org.glite.security.voms.database
Class DBACL

java.lang.Object
  extended byorg.glite.security.voms.database.cache.TimedCacheable
      extended byorg.glite.security.voms.database.DBACL
All Implemented Interfaces:
Cacheable, java.lang.Cloneable

public final class DBACL
extends TimedCacheable
implements Cacheable

A class representing and checking ACLs in a VO. Essentially, a wrapper class for the acl table.

Author:
Karoly Lorentey, Akos Frohner

Method Summary
 void addACLEntry(ACLEntry entry)
          Add an ACL entry to this ACL.
 boolean checkACLEntryForAttribute(Operation o, java.lang.String attribute, java.lang.String clientName, java.lang.String issuerName)
           
 boolean checkACLEntryForGroup(Operation o, java.lang.String groupname, java.lang.String clientName, java.lang.String issuerName)
           
 boolean checkACLEntryForRole(Operation o, java.lang.String role, java.lang.String clientName, java.lang.String issuerName)
           
 void checkPermission(Operation o)
          Check if the current user is allowed to perform a specific operation.
 java.lang.Object clone()
          Return a copy of this DBACL instance.
 long copyACL()
          Creates a new copy of this ACL, returning its id.
 long countACLEntries()
          Counts the ACL entries of this ACL.
static long create()
          Creates a new empty ACL.
 void deleteACL()
          Remove this ACL from the database.
 boolean equals(java.lang.Object o)
          Returns true if Object is a DBACL with the same id.
 ACLEntry[] getACLEntries()
          Returns the ACL entries of this ACL.
 ACLEntry getACLEntry(Operation o, DBAdmin admin, boolean appendGlobal)
          Returns the ACL entry corresponding to the given operation-administrator pair.
static DBACL getGlobalACL()
          Return the global access control list.
 java.lang.Object[] getKeys()
          Return the keys that are used to refer to this instance in RowCache.
 DBContainer getOwner()
          Return the owner of this ACL.
static DBACL getReadOnlyGlobalACL()
          Return the global access control list for access control.
 boolean hasDeny()
          Return true if this or the Global ACL has a deny rule.
 boolean isGlobalACL()
          Returns true if this is the Global ACL.
 boolean isReadOnly()
          Return true if this is an inmutable instance.
 void refresh()
          Refresh this row, i.e. retrieve it again from the database.
 void removeACLEntry(ACLEntry entry)
          Remove a single entry from an ACL.
 void removeAllACLEntries()
          Remove all entries from an ACL.
 void setACLEntries(ACLEntry[] entries)
          Replace the ACL with a new set of entries.
 java.lang.String toString()
           
 
Methods inherited from class org.glite.security.voms.database.cache.TimedCacheable
needsRefresh
 
Methods inherited from class java.lang.Object
finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 
Methods inherited from interface org.glite.security.voms.database.cache.Cacheable
needsRefresh
 

Method Detail

refresh

public void refresh()
             throws GeneralDatabaseException
Description copied from interface: Cacheable
Refresh this row, i.e. retrieve it again from the database.

Specified by:
refresh in interface Cacheable
Overrides:
refresh in class TimedCacheable
Throws:
GeneralDatabaseException

clone

public java.lang.Object clone()
Return a copy of this DBACL instance. The owner is set to null in the cloned instance. The copy will not share the data structures for the entry list as the original instance.

Specified by:
clone in interface Cacheable
Overrides:
clone in class TimedCacheable

equals

public boolean equals(java.lang.Object o)
Returns true if Object is a DBACL with the same id.


getKeys

public java.lang.Object[] getKeys()
Description copied from interface: Cacheable
Return the keys that are used to refer to this instance in RowCache.

Specified by:
getKeys in interface Cacheable
Specified by:
getKeys in class TimedCacheable

getGlobalACL

public static DBACL getGlobalACL()
                          throws GeneralDatabaseException
Return the global access control list.

Returns:
the global ACL.
Throws:
GeneralDatabaseException

getReadOnlyGlobalACL

public static DBACL getReadOnlyGlobalACL()
                                  throws GeneralDatabaseException
Return the global access control list for access control.

Returns:
the global ACL.
Throws:
GeneralDatabaseException

getOwner

public DBContainer getOwner()
Return the owner of this ACL. Returns null if this is the global ACL.


isGlobalACL

public boolean isGlobalACL()
Returns true if this is the Global ACL.


isReadOnly

public boolean isReadOnly()
Return true if this is an inmutable instance.


hasDeny

public boolean hasDeny()
Return true if this or the Global ACL has a deny rule.


toString

public java.lang.String toString()

checkPermission

public void checkPermission(Operation o)
                     throws GeneralDatabaseException,
                            VOMSSecurityException
Check if the current user is allowed to perform a specific operation. The method gathers the user's attributes and other security information from the SecurityContext. The other half of the information is in the ACL table.

This method is only used for fine-grained authorization. It expects that the client's authentication has already been set up by Update.begin or Query.get.

If the client connects from localhost and the configuration option voms.localhost.has.bypass is true, then the ACL check will be bypassed.

Otherwise the method iterates through the user's name and approved attributes and tries to match them with the ACL entries. If it finds at least one allow entry and it doesn't find any deny entries, then it will allow the operation by returning normally.

If the routine finds a deny entry or doesn't find any allow entries, then it will throw a VOMSSecurityException. The method returns normally when the access is granted.

Parameters:
o - the requested operation on the object
Throws:
VOMSSecurityException - when the access is denied.
DatabaseError - if an SQL error occurs.
InconsistentDatabase - if a database inconsistency is detected.
GeneralDatabaseException
See Also:
Query.get(), Update.begin(), "org.glite.security.authorization.AuthorizationManager", "org.glite.security.info.SecurityContext"

checkACLEntryForAttribute

public boolean checkACLEntryForAttribute(Operation o,
                                         java.lang.String attribute,
                                         java.lang.String clientName,
                                         java.lang.String issuerName)
                                  throws GeneralDatabaseException,
                                         VOMSSecurityException
Throws:
GeneralDatabaseException
VOMSSecurityException

checkACLEntryForGroup

public boolean checkACLEntryForGroup(Operation o,
                                     java.lang.String groupname,
                                     java.lang.String clientName,
                                     java.lang.String issuerName)
                              throws GeneralDatabaseException,
                                     VOMSSecurityException
Throws:
GeneralDatabaseException
VOMSSecurityException

checkACLEntryForRole

public boolean checkACLEntryForRole(Operation o,
                                    java.lang.String role,
                                    java.lang.String clientName,
                                    java.lang.String issuerName)
                             throws GeneralDatabaseException,
                                    VOMSSecurityException
Throws:
GeneralDatabaseException
VOMSSecurityException

create

public static long create()
                   throws GeneralDatabaseException
Creates a new empty ACL. Normally you will need copyACL instead of this method. The one exception is during database deployment, when the VO group is created.

Throws:
GeneralDatabaseException

copyACL

public long copyACL()
             throws GeneralDatabaseException
Creates a new copy of this ACL, returning its id. Can not return the ACL object itself, because its owner is unknown, possibly doesn't even exist yet. It is legal to call this operation on an inmutable ACL instance.

Returns:
the id of the newly created ACL.
Throws:
java.lang.IllegalArgumentException - if any of the arguments is null.
GeneralDatabaseException

countACLEntries

public long countACLEntries()
                     throws GeneralDatabaseException
Counts the ACL entries of this ACL.

Throws:
GeneralDatabaseException

getACLEntry

public ACLEntry getACLEntry(Operation o,
                            DBAdmin admin,
                            boolean appendGlobal)
                     throws GeneralDatabaseException,
                            ArgumentException
Returns the ACL entry corresponding to the given operation-administrator pair.

Parameters:
o - the operation to look up.
admin - the principal to look up.
appendGlobal - if true, also look into the global ACL.
Returns:
null if there is no such pair.
Throws:
GeneralDatabaseException
ArgumentException

getACLEntries

public ACLEntry[] getACLEntries()
                         throws GeneralDatabaseException
Returns the ACL entries of this ACL.

Throws:
GeneralDatabaseException

removeACLEntry

public void removeACLEntry(ACLEntry entry)
                    throws GeneralDatabaseException,
                           ArgumentException,
                           NotInDatabase
Remove a single entry from an ACL.

Throws:
GeneralDatabaseException
ArgumentException
NotInDatabase

removeAllACLEntries

public void removeAllACLEntries()
                         throws GeneralDatabaseException
Remove all entries from an ACL.

Throws:
GeneralDatabaseException

addACLEntry

public void addACLEntry(ACLEntry entry)
                 throws ArgumentException,
                        GeneralDatabaseException
Add an ACL entry to this ACL.

Throws:
ArgumentException - if we already have an entry for this admin-operation pair.
GeneralDatabaseException

setACLEntries

public void setACLEntries(ACLEntry[] entries)
                   throws ArgumentException,
                          GeneralDatabaseException
Replace the ACL with a new set of entries.

Throws:
ArgumentException
GeneralDatabaseException

deleteACL

public void deleteACL()
               throws GeneralDatabaseException
Remove this ACL from the database. Moves all entries of this ACL to the acld table.

Throws:
GeneralDatabaseException