/************************************************************************* * * * EJBCA: The OpenSource Certificate Authority * * * * This software is free software; you can redistribute it and/or * * modify it under the terms of the GNU Lesser General Public * * License as published by the Free Software Foundation; either * * version 2.1 of the License, or any later version. * * * * See terms of license at gnu.org. * * * *************************************************************************/ package se.anatom.ejbca.authorization;import java.security.cert.X509Certificate;import java.sql.Connection;import java.sql.PreparedStatement;import java.sql.ResultSet;import java.sql.SQLException;import java.util.ArrayList;import java.util.Collection;import java.util.Date;import java.util.HashSet;import java.util.Iterator;import java.util.Random;import javax.ejb.CreateException;import javax.ejb.EJBException;import javax.ejb.FinderException;import javax.naming.NamingException;import javax.sql.DataSource;import se.anatom.ejbca.BaseSessionBean;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocal;import se.anatom.ejbca.ca.caadmin.ICAAdminSessionLocalHome;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocal;import se.anatom.ejbca.ca.store.ICertificateStoreSessionLocalHome;import se.anatom.ejbca.log.Admin;import se.anatom.ejbca.log.ILogSessionLocal;import se.anatom.ejbca.log.ILogSessionLocalHome;import se.anatom.ejbca.log.LogEntry;import se.anatom.ejbca.ra.raadmin.IRaAdminSessionLocal;import se.anatom.ejbca.ra.raadmin.IRaAdminSessionLocalHome;/** * Stores data used by web server clients. * Uses JNDI name for datasource as defined in env 'Datasource' in ejb-jar.xml. 
 *
 * @version $Id: LocalAuthorizationSessionBean.java,v 1.9 2004/05/10 04:36:32 herrvendil Exp $
 */
public class LocalAuthorizationSessionBean extends BaseSessionBean {

    /** JNDI name of the datasource, read from env entry 'DataSource' in ejbCreate() and used by getConnection(). */
    private String dataSource = "";

    /** The home interface of AdminGroupData entity bean (looked up in ejbCreate()). */
    private AdminGroupDataLocalHome admingrouphome = null;

    /** The home interface of AuthorizationTreeUpdateData entity bean (looked up in ejbCreate()). */
    private AuthorizationTreeUpdateDataLocalHome authorizationtreeupdatehome = null;

    /** Help variable used to check that the cached authorization tree is up to date; starts at -1. */
    private int authorizationtreeupdate = -1;

    /** Help variable used to control that the tree update isn't performed too often; starts at -1. */
    private long lastupdatetime = -1;

    /** The local interface of log session bean; created lazily by getLogSession(). */
    private ILogSessionLocal logsession = null;

    /** The local interface of raadmin session bean; created lazily by getRaAdminSession(). */
    private IRaAdminSessionLocal raadminsession = null;

    /** The local interface of ca admin session bean; created lazily by getCAAdminSession(). */
    private ICAAdminSessionLocal caadminsession = null;

    /** The local interface of certificate store session bean; created lazily by getCertificateStoreSession(). */
    private ICertificateStoreSessionLocal certificatestoresession = null;

    /**
     * In-memory authorization engine, built in ejbCreate() from all stored admin groups and
     * consulted by isAuthorized(). NOTE(review): presumably a per-instance cache that only sees
     * group/rule changes after updateAuthorizationTree() has re-read them - confirm.
     */
    private Authorizer authorizer = null;

    /** Custom access rules from env entry 'CustomAvailableAccessRules', split on ';' in ejbCreate(). */
    private String[] customaccessrules = null;

    /** Name of the internal group (CA id INTERNALCAID) that holds the command-line and internal-user admins. */
    private static final String DEFAULTGROUPNAME = "DEFAULT";

    /** Name of the per-CA group that gives the anonymous public-web principal its rights. */
    private static final String PUBLICWEBGROUPNAME = "Public Web Users";

    /**
     * Default create for SessionBean without any creation Arguments.
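 * @throws CreateException if a required JNDI environment entry or EJB home cannot be looked up
     * @throws EJBException if the in-memory Authorizer cannot be built from the stored admin groups
     */
    public void ejbCreate() throws CreateException {
        debug(">ejbCreate()");
        try {
            dataSource = (String) lookup("java:comp/env/DataSource", String.class);
            debug("DataSource=" + dataSource);
            admingrouphome = (AdminGroupDataLocalHome) lookup("java:comp/env/ejb/AdminGroupDataLocal");
            authorizationtreeupdatehome = (AuthorizationTreeUpdateDataLocalHome) lookup("java:comp/env/ejb/AuthorizationTreeUpdateDataLocal");
            // The env entry is a ';'-separated list of extra access rule names.
            customaccessrules = ((String) lookup("java:comp/env/CustomAvailableAccessRules", String.class)).split(";");
        } catch (Exception e) {
            // CreateException has no cause constructor at this API level; attach the root cause
            // instead of flattening it to a message so deployment failures stay diagnosable.
            CreateException ce = new CreateException(e.getMessage());
            ce.initCause(e);
            throw ce;
        }
        try {
            // The authorizer is primed with every admin group, read as the internal user.
            Admin internal = new Admin(Admin.TYPE_INTERNALUSER);
            authorizer = new Authorizer(getAdminGroups(internal), admingrouphome, getLogSession(),
                    getCertificateStoreSession(), getRaAdminSession(), getCAAdminSession(),
                    new Admin(Admin.TYPE_INTERNALUSER), LogEntry.MODULE_AUTHORIZATION);
        } catch (Exception e) {
            throw new EJBException(e);
        }
        debug("<ejbCreate()");
    }

    /**
     * Gets a JDBC connection to the datasource used for manual SQL searches.
     * The datasource is resolved by the JNDI name read from env entry 'DataSource' in ejbCreate().
     * The caller owns the returned Connection and must close it.
     *
     * @return a fresh Connection from the datasource
     * @throws SQLException if the datasource cannot hand out a connection
     * @throws NamingException if the datasource cannot be found in JNDI
     */
    private Connection getConnection() throws SQLException, NamingException {
        DataSource ds = (DataSource) getInitialContext().lookup(dataSource);
        return ds.getConnection();
    } // getConnection

    /**
     * Gets the log session bean, looking it up and creating it on first use.
     *
     * @return the cached ILogSessionLocal
     * @throws EJBException if the lookup or create fails
     */
    private ILogSessionLocal getLogSession() {
        if (logsession == null) {
            try {
                ILogSessionLocalHome home = (ILogSessionLocalHome) lookup("java:comp/env/ejb/LogSessionLocal", ILogSessionLocalHome.class);
                logsession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return logsession;
    } // getLogSession

    /**
     * Gets the RA admin session bean, looking it up and creating it on first use.
     *
     * @return the cached IRaAdminSessionLocal
     * @throws EJBException if the lookup or create fails
     */
    private IRaAdminSessionLocal getRaAdminSession() {
        if (raadminsession == null) {
            try {
                IRaAdminSessionLocalHome home = (IRaAdminSessionLocalHome) lookup("java:comp/env/ejb/RaAdminSessionLocal", IRaAdminSessionLocalHome.class);
                raadminsession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return raadminsession;
    } // getRaAdminSession

    /**
     * Gets the certificate store session bean, looking it up and creating it on first use.
     *
     * @return the cached ICertificateStoreSessionLocal
     * @throws EJBException if the lookup or create fails
     */
    private ICertificateStoreSessionLocal getCertificateStoreSession() {
        if (certificatestoresession == null) {
            try {
                ICertificateStoreSessionLocalHome home = (ICertificateStoreSessionLocalHome) lookup("java:comp/env/ejb/CertificateStoreSessionLocal", ICertificateStoreSessionLocalHome.class);
                certificatestoresession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return certificatestoresession;
    } // getCertificateStoreSession

    /**
     * Gets the CA admin session bean, looking it up and creating it on first use.
     *
     * @return the cached ICAAdminSessionLocal
     * @throws EJBException if the lookup or create fails
     */
    private ICAAdminSessionLocal getCAAdminSession() {
        if (caadminsession == null) {
            try {
                ICAAdminSessionLocalHome home = (ICAAdminSessionLocalHome) lookup("java:comp/env/ejb/CAAdminSessionLocal", ICAAdminSessionLocalHome.class);
                caadminsession = home.create();
            } catch (Exception e) {
                throw new EJBException(e);
            }
        }
        return caadminsession;
    } // getCAAdminSession

    // Methods used with AdminGroupData Entity Beans

    /**
     * Method to initialize authorization bean, must be called directly after creation of bean.
     * Should only be called once.
     *
     * Performs three bootstrap steps, each best-effort like the original code:
     *  1. if no admin groups exist at all, create the "Temporary Super Administrator Group" bound to caid;
     *  2. make sure the internal DEFAULT group (command-line and internal-user admins) exists;
     *  3. drop and re-create the "Public Web Users" group for caid with its fixed rule set.
     *
     * @param admin the administrator performing the call, passed to the add/remove helpers
     * @param caid id of the CA whose certificates identify the bootstrap super administrator and
     *             that the public-web group is bound to
     * @throws AdminGroupExistsException propagated from addAdminGroup() in step 1
     */
    public void initialize(Admin admin, int caid) throws AdminGroupExistsException {
        createTemporarySuperAdminGroupIfEmpty(admin, caid);
        ensureDefaultAdminGroup();
        recreatePublicWebGroup(admin, caid);
    }

    /**
     * Step 1 of initialize(): when the AdminGroupData table is empty, create a bootstrap group
     * whose only member entity is a certificate from caid with CN "SuperAdmin" (the constants
     * WITH_COMMONNAME / TYPE_EQUALCASEINS indicate a case-insensitive CN match) and grant it
     * /super_administrator.
     *
     * SECURITY NOTE(review): this is trust-on-first-setup. Until operators replace this group,
     * any certificate issued by that CA with CN=SuperAdmin is a super administrator.
     */
    private void createTemporarySuperAdminGroupIfEmpty(Admin admin, int caid) throws AdminGroupExistsException {
        try {
            Collection existing = admingrouphome.findAll();
            if (existing.size() == 0) {
                // Authorization table is empty, fill with the bootstrap super administrator group.
                String groupname = "Temporary Super Administrator Group";
                addAdminGroup(admin, groupname, caid);
                ArrayList entities = new ArrayList();
                entities.add(new AdminEntity(AdminEntity.WITH_COMMONNAME, AdminEntity.TYPE_EQUALCASEINS, "SuperAdmin", caid));
                addAdminEntities(admin, groupname, caid, entities);
                ArrayList rules = new ArrayList();
                rules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false));
                addAccessRules(admin, groupname, caid, rules);
            }
        } catch (FinderException e) {
            // Previously swallowed silently; stay best-effort but leave a trace of the failure.
            debug("initialize: finder failed while bootstrapping the super administrator group: " + e.getMessage());
        }
    }

    /**
     * Step 2 of initialize(): create the DEFAULT group under INTERNALCAID if it does not exist.
     * Its members are the special command-line and internal-user admin entities, and it gets
     * recursive accept on every functional subtree plus /super_administrator.
     * Created directly through the entity home (not addAdminGroup()), as in the original code.
     */
    private void ensureDefaultAdminGroup() {
        try {
            admingrouphome.findByGroupNameAndCAId(DEFAULTGROUPNAME, ILogSessionLocal.INTERNALCAID);
            return; // already present
        } catch (FinderException e) {
            // not found: fall through and create it
        }
        try {
            AdminGroupDataLocal group = admingrouphome.create(new Integer(findFreeAdminGroupId()), DEFAULTGROUPNAME, ILogSessionLocal.INTERNALCAID);
            ArrayList entities = new ArrayList();
            entities.add(new AdminEntity(AdminEntity.SPECIALADMIN_BATCHCOMMANDLINEADMIN));
            entities.add(new AdminEntity(AdminEntity.SPECIALADMIN_CACOMMANDLINEADMIN));
            entities.add(new AdminEntity(AdminEntity.SPECIALADMIN_RACOMMANDLINEADMIN));
            entities.add(new AdminEntity(AdminEntity.SPECIALADMIN_INTERNALUSER));
            group.addAdminEntities(entities);
            ArrayList rules = new ArrayList();
            rules.add(new AccessRule("/administrator", AccessRule.RULE_ACCEPT, true));
            rules.add(new AccessRule("/super_administrator", AccessRule.RULE_ACCEPT, false));
            rules.add(new AccessRule("/ca_functionality", AccessRule.RULE_ACCEPT, true));
            rules.add(new AccessRule("/ra_functionality", AccessRule.RULE_ACCEPT, true));
            rules.add(new AccessRule("/log_functionality", AccessRule.RULE_ACCEPT, true));
            rules.add(new AccessRule("/system_functionality", AccessRule.RULE_ACCEPT, true));
            rules.add(new AccessRule("/hardtoken_functionality", AccessRule.RULE_ACCEPT, true));
            rules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true));
            rules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true));
            group.addAccessRules(rules);
            signalForAuthorizationTreeUpdate();
        } catch (CreateException ce) {
            // Previously swallowed silently. A missing DEFAULT group leaves the command-line and
            // internal admins without rights, so at least record why creation failed.
            debug("initialize: could not create admin group '" + DEFAULTGROUPNAME + "': " + ce.getMessage());
        }
    }

    /**
     * Step 3 of initialize(): remove any existing "Public Web Users" group for caid and create it
     * again with the fixed rule set below, so the stored rules always match this code.
     *
     * SECURITY NOTE(review): the anonymous public-web principal (SPECIALADMIN_PUBLICWEBUSER) is
     * authorized here to create and store certificates, recursively for every CA (/ca) and every
     * end entity profile (/endentityprofilesrules). Enrollment must therefore be gated elsewhere
     * (presumably per end entity) - this layer alone does not restrict it.
     */
    private void recreatePublicWebGroup(Admin admin, int caid) {
        try {
            admingrouphome.findByGroupNameAndCAId(PUBLICWEBGROUPNAME, caid);
            this.removeAdminGroup(admin, PUBLICWEBGROUPNAME, caid);
        } catch (FinderException e) {
            // not present, nothing to remove
        }
        try {
            admingrouphome.findByGroupNameAndCAId(PUBLICWEBGROUPNAME, caid);
            return; // still present after the removal attempt; leave it, as the original code did
        } catch (FinderException e) {
            // expected: proceed to create
        }
        try {
            AdminGroupDataLocal group = admingrouphome.create(new Integer(findFreeAdminGroupId()), PUBLICWEBGROUPNAME, caid);
            ArrayList entities = new ArrayList();
            entities.add(new AdminEntity(AdminEntity.SPECIALADMIN_PUBLICWEBUSER));
            group.addAdminEntities(entities);
            ArrayList rules = new ArrayList();
            rules.add(new AccessRule("/public_web_user", AccessRule.RULE_ACCEPT, false));
            rules.add(new AccessRule("/ca_functionality/basic_functions", AccessRule.RULE_ACCEPT, false));
            rules.add(new AccessRule("/ca_functionality/view_certificate", AccessRule.RULE_ACCEPT, false));
            rules.add(new AccessRule("/ca_functionality/create_certificate", AccessRule.RULE_ACCEPT, false));
            rules.add(new AccessRule("/ca_functionality/store_certificate", AccessRule.RULE_ACCEPT, false));
            rules.add(new AccessRule("/ra_functionality/view_end_entity", AccessRule.RULE_ACCEPT, false));
            rules.add(new AccessRule("/ca", AccessRule.RULE_ACCEPT, true));
            rules.add(new AccessRule("/endentityprofilesrules", AccessRule.RULE_ACCEPT, true));
            group.addAccessRules(rules);
            signalForAuthorizationTreeUpdate();
        } catch (CreateException ce) {
            // Previously swallowed silently; after the removal above this leaves public-web users
            // with no group at all, so record the cause.
            debug("initialize: could not create admin group '" + PUBLICWEBGROUPNAME + "': " + ce.getMessage());
        }
    }

    /**
     * Method to check if a user is authorized to a certain resource.
     *
     * @param admin the administrator about to be authorized, see se.anatom.ejbca.log.Admin class.
     * @param resource the resource to check authorization for.
     * @return true when access is granted; a denial may instead surface as the declared exception (see Authorizer)
     * @throws AuthorizationDeniedException propagated from Authorizer.isAuthorized()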
 */
    public boolean isAuthorized(Admin admin, String resource) throws AuthorizationDeniedException {
        // Bring the cached tree up to date before deciding, so rule and group changes signalled
        // through this bean are honoured. The lastupdatetime field suggests updateNeccessary()
        // rate-limits this, so a very recent change may not be reflected yet.
        boolean treeIsStale = updateNeccessary();
        if (treeIsStale) {
            updateAuthorizationTree(admin);
        }
        return authorizer.isAuthorized(admin, resource);
    }

    /**
     * Method to check if a user is authorized to a certain resource without performing any logging.
     *
     * @param admin the administrator about to be authorized, see se.anatom.ejbca.log.Admin class.
     * @param resource the resource to check authorization for.
     */
    public boolean isAuthorizedNoLog(Admin admin, String resource) throws AuthorizationDeniedException{