org.edg.security.voms.database
Class DBACL

java.lang.Object
  |
  +--org.edg.security.voms.database.DBACL

public final class DBACL
extends java.lang.Object

A class representing and checking ACLs in a VO. Essentially, a wrapper class for the acl table.

Version:
$Name: v0_7_0 $
Author:
Karoly Lorentey, Akos Frohner

Field Summary
private  long id
          The id of this ACL.
private static org.apache.log4j.Logger log
          Logger.
private  DBContainer owner
          The container object that is the owner of this ACL.
(package private) static Sequence seq
          Sequence.
 
Constructor Summary
private DBACL(long id, DBContainer owner)
          Private constructor.
 
Method Summary
 void addACLEntry(ACLEntryHelper entry)
          Add an ACL entry to this ACL.
private  boolean checkACLEntryForAdmin(Operation o, DBAdmin admin, java.lang.String clientName, java.lang.String issuerName)
          Checks a matching ACL entry for the given operation.
 boolean checkACLEntryForAttribute(Operation o, java.lang.String attribute, java.lang.String clientName, java.lang.String issuerName)
           
 boolean checkACLEntryForGroup(Operation o, java.lang.String groupname, java.lang.String clientName, java.lang.String issuerName)
           
 boolean checkACLEntryForRole(Operation o, QualifiedRole role, java.lang.String clientName, java.lang.String issuerName)
           
 void checkPermission(Operation o)
          Check if the current user is allowed to perform an operation.
 long copyACL()
          Creates a new copy of this ACL.
 long countACLEntries()
          Counts the ACL entries of this ACL.
 void deleteACL()
          Remove this ACL from the database.
 ACLEntryHelper[] getACLEntries()
          Returns the ACL entries of this ACL.
 ACLEntryHelper getACLEntry(Operation o, DBAdmin admin)
          Returns the ACL entry corresponding to the given operation-administrator pair.
 java.util.List getAdminUsersForOperation(Operation o)
          Convenience method: returns the list of users who also hold an administrative role for the given operation.
(package private)  long getId()
          Return the id of this ACL.
(package private) static DBACL getInstance(long id, DBContainer owner)
          Return the ACL with the given id.
 DBContainer getOwner()
          Return the owner of this ACL.
 void removeACLEntry(ACLEntryHelper entry)
          Remove a single entry from an ACL.
 void removeAllACLEntries()
          Remove all entries from an ACL.
 void setACLEntries(ACLEntryHelper[] entries)
          Replace the ACL with a new set of entries.
 java.lang.String toString()
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

log

private static final org.apache.log4j.Logger log
Logger.


id

private long id
The id of this ACL.


seq

static final Sequence seq
Sequence.


owner

private DBContainer owner
The container object that is the owner of this ACL.

Constructor Detail

DBACL

private DBACL(long id,
              DBContainer owner)
       throws DatabaseError,
              NotInDatabase
Private constructor. Simply sets the fields to the given values.

Method Detail

getInstance

static DBACL getInstance(long id,
                         DBContainer owner)
                  throws DatabaseError,
                         NotInDatabase
Return the ACL with the given id. Note that this method does not need to access the database -- empty ACLs have no representation in the database.

Parameters:
id - The id of the ACL to return.
owner - The owner of this ACL (for logging purposes).
Returns:
the ACL with the given id.
Throws:
DatabaseError
NotInDatabase

getOwner

public DBContainer getOwner()
Return the owner of this ACL.


getId

long getId()
Return the id of this ACL.


toString

public java.lang.String toString()
Overrides:
toString in class java.lang.Object

checkPermission

public void checkPermission(Operation o)
                     throws GeneralDatabaseException,
                            VOMSSecurityException
Check if the current user is allowed to perform an operation. The method gathers the user's attributes and other security information from the SecurityContext. The other half of the information is in the ACL table. If the client connects from localhost and the configuration option voms.localhost.has.bypass is true, then the ACL check will be bypassed.

Otherwise the method iterates through the user's name and approved attributes and tries to match them with the ACL entries. If it finds at least one allow entry and it doesn't find any deny entries, then it will allow the operation by returning normally.

If the routine finds a deny entry or doesn't find any allow entries, then it will throw a VOMSSecurityException.

Parameters:
o - the requested operation on the object
Returns:
The method returns normally when the access is granted.
Throws:
VOMSSecurityException - when the access is denied.
DatabaseError - if an SQL error occurs.
InconsistentDatabase - if a database inconsistency is detected.
GeneralDatabaseException
See Also:
AuthorizationManager, SecurityContext
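
The decision rule described above for checkPermission, as an added Java sketch (Java 16 or later) that is not the VOMS source. Entry, Denied, check and outcome are hypothetical names, and the group name and DNs are constructed sample values.

```java
import java.util.List;
// Added illustration of the decision rule documented for checkPermission.
// Entry, Denied, check and outcome are hypothetical names, not VOMS classes.
public class AclDecisionSketch {
    // Constructed stand-in for one ACL entry: who, which operation, allow or deny.
    record Entry(String principal, String operation, boolean allow) {}
    static class Denied extends Exception { Denied(String reason) { super(reason); } }

    // identities: the client's name followed by its approved attributes.
    // Returns normally when access is granted, throws Denied otherwise.
    static void check(List<Entry> acl, String operation, List<String> identities,
                      boolean fromLocalhost, boolean localhostHasBypass) throws Denied {
        if (fromLocalhost && localhostHasBypass) {
            return; // bypass: no ACL entry is consulted, deny entries included
        }
        boolean allowed = false;
        for (String identity : identities) {
            for (Entry e : acl) {
                boolean matches = e.principal().equals(identity) && e.operation().equals(operation);
                if (!matches) continue;
                if (!e.allow()) {
                    throw new Denied("deny entry matches " + identity); // any deny wins
                }
                allowed = true;
            }
        }
        if (!allowed) {
            throw new Denied("no allow entry for " + operation); // default deny
        }
    }

    static String outcome(List<Entry> acl, List<String> ids, boolean local, boolean bypass) {
        try {
            check(acl, "DELETE", ids, local, bypass);
            return "granted";
        } catch (Denied d) {
            return "denied: " + d.getMessage();
        }
    }

    public static void main(String[] args) {
        String user = "/C=XX/O=Example/CN=Constructed User"; // constructed DN
        List<Entry> acl = List.of(new Entry("/vo/admins", "DELETE", true),
                                  new Entry(user, "DELETE", false));
        System.out.println(outcome(acl, List.of("/C=XX/CN=Other", "/vo/admins"), false, false));
        System.out.println(outcome(acl, List.of(user, "/vo/admins"), false, false));
        System.out.println(outcome(acl, List.of("/C=XX/CN=Other"), false, false));
        System.out.println(outcome(acl, List.of(user), true, true));
    }
}
```

The last call is granted even though a deny entry names that client: with the bypass enabled, a client connecting from localhost skips the ACL entirely.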

checkACLEntryForAdmin

private boolean checkACLEntryForAdmin(Operation o,
                                      DBAdmin admin,
                                      java.lang.String clientName,
                                      java.lang.String issuerName)
                               throws GeneralDatabaseException,
                                      VOMSSecurityException
Checks a matching ACL entry for the given operation.

Returns:
true if there is a matching allow entry.
Throws:
VOMSSecurityException - if there is a matching deny entry.
GeneralDatabaseException

checkACLEntryForAttribute

public boolean checkACLEntryForAttribute(Operation o,
                                         java.lang.String attribute,
                                         java.lang.String clientName,
                                         java.lang.String issuerName)
                                  throws GeneralDatabaseException,
                                         VOMSSecurityException
Throws:
GeneralDatabaseException
VOMSSecurityException

checkACLEntryForGroup

public boolean checkACLEntryForGroup(Operation o,
                                     java.lang.String groupname,
                                     java.lang.String clientName,
                                     java.lang.String issuerName)
                              throws GeneralDatabaseException,
                                     VOMSSecurityException
Throws:
GeneralDatabaseException
VOMSSecurityException

checkACLEntryForRole

public boolean checkACLEntryForRole(Operation o,
                                    QualifiedRole role,
                                    java.lang.String clientName,
                                    java.lang.String issuerName)
                             throws GeneralDatabaseException,
                                    VOMSSecurityException
Throws:
GeneralDatabaseException
VOMSSecurityException

getAdminUsersForOperation

public java.util.List getAdminUsersForOperation(Operation o)
                                         throws GeneralDatabaseException
Convenience method: returns the list of users who also hold an administrative role for the given operation. The returned user list can be zero length even though there are explicit admin entries, when those entries have no internal users.
The original goal of this method is to return the list of administrator users for the notification system. From this user list the notification system can extract the email addresses and send emails to the operative personnel.
The reason for not returning admin entries is that there is no email address associated with them. If the admins table were changed to include one, this call should return admin entries as well.

Parameters:
o - the requested operation on the object
Returns:
The list of users who can perform the requested action.
Throws:
DatabaseError - if an SQL error occurs.
InconsistentDatabase - if a database inconsistency is detected.
GeneralDatabaseException
See Also:
org.edg.security.voms.operation.Action.getAdminUsers

countACLEntries

public long countACLEntries()
                     throws GeneralDatabaseException
Counts the ACL entries of this ACL.

Throws:
GeneralDatabaseException

getACLEntry

public ACLEntryHelper getACLEntry(Operation o,
                                  DBAdmin admin)
                           throws GeneralDatabaseException
Returns the ACL entry corresponding to the given operation-administrator pair.

Returns:
null if there is no such pair.
Throws:
GeneralDatabaseException

getACLEntries

public ACLEntryHelper[] getACLEntries()
                               throws GeneralDatabaseException
Returns the ACL entries of this ACL.

Throws:
GeneralDatabaseException

removeACLEntry

public void removeACLEntry(ACLEntryHelper entry)
                    throws GeneralDatabaseException,
                           ArgumentException,
                           NotInDatabase
Remove a single entry from an ACL.

Throws:
GeneralDatabaseException
ArgumentException
NotInDatabase

removeAllACLEntries

public void removeAllACLEntries()
                         throws GeneralDatabaseException
Remove all entries from an ACL.

Throws:
GeneralDatabaseException

addACLEntry

public void addACLEntry(ACLEntryHelper entry)
                 throws ArgumentException,
                        GeneralDatabaseException
Add an ACL entry to this ACL.

Throws:
ArgumentException - if we already have an entry for this admin-operation pair.
GeneralDatabaseException

setACLEntries

public void setACLEntries(ACLEntryHelper[] entries)
                   throws ArgumentException,
                          GeneralDatabaseException
Replace the ACL with a new set of entries.

Throws:
ArgumentException
GeneralDatabaseException

copyACL

public long copyACL()
             throws GeneralDatabaseException
Creates a new copy of this ACL. It cannot return the ACL object itself, because the owner of the copy is unknown and possibly doesn't even exist yet.

Returns:
the id of the newly created ACL.
Throws:
java.lang.IllegalArgumentException - if any of the arguments is null.
GeneralDatabaseException

deleteACL

public void deleteACL()
               throws GeneralDatabaseException
Remove this ACL from the database. Moves all entries of this ACL to the acld table.

Throws:
GeneralDatabaseException