001    //$HeadURL: svn+ssh://jwilden@svn.wald.intevation.org/deegree/base/branches/2.5_testing/src/org/deegree/security/owsrequestvalidator/RequestValidator.java $
002    /*----------------------------------------------------------------------------
003     This file is part of deegree, http://deegree.org/
004     Copyright (C) 2001-2009 by:
005       Department of Geography, University of Bonn
006     and
007       lat/lon GmbH
008    
009     This library is free software; you can redistribute it and/or modify it under
010     the terms of the GNU Lesser General Public License as published by the Free
011     Software Foundation; either version 2.1 of the License, or (at your option)
012     any later version.
013     This library is distributed in the hope that it will be useful, but WITHOUT
014     ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
015     FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
016     details.
017     You should have received a copy of the GNU Lesser General Public License
018     along with this library; if not, write to the Free Software Foundation, Inc.,
019     59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
020    
021     Contact information:
022    
023     lat/lon GmbH
024     Aennchenstr. 19, 53177 Bonn
025     Germany
026     http://lat-lon.de/
027    
028     Department of Geography, University of Bonn
029     Prof. Dr. Klaus Greve
030     Postfach 1147, 53001 Bonn
031     Germany
032     http://www.geographie.uni-bonn.de/deegree/
033    
034     e-mail: info@deegree.org
035    ----------------------------------------------------------------------------*/
036    package org.deegree.security.owsrequestvalidator;
037    
038    import java.util.List;
039    import java.util.Properties;
040    
041    import org.deegree.framework.log.ILogger;
042    import org.deegree.framework.log.LoggerFactory;
043    import org.deegree.framework.util.StringTools;
044    import org.deegree.model.feature.Feature;
045    import org.deegree.model.feature.FeatureProperty;
046    import org.deegree.ogcwebservices.InvalidParameterValueException;
047    import org.deegree.ogcwebservices.OGCWebServiceRequest;
048    import org.deegree.security.GeneralSecurityException;
049    import org.deegree.security.UnauthorizedException;
050    import org.deegree.security.drm.SecurityAccess;
051    import org.deegree.security.drm.SecurityAccessManager;
052    import org.deegree.security.drm.WrongCredentialsException;
053    import org.deegree.security.drm.model.RightType;
054    import org.deegree.security.drm.model.SecuredObject;
055    import org.deegree.security.drm.model.User;
056    import org.deegree.security.owsproxy.Condition;
057    import org.deegree.security.owsproxy.DefaultDBConnection;
058    import org.deegree.security.owsproxy.OperationParameter;
059    import org.deegree.security.owsproxy.SecurityConfig;
060    
061    /**
062     * basic class for validating OWS requests
063     *
064     * @author <a href="mailto:poth@lat-lon.de">Andreas Poth </a>
065     * @author last edited by: $Author: mschneider $
066     *
067     * @version $Revision: 18195 $, $Date: 2009-06-18 17:55:39 +0200 (Do, 18 Jun 2009) $
068     */
069    
070    public abstract class RequestValidator {
071    
072        private static ILogger LOG = LoggerFactory.getLogger( RequestValidator.class );
073    
074        private static final String VERSION = "version";
075    
076        private static final String EXCEPTION = "exception";
077    
078        // message strings
079        private static final String INVALIDEXCEPTIONS = Messages.getString( "RequestValidator.INVALIDEXCEPTIONS" );
080    
081        private static final String UNAUTORIZEDACCESS = Messages.getString( "RequestValidator.UNAUTORIZEDACCESS" );
082    
083        protected Policy policy = null;
084    
085        protected GeneralPolicyValidator gpv = null;
086    
087        protected boolean userCoupled = false;
088    
089        protected SecurityConfig securityConfig = null;
090    
091        /**
092         * @param policy
093         */
094        public RequestValidator( Policy policy ) {
095            this.policy = policy;
096            Condition cond = policy.getGeneralCondition();
097            gpv = new GeneralPolicyValidator( cond );
098            securityConfig = policy.getSecurityConfig();
099            if ( securityConfig != null ) {
100                DefaultDBConnection db = securityConfig.getRegistryConfig().getDbConnection();
101                Properties properties = new Properties();
102                properties.setProperty( "driver", db.getDirver() );
103                properties.setProperty( "url", db.getUrl() );
104                properties.setProperty( "user", db.getUser() );
105                properties.setProperty( "password", db.getPassword() );
106                try {
107                    if ( !SecurityAccessManager.isInitialized() ) {
108                        SecurityAccessManager.initialize( securityConfig.getRegistryClass(), properties,
109                                                          securityConfig.getReadWriteTimeout() * 1000 );
110                    }
111                } catch ( GeneralSecurityException e1 ) {
112                    LOG.logError( e1.getMessage(), e1 );
113                    e1.printStackTrace();
114                }
115            }
116        }
117    
118        /**
119         * @return Returns the policy.
120         */
121        public Policy getPolicy() {
122            return policy;
123        }
124    
125        /**
126         * @param policy
127         *            The policy to set.
128         */
129        public void setPolicy( Policy policy ) {
130            this.policy = policy;
131        }
132    
133        /**
134         * validates if the passed request itself and its content is valid against the conditions defined in the policies
135         * assigned to a <tt>OWSPolicyValidator</tt>
136         *
137         * @param request
138         * @param user
139         * @throws InvalidParameterValueException
140         * @throws UnauthorizedException
141         */
142        public abstract void validateRequest( OGCWebServiceRequest request, User user )
143                                throws InvalidParameterValueException, UnauthorizedException;
144    
145        /**
146         *
147         * @param condition
148         * @param version
149         * @throws InvalidParameterValueException
150         */
151        protected void validateVersion( Condition condition, String version )
152                                throws InvalidParameterValueException {
153            OperationParameter op = condition.getOperationParameter( VERSION );
154    
155            // version is valid because no restrictions are made
156            if ( op.isAny() ) {
157                return;
158            }
159            List list = op.getValues();
160            if ( !list.contains( version ) ) {
161                if ( !op.isUserCoupled() ) {
162                    String INVALIDVERSION = Messages.format( "RequestValidator.INVALIDVERSION", version );
163                    throw new InvalidParameterValueException( INVALIDVERSION );
164                }
165                userCoupled = true;
166            }
167    
168        }
169    
170        /**
171         * checks if the passed exceptions format is valid against the exceptions formats defined in the policy. If
172         * <tt>user</ff> != <tt>null</tt> the valid exceptions formats will be read from the user/rights repository
173         *
174         * @param condition
175         *            condition containing the definition of the valid exceptions
176         * @param exceptions
177         * @throws InvalidParameterValueException
178         */
179        protected void validateExceptions( Condition condition, String exceptions )
180                                throws InvalidParameterValueException {
181    
182            OperationParameter op = condition.getOperationParameter( EXCEPTION );
183    
184            // version is valid because no restrictions are made
185            if ( op.isAny() )
186                return;
187    
188            List list = op.getValues();
189            if ( !list.contains( exceptions ) ) {
190                if ( !op.isUserCoupled() ) {
191                    throw new InvalidParameterValueException( INVALIDEXCEPTIONS + exceptions );
192                }
193                userCoupled = true;
194            }
195    
196        }
197    
198        /**
199         * handles the validation of user coupled parameters of a request
200         *
201         * @param user
202         * @param feature
203         * @param secObjName
204         * @param secObjType
205         * @param rightType
206         * @throws UnauthorizedException
207         * @throws InvalidParameterValueException
208         */
209        protected void handleUserCoupledRules( User user, Feature feature, String secObjName, String secObjType,
210                                               RightType rightType )
211                                throws UnauthorizedException, InvalidParameterValueException {
212            try {
213                SecurityAccessManager sam = SecurityAccessManager.getInstance();
214                SecurityAccess access = sam.acquireAccess( user );
215                SecuredObject secObj = access.getSecuredObjectByName( secObjName, secObjType );
216    
217                if ( LOG.isDebug() ) {
218                    LOG.logDebug( "Checking rule for", secObjName + " -> " + secObjType );
219                    LOG.logDebug( "Right type is", rightType.getName() );
220                    for ( FeatureProperty p : feature.getProperties() ) {
221                        LOG.logDebug( "Feature property name: " + p.getName().getPrefixedName() );
222                        LOG.logDebug( "Feature property value: ", p.getValue() );
223                    }
224                    LOG.logDebug( "For user", user );
225                }
226    
227                if ( !user.hasRight( access, rightType, feature, secObj ) ) {
228                    if ( securityConfig.getProxiedUrl() != null ) {
229                        String name = secObjName.substring( secObjName.indexOf( "]" ) + 1 );
230                        throw new UnauthorizedException( UNAUTORIZEDACCESS + name + ':' + feature );
231                    }
232                    throw new UnauthorizedException( UNAUTORIZEDACCESS + secObjName + ':' + feature );
233                }
234            } catch ( WrongCredentialsException e ) {
235                throw new UnauthorizedException( e.getMessage() );
236            } catch ( GeneralSecurityException e ) {
237                e.printStackTrace();
238                throw new UnauthorizedException( e.getMessage() );
239            } catch ( Exception e ) {
240                throw new InvalidParameterValueException( StringTools.stackTraceToString( e ) );
241            }
242        }
243    
244    }