import javax.xml.rpc.handler.MessageContext;
-import java.util.HashMap;
-
-/**
- * GT4.0.x compatible proxy to the VOMS authorization code.
- */
-public class PDP implements org.globus.wsrf.security.authorization.PDP {
-
- private static Log logger = LogFactory.getLog(PDP.class.getName());
-
- private VomsPDP impl = new VomsPDP();
-
- public void initialize(PDPConfig pdpConfig,
- String name,
- String id) throws InitializeException {
-
- HashMap configs = new HashMap();
- String[] keys = VomsConstants.ALL_CONFIG_KEYS;
- for (int i = 0; i < keys.length; i++) {
- Object o = pdpConfig.getProperty(name, keys[i]);
- if (o != null) {
- configs.put(keys[i], o);
- }
- }
-
- // programmatic, alternative use of the PDP could have resulted in
- // another default gridmap to use. This makes gridmap retrieval
- // unnecessary
- Object o = pdpConfig.getProperty(name, VomsConstants.DEFAULT_GRIDMAP);
- if (o == null) {
- // getGridMap method is 4.0.x specific
- try {
- GridMap gridmap = SecurityPropertiesHelper.
- getGridMap(id, null);
- if (gridmap != null) {
- configs.put(VomsConstants.DEFAULT_GRIDMAP, gridmap);
- } else {
- logger.warn("default gridmap is null");
- }
- } catch (ConfigException e) {
- throw new InitializeException("", e);
- }
- }
-
- try {
- this.impl.initialize(configs, name);
- } catch (Exception e) {
- throw new InitializeException("",e);
- }
- }
-
- public boolean isPermitted(Subject peer,
- MessageContext context,
- QName op) throws AuthorizationException {
-
- assert (this.impl != null);
-
- // AuthUtil.getIdentity() is 4.0 specific
- String peerIdentity = AuthUtil.getIdentity(peer);
- int dec;
- try {
- dec = this.impl.isPermitted(peer, peerIdentity, context, op);
- } catch (Exception e) {
- throw new AuthorizationException("", e);
- }
- return dec == PDPDecision.PERMIT;
- }
-
- public String[] getPolicyNames() {
- return null;
- }
-
- public Node getPolicy(Node node)
- throws InvalidPolicyException {
- return null;
- }
-
- public Node setPolicy(Node node)
- throws InvalidPolicyException {
- return null;
- }
-
- public void close() throws CloseException {
- }
-
-}
78 plugins/authz/voms/src-proxies/4.0/org/globus/voms/PIP.java
@@ -1,78 +0,0 @@
-/*
- * Copyright 1999-2007 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-
-package org.globus.voms;
-
-import org.globus.wsrf.security.authorization.PDPConfig;
-import org.globus.wsrf.impl.security.authorization.exceptions.InitializeException;
-import org.globus.wsrf.impl.security.authorization.exceptions.CloseException;
-import org.globus.wsrf.impl.security.authorization.exceptions.AttributeException;
-import org.globus.wsrf.impl.security.util.AuthUtil;
-import org.globus.voms.impl.VomsConstants;
-import org.globus.voms.impl.VomsCredentialPIP;
-
-import javax.security.auth.Subject;
-import javax.xml.rpc.handler.MessageContext;
-import javax.xml.namespace.QName;
-import java.util.HashMap;
-
-/**
- * GT4.0.x compatible proxy to the VOMS authorization code.
- */
-public class PIP implements org.globus.wsrf.security.authorization.PIP {
-
- private VomsCredentialPIP impl = new VomsCredentialPIP();
-
- public void initialize(PDPConfig config,
- String name,
- String id) throws InitializeException {
-
- HashMap configs = new HashMap();
- String[] keys = VomsConstants.ALL_CONFIG_KEYS;
- for (int i = 0; i < keys.length; i++) {
- Object o = config.getProperty(name, keys[i]);
- if (o != null) {
- configs.put(keys[i], o);
- }
- }
-
- try {
- this.impl.initialize(configs, name);
- } catch (Exception e) {
- throw new InitializeException("",e);
- }
- }
-
- public void collectAttributes(Subject peer,
- MessageContext ctx,
- QName op) throws AttributeException {
-
- assert (this.impl != null);
-
- // AuthUtil.getIdentity() is 4.0 specific
- String peerIdentity = AuthUtil.getIdentity(peer);
-
- try {
- this.impl.collectAttributes(peer, peerIdentity, ctx);
- } catch (Exception e) {
- throw new AttributeException(e.getMessage(),e);
- }
- }
-
- public void close() throws CloseException {
- }
-}
156 plugins/authz/voms/src-proxies/4.1+/org/globus/voms/PDP.java
@@ -1,156 +0,0 @@
-/*
- * Copyright 1999-2007 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.voms;
-
-import org.globus.wsrf.security.authorization.Decision;
-import org.globus.wsrf.security.authorization.RequestAttributes;
-import org.globus.wsrf.security.authorization.AuthorizationException;
-import org.globus.wsrf.security.authorization.ChainConfig;
-import org.globus.wsrf.security.authorization.InitializeException;
-import org.globus.wsrf.security.authorization.CloseException;
-import org.globus.wsrf.security.authorization.EntityAttributes;
-import org.globus.wsrf.security.authorization.Attribute;
-import org.globus.wsrf.security.SecureContainerConfig;
-import org.globus.wsrf.impl.security.util.AuthzUtil;
-import org.globus.wsrf.impl.security.util.AttributeUtil;
-import org.globus.wsrf.impl.security.util.CredentialUtil;
-import org.globus.wsrf.config.ConfigException;
-import org.globus.voms.impl.VomsPDP;
-import org.globus.voms.impl.VomsConstants;
-import org.globus.voms.impl.PDPDecision;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-import javax.xml.rpc.handler.MessageContext;
-import javax.xml.namespace.QName;
-import javax.security.auth.Subject;
-import java.util.List;
-import java.util.HashMap;
-import java.util.Iterator;
-
-public class PDP implements org.globus.wsrf.security.authorization.PDP {
-
- private static Log logger = LogFactory.getLog(PDP.class.getName());
-
- private VomsPDP impl = new VomsPDP();
-
-
- public void initialize(String chainName,
- String prefix,
- ChainConfig config) throws InitializeException {
-
- logger.debug("initialize() called. chainName = " + chainName +
- ", prefix = " + prefix);
-
- assert config != null;
-
- try {
- AuthzUtil.parseNameValueParam(prefix, config);
- } catch (ConfigException e) {
- throw new InitializeException("problem parsing configuration",e);
- }
-
- HashMap configs = new HashMap();
- String[] keys = VomsConstants.ALL_CONFIG_KEYS;
- for (int i = 0; i < keys.length; i++) {
- Object o = config.getProperty(prefix, keys[i]);
- if (o != null) {
- configs.put(keys[i], o);
- }
- }
-
- // not inserting default gridmap to configs, in 4.1+ this can just
- // be another PDP in the front of a permit-override chain
-
- try {
- this.impl.initialize(configs, chainName);
- } catch (Exception e) {
- throw new InitializeException("",e);
- }
- }
-
- public Decision canAccess(List subjectAttributeCollection,
- List resourceAttributeCollection,
- List actionAttributeCollection,
- RequestAttributes requestAttributes,
- MessageContext msgCtx)
- throws AuthorizationException {
-
- return isPermitted(requestAttributes, msgCtx);
- }
-
- public Decision canAdminister(List subjectAttributeCollection,
- List resourceAttributeCollection,
- List actionAttributeCollection,
- RequestAttributes requestAttributes,
- MessageContext msgCtx)
- throws AuthorizationException {
-
- return isPermitted(requestAttributes, msgCtx);
- }
-
- private Decision isPermitted(RequestAttributes requestAttrs,
- MessageContext msgCtx) {
-
- /* container is the issuer of this decision */
- EntityAttributes issuerEntity =
- SecureContainerConfig.getSecurityDescriptor().getContainerEntity();
-
- /**
- * requestAttributes contains Requestor, Environment, Action,
- * and Resource bags of attributes. The Decision object needs
- * Requestor.
- */
- EntityAttributes reqEntity = requestAttrs.getRequestor();
-
- /* requester information for impl */
- Subject peer = AttributeUtil.getPeerSubject(reqEntity);
- String peerIdentity = CredentialUtil.getIdentity(peer);
-
- /* operation name for impl */
- EntityAttributes actionEntity = requestAttrs.getAction();
- Attribute opAttr = AttributeUtil
- .getAttribute(actionEntity.getIdentityAttributes(),
- AttributeUtil.getOperationAttrIdentifier());
- Iterator it = opAttr.getAttributeValueSet().iterator();
- QName qname = null;
- if (it.hasNext()) {
- qname = (QName)it.next();
- }
-
- assert this.impl != null;
- int dec = this.impl.isPermitted(peer, peerIdentity, msgCtx, qname);
-
- switch (dec) {
- case PDPDecision.PERMIT:
- return new Decision(issuerEntity, reqEntity,
- Decision.PERMIT, null, null);
- case PDPDecision.DENY:
- return new Decision(issuerEntity, reqEntity,
- Decision.DENY, null, null);
- case PDPDecision.NOT_APPLICABLE:
- return new Decision(issuerEntity, reqEntity,
- Decision.NOT_APPLICABLE, null, null);
- default:
- return new Decision(issuerEntity, reqEntity,
- Decision.INDETERMINATE, null, null);
- }
- }
-
- public void close() throws CloseException {
- }
-}
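--- a/plugins/authz/voms/src-proxies/4.1+/org/globus/voms/PIP.java
+++ b/plugins/authz/voms/src-proxies/4.1+/org/globus/voms/PIP.java
@@ -1,103 +0,0 @@
-/*
- * Copyright 1999-2007 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.voms;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.globus.wsrf.security.authorization.ChainConfig;
-import org.globus.wsrf.security.authorization.InitializeException;
-import org.globus.wsrf.security.authorization.PIPResponse;
-import org.globus.wsrf.security.authorization.RequestAttributes;
-import org.globus.wsrf.security.authorization.AttributeException;
-import org.globus.wsrf.security.authorization.CloseException;
-import org.globus.wsrf.security.authorization.EntityAttributes;
-import org.globus.wsrf.impl.security.util.AuthzUtil;
-import org.globus.wsrf.impl.security.util.AttributeUtil;
-import org.globus.wsrf.impl.security.util.CredentialUtil;
-import org.globus.wsrf.config.ConfigException;
-import org.globus.voms.impl.VomsConstants;
-import org.globus.voms.impl.VomsCredentialPIP;
-
-import javax.xml.rpc.handler.MessageContext;
-import javax.security.auth.Subject;
-import java.util.HashMap;
-
-/**
- * GT4.1+ compatible proxy to the VOMS authorization code.
- */
-public class PIP implements org.globus.wsrf.security.authorization.PIP {
-
- private static Log logger = LogFactory.getLog(PIP.class.getName());
-
- private VomsCredentialPIP impl = new VomsCredentialPIP();
-
- public void initialize(String chainName,
- String prefix,
- ChainConfig config)
- throws InitializeException {
-
- assert config != null;
-
- logger.debug("initialize() called. chainName = " + chainName +
- ", prefix = " + prefix);
-
- try {
- AuthzUtil.parseNameValueParam(prefix, config);
- } catch (ConfigException e) {
- throw new InitializeException("problem parsing configuration",e);
- }
-
- HashMap configs = new HashMap();
- String[] keys = VomsConstants.ALL_CONFIG_KEYS;
- for (int i = 0; i < keys.length; i++) {
- Object o = config.getProperty(prefix, keys[i]);
- if (o != null) {
- configs.put(keys[i], o);
- }
- }
-
- try {
- this.impl.initialize(configs, chainName);
- } catch (Exception e) {
- throw new InitializeException("",e);
- }
-
- }
-
- public PIPResponse collectAttributes(RequestAttributes requestAttrs,
- MessageContext ctx)
- throws AttributeException {
-
- EntityAttributes requestor = requestAttrs.getRequestor();
- Subject peer = AttributeUtil.getPeerSubject(requestor);
- String peerIdentity = CredentialUtil.getIdentity(peer);
-
- logger.debug("found peer = " + peer);
- logger.debug("found peerIdentity = " + peerIdentity);
-
- try {
- this.impl.collectAttributes(peer, peerIdentity, ctx);
- } catch (Exception e) {
- throw new AttributeException("",e);
- }
-
- return null;
- }
-
- public void close() throws CloseException {
- }
-}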
154 plugins/authz/voms/src/org/globus/voms/impl/ACLPDP.java
@@ -1,154 +0,0 @@
-/*
- * Copyright 1999-2007 University of Chicago
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-
-package org.globus.voms.impl;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.globus.util.QuotedStringTokenizer;
-
-import javax.security.auth.Subject;
-import javax.xml.rpc.handler.MessageContext;
-import javax.xml.namespace.QName;
-import java.util.Set;
-import java.util.HashSet;
-import java.util.HashMap;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileInputStream;
-
-/**
- * This PDP checks for the existence of attributes only (could be used as a
- * basis for a DN version too if GridMap.normalizeDN() were run on the
- * contents), one per line, but allows for other strings to exist to the
- * right of the attribute.
- *
- * This is mainly to allow administrators to use grid-mapfiles as straight
- * ACLs but also use a straight attribute list (GridMap class fails to parse
- * a file without username mappings).
- */
-public class ACLPDP implements VomsConstants {
-
- private static final String COMMENT_CHARS = "#";
-
- private static Log logger = LogFactory.getLog(ACLPDP.class.getName());
-
- private File file;
- private long lastModified;
- protected Set attributeSet;
-
- public void initialize(HashMap configs, String name) throws Exception {
-
- if (configs == null) {
- throw new Exception("no configuration object");
- }
-
- Object aclFile = configs.get(ATTR_SECURITY_CONFIG_FILE);
- if (aclFile == null) {
- throw new Exception("no attribute based authorization " +
- "policy (the '" + ATTR_SECURITY_CONFIG_FILE +
- "' config key)");
- }
-
- String fileName = (String) aclFile;
- load(new File(fileName));
- }
-
- public int isPermitted(Subject peer,
- String attr,
- MessageContext msgCtx,
- QName op) {
-
-
- boolean ret = false;
-
- try {
- refresh();
- ret = this.attributeSet.contains(attr);
- } catch (Exception e) {
- // catch all, log, and return false (DENY)
- logger.error(e);
- }
-
- if (ret) {
- return PDPDecision.PERMIT;
- } else {
- return PDPDecision.DENY;
- }
- }
-
- private void refresh() throws IOException {
- if (this.file != null &&
- this.file.lastModified() != this.lastModified) {
-
- load(this.file);
- }
- }
-
- private void load(File file) throws IOException {
- InputStream in = null;
- try {
- in = new FileInputStream(file);
- this.file