001 //$HeadURL: svn+ssh://jwilden@svn.wald.intevation.org/deegree/base/branches/2.5_testing/src/org/deegree/security/owsrequestvalidator/wfs/TransactionValidator.java $
002 /*----------------------------------------------------------------------------
003 This file is part of deegree, http://deegree.org/
004 Copyright (C) 2001-2009 by:
005 Department of Geography, University of Bonn
006 and
007 lat/lon GmbH
008
009 This library is free software; you can redistribute it and/or modify it under
010 the terms of the GNU Lesser General Public License as published by the Free
011 Software Foundation; either version 2.1 of the License, or (at your option)
012 any later version.
013 This library is distributed in the hope that it will be useful, but WITHOUT
014 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
015 FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
016 details.
017 You should have received a copy of the GNU Lesser General Public License
018 along with this library; if not, write to the Free Software Foundation, Inc.,
019 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
020
021 Contact information:
022
023 lat/lon GmbH
024 Aennchenstr. 19, 53177 Bonn
025 Germany
026 http://lat-lon.de/
027
028 Department of Geography, University of Bonn
029 Prof. Dr. Klaus Greve
030 Postfach 1147, 53001 Bonn
031 Germany
032 http://www.geographie.uni-bonn.de/deegree/
033
034 e-mail: info@deegree.org
035 ----------------------------------------------------------------------------*/
036 package org.deegree.security.owsrequestvalidator.wfs;
037
038 import static org.deegree.portal.standard.security.control.ClientHelper.TYPE_FEATURETYPE;
039 import static org.deegree.security.drm.model.RightType.DELETE;
040 import static org.deegree.security.drm.model.RightType.INSERT;
041 import static org.deegree.security.drm.model.RightType.UPDATE;
042
043 import java.io.IOException;
044 import java.util.ArrayList;
045 import java.util.HashMap;
046 import java.util.List;
047 import java.util.Map;
048
049 import org.deegree.datatypes.QualifiedName;
050 import org.deegree.datatypes.Types;
051 import org.deegree.framework.log.ILogger;
052 import org.deegree.framework.log.LoggerFactory;
053 import org.deegree.framework.util.StringTools;
054 import org.deegree.framework.xml.XMLParsingException;
055 import org.deegree.i18n.Messages;
056 import org.deegree.model.feature.Feature;
057 import org.deegree.model.feature.FeatureFactory;
058 import org.deegree.model.feature.FeatureProperty;
059 import org.deegree.model.feature.schema.FeatureType;
060 import org.deegree.model.feature.schema.PropertyType;
061 import org.deegree.model.filterencoding.ComplexFilter;
062 import org.deegree.model.filterencoding.FeatureFilter;
063 import org.deegree.model.filterencoding.Filter;
064 import org.deegree.model.filterencoding.FilterConstructionException;
065 import org.deegree.model.filterencoding.OperationDefines;
066 import org.deegree.ogcwebservices.InvalidParameterValueException;
067 import org.deegree.ogcwebservices.OGCWebServiceRequest;
068 import org.deegree.ogcwebservices.wfs.XMLFactory;
069 import org.deegree.ogcwebservices.wfs.operation.Query;
070 import org.deegree.ogcwebservices.wfs.operation.transaction.Delete;
071 import org.deegree.ogcwebservices.wfs.operation.transaction.Insert;
072 import org.deegree.ogcwebservices.wfs.operation.transaction.Transaction;
073 import org.deegree.ogcwebservices.wfs.operation.transaction.TransactionOperation;
074 import org.deegree.ogcwebservices.wfs.operation.transaction.Update;
075 import org.deegree.portal.standard.security.control.ClientHelper;
076 import org.deegree.security.GeneralSecurityException;
077 import org.deegree.security.UnauthorizedException;
078 import org.deegree.security.drm.SecurityAccess;
079 import org.deegree.security.drm.SecurityAccessManager;
080 import org.deegree.security.drm.model.Right;
081 import org.deegree.security.drm.model.RightSet;
082 import org.deegree.security.drm.model.RightType;
083 import org.deegree.security.drm.model.SecuredObject;
084 import org.deegree.security.drm.model.User;
085 import org.deegree.security.owsproxy.Condition;
086 import org.deegree.security.owsproxy.OperationParameter;
087 import org.deegree.security.owsproxy.Request;
088 import org.deegree.security.owsrequestvalidator.Policy;
089 import org.w3c.dom.Element;
090 import org.xml.sax.SAXException;
091
092 /**
093 * Validator for OGC CSW Transaction requests. It will validated values of:<br>
094 * <ul>
095 * <li>service version</li>
096 * <li>operation</li>
097 * <li>type names</li>
098 * <li>metadata standard</li>
099 * </ul>
100 *
101 * @version $Revision: 18195 $
102 * @author <a href="mailto:poth@lat-lon.de">Andreas Poth</a>
103 * @author last edited by: $Author: mschneider $
104 *
105 * @version 1.0. $Revision: 18195 $, $Date: 2009-06-18 17:55:39 +0200 (Do, 18 Jun 2009) $
106 *
107 * @since 2.0
108 */
109 public class TransactionValidator extends AbstractWFSRequestValidator {
110
111 private static final ILogger LOG = LoggerFactory.getLogger( TransactionValidator.class );
112
113 private final static String TYPENAME = "typeName";
114
115 private static Map<QualifiedName, Filter> filterMap = new HashMap<QualifiedName, Filter>();
116
117 private static FeatureType insertFT = null;
118
119 private static FeatureType updateFT = null;
120
121 private static FeatureType deleteFT = null;
122
123 static {
124 if ( insertFT == null ) {
125 insertFT = TransactionValidator.createInsertFeatureType();
126 }
127 if ( updateFT == null ) {
128 updateFT = TransactionValidator.createUpdateFeatureType();
129 }
130 if ( deleteFT == null ) {
131 deleteFT = TransactionValidator.createDeleteFeatureType();
132 }
133 }
134
135 /**
136 *
137 * @param policy
138 */
139 public TransactionValidator( Policy policy ) {
140 super( policy );
141 }
142
143 @Override
144 public void validateRequest( OGCWebServiceRequest request, User user )
145 throws InvalidParameterValueException, UnauthorizedException {
146
147 userCoupled = false;
148
149 Transaction wfsreq = (Transaction) request;
150
151 List<TransactionOperation> ops = wfsreq.getOperations();
152 for ( int i = 0; i < ops.size(); i++ ) {
153 userCoupled = false;
154 if ( ops.get( i ) instanceof Insert ) {
155 Request req = policy.getRequest( "WFS", "WFS_Insert" );
156 if ( !req.isAny() && !req.getPreConditions().isAny() ) {
157 Condition condition = req.getPreConditions();
158 validateOperation( condition, (Insert) ops.get( i ) );
159 }
160 if ( userCoupled ) {
161 validateAgainstRightsDB( (Insert) ops.get( i ), user );
162 }
163 } else if ( ops.get( i ) instanceof Update ) {
164 Request req = policy.getRequest( "WFS", "WFS_Update" );
165 if ( !req.isAny() && !req.getPreConditions().isAny() ) {
166 Condition condition = req.getPreConditions();
167 validateOperation( condition, (Update) ops.get( i ) );
168 }
169 if ( userCoupled ) {
170 validateAgainstRightsDB( (Update) ops.get( i ), user );
171 }
172 if ( req.getPostConditions() != null ) {
173 addFilter( ops.get( i ), req.getPostConditions(), user );
174 }
175 } else if ( ops.get( i ) instanceof Delete ) {
176 Request req = policy.getRequest( "WFS", "WFS_Delete" );
177 if ( !req.isAny() && !req.getPreConditions().isAny() ) {
178 Condition condition = req.getPreConditions();
179 validateOperation( condition, (Delete) ops.get( i ) );
180 }
181 if ( userCoupled ) {
182 validateAgainstRightsDB( (Delete) ops.get( i ), user );
183 }
184 if ( req.getPostConditions() != null ) {
185 addFilter( ops.get( i ), req.getPostConditions(), user );
186 }
187 }
188 }
189
190 if ( LOG.getLevel() == ILogger.LOG_DEBUG ) {
191 try {
192 XMLFactory.export( wfsreq ).prettyPrint( System.out );
193 } catch ( Exception e ) {
194 // nottin
195 }
196 }
197
198 }
199
200 /**
201 * adds a filter to the passed opertaion. If the condition is userCoupled the filter will be read from the DRM
202 * otherwise it is read from the current WFS policy file
203 *
204 * @param operation
205 * @param postConditions
206 * @param user
207 * @throws InvalidParameterValueException
208 * @throws UnauthorizedException
209 */
210 private void addFilter( TransactionOperation operation, Condition postConditions, User user )
211 throws InvalidParameterValueException, UnauthorizedException {
212 if ( postConditions.getOperationParameter( "instanceFilter" ) != null ) {
213 Filter opFilter = null;
214 if ( operation instanceof Update ) {
215 opFilter = ( (Update) operation ).getFilter();
216 } else {
217 opFilter = ( (Delete) operation ).getFilter();
218 }
219 Filter filter = null;
220 if ( postConditions.getOperationParameter( "instanceFilter" ).isUserCoupled() ) {
221 // read filterMap from constraints defined in deegree DRM
222 filter = readFilterFromDRM( operation, user );
223 } else {
224 fillFilterMap( postConditions );
225 // use filterMap read from policy document
226 filter = filterMap.get( operation.getAffectedFeatureTypes().get( 0 ) );
227 }
228
229 if ( opFilter instanceof ComplexFilter ) {
230 // create a new Filter that is a combination of the
231 // original filter and the one defined in the GetFeatures
232 // PostConditions coupled by a logical 'And'
233 ComplexFilter qFilter = (ComplexFilter) opFilter;
234 if ( filter == null ) {
235 filter = qFilter;
236 } else {
237 filter = new ComplexFilter( qFilter, (ComplexFilter) filter, OperationDefines.AND );
238 }
239 } else if ( opFilter instanceof FeatureFilter ) {
240 // just take original filter if it is as feature filter
241 // because feature filter and complex filters can not
242 // be combined
243 filter = opFilter;
244 }
245 if ( operation instanceof Update ) {
246 ( (Update) operation ).setFilter( filter );
247 } else {
248 ( (Delete) operation ).setFilter( filter );
249 }
250 }
251 }
252
253 /**
254 * reads a filter m
255 *
256 * @param operation
257 * @param user
258 * @return the defined filter for the given operation or <code>null</code> if no such filter was found.
259 * @throws UnauthorizedException
260 * @throws InvalidParameterValueException
261 */
262 private Filter readFilterFromDRM( TransactionOperation operation, User user )
263 throws UnauthorizedException, InvalidParameterValueException {
264 Filter f = null;
265 try {
266 SecurityAccessManager sam = SecurityAccessManager.getInstance();
267 SecurityAccess access = sam.acquireAccess( user );
268
269 QualifiedName qn = operation.getAffectedFeatureTypes().get( 0 );
270 SecuredObject secObj = access.getSecuredObjectByName( qn.getFormattedString(),
271 ClientHelper.TYPE_FEATURETYPE );
272
273 RightSet rs = user.getRights( access, secObj );
274 Right right = null;
275 if ( operation instanceof Update ) {
276 right = rs.getRight( secObj, RightType.UPDATE_RESPONSE );
277 } else {
278 right = rs.getRight( secObj, RightType.DELETE_RESPONSE );
279 }
280
281 // a constraint - if available - is constructed as a OGC Filter
282 // one of the filter operations may is 'PropertyIsEqualTo' and
283 // defines a ProperyName == 'instanceFilter'. The Literal of this
284 // operation itself is a complete and valid Filter expression.
285 if ( right != null ) {
286 ComplexFilter filter = (ComplexFilter) right.getConstraints();
287 if ( filter != null ) {
288 // extract filter expression to be used as additional
289 // filter for a GetFeature request
290 filter = extractInstanceFilter( filter.getOperation() );
291 if ( filter != null ) {
292 f = filter;
293 }
294 }
295 }
296
297 } catch ( GeneralSecurityException e ) {
298 LOG.logError( e.getMessage(), e );
299 throw new UnauthorizedException( e.getMessage(), e );
300 } catch ( FilterConstructionException e ) {
301 LOG.logError( e.getMessage(), e );
302 throw new InvalidParameterValueException( e.getMessage(), e );
303 } catch ( SAXException e ) {
304 LOG.logError( e.getMessage(), e );
305 throw new InvalidParameterValueException( e.getMessage(), e );
306 } catch ( IOException e ) {
307 LOG.logError( e.getMessage(), e );
308 throw new InvalidParameterValueException( e.getMessage(), e );
309 }
310 return f;
311 }
312
313 private void fillFilterMap( Condition postConditions )
314 throws InvalidParameterValueException {
315 List<Element> complexValues = postConditions.getOperationParameter( "instanceFilter" ).getComplexValues();
316 try {
317 if ( filterMap.size() == 0 ) {
318 for ( int i = 0; i < complexValues.size(); i++ ) {
319 Query q = Query.create( complexValues.get( 0 ) );
320 Filter f = q.getFilter();
321 QualifiedName qn = q.getTypeNames()[0];
322 filterMap.put( qn, f );
323 }
324 }
325 } catch ( XMLParsingException e ) {
326 LOG.logError( e.getMessage(), e );
327 throw new InvalidParameterValueException( this.getClass().getName(), e.getMessage() );
328 }
329 }
330
331 /**
332 *
333 * @param condition
334 * @param insert
335 * @throws InvalidParameterValueException
336 */
337 private void validateOperation( Condition condition, Insert insert )
338 throws InvalidParameterValueException {
339
340 OperationParameter op = condition.getOperationParameter( TYPENAME );
341
342 // version is valid because no restrictions are made
343 if ( op.isAny() ) {
344 return;
345 }
346
347 if ( op.isUserCoupled() ) {
348 userCoupled = true;
349 } else {
350 List<String> vals = op.getValues();
351 List<QualifiedName> fts = insert.getAffectedFeatureTypes();
352 for ( int i = 0; i < fts.size(); i++ ) {
353 String qn = fts.get( i ).getFormattedString();
354 if ( !vals.contains( qn ) ) {
355 String s = Messages.getMessage( "OWSPROXY_NOT_ALLOWED_FEATURETYPE", "insert", qn );
356 throw new InvalidParameterValueException( s );
357 }
358 }
359 }
360 }
361
362 /**
363 *
364 * @param condition
365 * @param delete
366 * @throws InvalidParameterValueException
367 */
368 private void validateOperation( Condition condition, Delete delete )
369 throws InvalidParameterValueException {
370 OperationParameter op = condition.getOperationParameter( TYPENAME );
371
372 // version is valid because no restrictions are made
373 if ( op.isAny() ) {
374 return;
375 }
376
377 if ( op.isUserCoupled() ) {
378 userCoupled = true;
379 } else {
380 List<String> vals = op.getValues();
381 List<QualifiedName> fts = delete.getAffectedFeatureTypes();
382 for ( int i = 0; i < fts.size(); i++ ) {
383 String qn = fts.get( i ).getFormattedString();
384 if ( !vals.contains( qn ) ) {
385 String s = Messages.getMessage( "OWSPROXY_NOT_ALLOWED_FEATURETYPE", "delete", qn );
386 throw new InvalidParameterValueException( s );
387 }
388 }
389 }
390 }
391
392 /**
393 *
394 * @param condition
395 * @param update
396 * @throws InvalidParameterValueException
397 */
398 private void validateOperation( Condition condition, Update update )
399 throws InvalidParameterValueException {
400
401 OperationParameter op = condition.getOperationParameter( TYPENAME );
402
403 // version is valid because no restrictions are made
404 if ( op.isAny() ) {
405 return;
406 }
407
408 if ( op.isUserCoupled() ) {
409 userCoupled = true;
410 } else {
411 List<String> vals = op.getValues();
412 List<QualifiedName> fts = update.getAffectedFeatureTypes();
413 for ( int i = 0; i < fts.size(); i++ ) {
414 String qn = fts.get( i ).getFormattedString();
415 if ( !vals.contains( qn ) ) {
416 String s = Messages.getMessage( "OWSPROXY_NOT_ALLOWED_FEATURETYPE", "update", qn );
417 throw new InvalidParameterValueException( s );
418 }
419 }
420 }
421 }
422
423 /**
424 * validates a Transcation.Delete request against the underlying users and rights management system
425 *
426 * @param delete
427 * @param user
428 * @throws InvalidParameterValueException
429 * @throws UnauthorizedException
430 */
431 private void validateAgainstRightsDB( Delete delete, User user )
432 throws InvalidParameterValueException, UnauthorizedException {
433 if ( user == null ) {
434 throw new UnauthorizedException( Messages.getMessage( "OWSPROXY_NO_ANONYMOUS_ACCESS" ) );
435 }
436
437 List<QualifiedName> fts = delete.getAffectedFeatureTypes();
438 for ( int i = 0; i < fts.size(); i++ ) {
439 String name = fts.get( i ).getLocalName();
440 String ns = fts.get( i ).getNamespace().toASCIIString();
441 String qn = StringTools.concat( 200, '{', ns, "}:", name );
442
443 // create a feature instance from the parameters of the GetFeature request
444 // to enable comparsion with a filter encoding expression stored in the
445 // assigned rights management system
446 List<FeatureProperty> fps = new ArrayList<FeatureProperty>();
447 QualifiedName tn = new QualifiedName( "typeName" );
448 FeatureProperty fp = FeatureFactory.createFeatureProperty( tn, qn );
449 fps.add( fp );
450 Feature feature = FeatureFactory.createFeature( "id", deleteFT, fps );
451
452 if ( securityConfig.getProxiedUrl() == null ) {
453 handleUserCoupledRules( user, // the user who posted the request
454 feature, // This is the Database feature
455 qn, // the Qualified name of the users Featurerequest
456 TYPE_FEATURETYPE, // a primary key in the db.
457 DELETE );// We're requesting a featuretype.
458 } else {
459 handleUserCoupledRules( user, // the user who posted the request
460 feature, // This is the Database feature
461 "[" + securityConfig.getProxiedUrl() + "]:" + qn, // the Qualified name of the
462 // users Featurerequest
463 TYPE_FEATURETYPE, // a primary key in the db.
464 DELETE );// We're requesting a featuretype.
465 }
466 }
467
468 }
469
470 /**
471 * validates a Transcation.Update request against the underlying users and rights management system
472 *
473 * @param update
474 * @param user
475 * @throws UnauthorizedException
476 * @throws InvalidParameterValueException
477 */
478 private void validateAgainstRightsDB( Update update, User user )
479 throws InvalidParameterValueException, UnauthorizedException {
480
481 if ( user == null ) {
482 throw new UnauthorizedException( Messages.getMessage( "OWSPROXY_NO_ANONYMOUS_ACCESS" ) );
483 }
484
485 List<QualifiedName> fts = update.getAffectedFeatureTypes();
486 for ( int i = 0; i < fts.size(); i++ ) {
487 String name = fts.get( i ).getLocalName();
488 String ns = fts.get( i ).getNamespace().toASCIIString();
489 String qn = StringTools.concat( 200, '{', ns, "}:", name );
490
491 // create a feature instance from the parameters of the GetFeature request
492 // to enable comparsion with a filter encoding expression stored in the
493 // assigned rights management system
494 List<FeatureProperty> fps = new ArrayList<FeatureProperty>();
495 QualifiedName tn = new QualifiedName( "typeName" );
496 FeatureProperty fp = FeatureFactory.createFeatureProperty( tn, qn );
497 fps.add( fp );
498 Feature feature = FeatureFactory.createFeature( "id", updateFT, fps );
499
500 if ( securityConfig.getProxiedUrl() == null ) {
501 handleUserCoupledRules( user, // the user who posted the request
502 feature, // This is the Database feature
503 qn, // the Qualified name of the users Featurerequest
504 TYPE_FEATURETYPE, // a primary key in the db.
505 UPDATE );// We're requesting a featuretype.
506 } else {
507 handleUserCoupledRules( user, // the user who posted the request
508 feature, // This is the Database feature
509 "[" + securityConfig.getProxiedUrl() + "]:" + qn, // the Qualified name of the
510 // users Featurerequest
511 TYPE_FEATURETYPE, // a primary key in the db.
512 UPDATE );// We're requesting a featuretype.
513 }
514 }
515 }
516
517 /**
518 * validates the passed insert operation against the deegree user/rights management system
519 *
520 * @param insert
521 * @param user
522 * @throws InvalidParameterValueException
523 * @throws UnauthorizedException
524 */
525 private void validateAgainstRightsDB( Insert insert, User user )
526 throws InvalidParameterValueException, UnauthorizedException {
527
528 if ( user == null ) {
529 throw new UnauthorizedException( Messages.getMessage( "OWSPROXY_NO_ANONYMOUS_ACCESS" ) );
530 }
531
532 List<QualifiedName> fts = insert.getAffectedFeatureTypes();
533 for ( int i = 0; i < fts.size(); i++ ) {
534 String name = fts.get( i ).getLocalName();
535 String ns = fts.get( i ).getNamespace().toASCIIString();
536 String qn = StringTools.concat( 200, '{', ns, "}:", name );
537 // create a feature instance from the parameters of the GetRecords request
538 // to enable comparsion with a filter encoding expression stored in the
539 // assigned rights management system
540 List<FeatureProperty> fps = new ArrayList<FeatureProperty>();
541 QualifiedName tn = new QualifiedName( "typeName" );
542 FeatureProperty fp = FeatureFactory.createFeatureProperty( tn, qn );
543 fps.add( fp );
544 Feature feature = FeatureFactory.createFeature( "id", insertFT, fps );
545
546 if ( securityConfig.getProxiedUrl() == null ) {
547 handleUserCoupledRules( user, // the user who posted the request
548 feature, // This is the Database feature
549 qn, // the Qualified name of the users Featurerequest
550 TYPE_FEATURETYPE, // a primary key in the db.
551 INSERT );// We're requesting a featuretype.
552 } else {
553 handleUserCoupledRules( user, // the user who posted the request
554 feature, // This is the Database feature
555 "[" + securityConfig.getProxiedUrl() + "]:" + qn, // the Qualified name of the
556 // users Featurerequest
557 TYPE_FEATURETYPE, // a primary key in the db.
558 INSERT );// We're requesting a featuretype.
559 }
560 }
561
562 }
563
564 /**
565 * creates a feature type that matches the parameters of a Insert operation
566 *
567 * @return created <tt>FeatureType</tt>
568 */
569 private static FeatureType createInsertFeatureType() {
570 PropertyType[] ftps = new PropertyType[1];
571 ftps[0] = FeatureFactory.createSimplePropertyType( new QualifiedName( "typeName" ), Types.VARCHAR, false );
572
573 return FeatureFactory.createFeatureType( "WFS_Insert", false, ftps );
574 }
575
576 /**
577 * creates a feature type that matches the parameters of a Update operation
578 *
579 * @return created <tt>FeatureType</tt>
580 */
581 private static FeatureType createUpdateFeatureType() {
582 PropertyType[] ftps = new PropertyType[2];
583 ftps[0] = FeatureFactory.createSimplePropertyType( new QualifiedName( "typeName" ), Types.VARCHAR, false );
584
585 return FeatureFactory.createFeatureType( "WFS_Update", false, ftps );
586 }
587
588 /**
589 * creates a feature type that matches the parameters of a Delete operation
590 *
591 * @return created <tt>FeatureType</tt>
592 */
593 private static FeatureType createDeleteFeatureType() {
594 PropertyType[] ftps = new PropertyType[1];
595 ftps[0] = FeatureFactory.createSimplePropertyType( new QualifiedName( "typeName" ), Types.VARCHAR, false );
596
597 return FeatureFactory.createFeatureType( "WFS_Delete", false, ftps );
598 }
599
600 }