/*************************************************************************
 *                                                                       *
 *  EJBCA: The OpenSource Certificate Authority                          *
 *                                                                       *
 *  This software is free software; you can redistribute it and/or       *
 *  modify it under the terms of the GNU Lesser General Public           *
 *  License as published by the Free Software Foundation; either         *
 *  version 2.1 of the License, or any later version.                    *
 *                                                                       *
 *  See terms of license at gnu.org.                                     *
 *                                                                       *
 *************************************************************************/
package se.anatom.ejbca.authorization;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;

/**
 * Helper class used when displaying and configuring basic access rules.
 *
 * <p>Takes the advanced access rules of an administrator group and tries to express them
 * as one of the BasicAccessRuleSet ROLE_ constants. The role checks are exact: a rule set
 * that contains any rule outside the allowed/required set for a role does not match that
 * role, and if no role matches {@link #getForceAdvanced()} becomes true so the caller has
 * to fall back to the advanced rule editor instead of showing a role the rules do not
 * actually correspond to.
 *
 * @author herrvendil
 * @version $Id: BasicAccessRuleSetEncoder.java,v 1.5 2004/04/16 07:38:57 anatom Exp $
 */
public class BasicAccessRuleSetEncoder implements java.io.Serializable {

    // True once the rules turned out not to be expressible as a basic role.
    private boolean forceadvanced = false;
    // One of the BasicAccessRuleSet.ROLE_ constants.
    private int currentrole = BasicAccessRuleSet.ROLE_NONE;
    // Integer-wrapped BasicAccessRuleSet.ROLE_ constants the administrator may pick from.
    private Collection availableroles = new ArrayList();
    // The fields below are presumably filled by initCurrentRules / initAvailableRules,
    // which are defined further down in this file (only called from here).
    private HashSet currentcas = new HashSet();
    private HashSet availablecas = new HashSet();
    private HashSet currentendentityrules = new HashSet();
    private ArrayList availableendentityrules = new ArrayList();
    private HashSet currentendentityprofiles = new HashSet();
    private HashSet availableendentityprofiles = new HashSet();
    private HashSet currentotherrules = new HashSet();
    private ArrayList availableotherrules = new ArrayList();

    /**
     * Tries to encode an advanced rule set into a basic one.
     * Sets the forceadvanced flag if encoding isn't possible.
     *
     * @param currentaccessrules   AccessRule objects currently assigned to the administrator group
     * @param availableaccessrules rule names (presumably Strings, like AccessRule.getAccessRule())
     *                             the administrator is allowed to assign
     * @param usehardtokens        handed on to initAvailableRules (defined further down in this file)
     * @param usekeyrecovery       handed on to initAvailableRules (defined further down in this file)
     */
    public BasicAccessRuleSetEncoder(Collection currentaccessrules, Collection availableaccessrules,
                                     boolean usehardtokens, boolean usekeyrecovery) {
        // Union of the assignable rule names and the names of the rules already assigned.
        HashSet allrulenames = new HashSet(availableaccessrules);
        for (Iterator it = currentaccessrules.iterator(); it.hasNext();) {
            allrulenames.add(((AccessRule) it.next()).getAccessRule());
        }
        initAvailableRoles(allrulenames);
        initAvailableRules(usehardtokens, usekeyrecovery, allrulenames);
        initCurrentRole(currentaccessrules);
        initCurrentRules(currentaccessrules);
    }

    /**
     * @return true if basic configuration of access rules isn't possible.
     */
    public boolean getForceAdvanced() {
        return forceadvanced;
    }

    /**
     * Returns the current role of the administrator group.
     *
     * @return one of the BasicAccessRuleSet ROLE_ constants
     */
    public int getCurrentRole() {
        return currentrole;
    }

    /**
     * Returns the basic roles the administrator is authorized to configure.
     *
     * @return a Collection of BasicAccessRuleSet ROLE_ constants (Integer)
     */
    public Collection getAvailableRoles() {
        return availableroles;
    }

    /**
     * @return a Collection of CA ids the administrator group is authorized to,
     *         or BasicAccessRuleSet.CA_ALL for all CAs.
     */
    public HashSet getCurrentCAs() {
        return currentcas;
    }

    /**
     * @return a Collection of available CA ids or BasicAccessRuleSet.CA_ALL for all CAs.
     */
    public Collection getAvailableCAs() {
        return availablecas;
    }

    /**
     * @return a Collection of end entity rules the administrator group is authorized to,
     *         BasicAccessRuleSet.ENDENTITY_ constants (Integer).
     */
    public HashSet getCurrentEndEntityRules() {
        return currentendentityrules;
    }

    /**
     * @return a Collection of available end entity rules, BasicAccessRuleSet.ENDENTITY_ constants (Integer).
     */
    public Collection getAvailableEndEntityRules() {
        return availableendentityrules;
    }

    /**
     * @return a Collection of authorized end entity profile ids,
     *         or BasicAccessRuleSet.ENDENTITYPROFILE_ALL for all.
     */
    public HashSet getCurrentEndEntityProfiles() {
        return currentendentityprofiles;
    }

    /**
     * @return a Collection of available end entity profile ids,
     *         or BasicAccessRuleSet.ENDENTITYPROFILE_ALL for all end entity profiles.
     */
    public Collection getAvailableEndEntityProfiles() {
        return availableendentityprofiles;
    }

    /**
     * @return a Collection of authorized other rules (Integer).
     */
    public HashSet getCurrentOtherRules() {
        return currentotherrules;
    }

    /**
     * @return a Collection of available other rules (Integer).
     */
    public Collection getAvailableOtherRules() {
        return availableotherrules;
    }

    /**
     * Fills availableroles. The none/CA/RA/supervisor roles are always offered; the
     * superadministrator role only when the rule set contains ROLE_SUPERADMINISTRATOR,
     * i.e. an administrator cannot hand out a role above its own.
     *
     * @param availableruleset rule names the administrator may assign
     */
    private void initAvailableRoles(HashSet availableruleset) {
        int[] alwaysoffered = {
            BasicAccessRuleSet.ROLE_NONE,
            BasicAccessRuleSet.ROLE_CAADMINISTRATOR,
            BasicAccessRuleSet.ROLE_RAADMINISTRATOR,
            BasicAccessRuleSet.ROLE_SUPERVISOR
        };
        for (int i = 0; i < alwaysoffered.length; i++) {
            availableroles.add(new Integer(alwaysoffered[i]));
        }
        if (availableruleset.contains(AvailableAccessRules.ROLE_SUPERADMINISTRATOR)) {
            availableroles.add(new Integer(BasicAccessRuleSet.ROLE_SUPERADMINISTRATOR));
        }
    }

    /**
     * Derives currentrole from the assigned rules, trying the most privileged role first.
     * A non-empty rule set that matches none of the roles sets forceadvanced.
     *
     * @param currentaccessrules AccessRule objects assigned to the group
     */
    private void initCurrentRole(Collection currentaccessrules) {
        if (currentaccessrules.isEmpty()) {
            this.currentrole = BasicAccessRuleSet.ROLE_NONE;
        } else if (isSuperAdministrator(currentaccessrules)) {
            this.currentrole = BasicAccessRuleSet.ROLE_SUPERADMINISTRATOR;
        } else if (isCAAdministrator(currentaccessrules)) {
            this.currentrole = BasicAccessRuleSet.ROLE_CAADMINISTRATOR;
        } else if (isRAAdministrator(currentaccessrules)) {
            this.currentrole = BasicAccessRuleSet.ROLE_RAADMINISTRATOR;
        } else if (isSupervisor(currentaccessrules)) {
            this.currentrole = BasicAccessRuleSet.ROLE_SUPERVISOR;
        } else {
            // Nothing basic fits; only the advanced editor can show these rules faithfully.
            this.forceadvanced = true;
        }
    }

    /**
     * A superadministrator is exactly one rule: a non-recursive accept of ROLE_SUPERADMINISTRATOR.
     *
     * @param currentaccessrules AccessRule objects assigned to the group
     * @return true if the rules are exactly the superadministrator rule
     */
    private boolean isSuperAdministrator(Collection currentaccessrules) {
        if (currentaccessrules.size() != 1) {
            return false;
        }
        AccessRule only = (AccessRule) currentaccessrules.iterator().next();
        return only.getAccessRule().equals(AvailableAccessRules.ROLE_SUPERADMINISTRATOR)
                && only.getRule() == AccessRule.RULE_ACCEPT
                && !only.isRecursive();
    }

    /**
     * A CA administrator has all eight required accept rules below (five recursive, three
     * non-recursive) and otherwise only rules accepted by isAllowedCAAdministratorRule.
     * Any other rule, a duplicate of a required rule, or a missing required rule disqualifies.
     * Note that the hard token rules are required here even when hard tokens are not in use
     * (usehardtokens is not consulted by this method).
     *
     * @param currentaccessrules AccessRule objects assigned to the group
     * @return true if the rules encode the CA administrator role
     */
    private boolean isCAAdministrator(Collection currentaccessrules) {
        // Cheap early exit only; the exact check is the set bookkeeping below.
        if (currentaccessrules.size() < 7) {
            return false;
        }
        HashSet pendingrecursive = new HashSet();
        pendingrecursive.add(AvailableAccessRules.REGULAR_CAFUNCTIONALTY);
        pendingrecursive.add(AvailableAccessRules.REGULAR_LOGFUNCTIONALITY);
        pendingrecursive.add(AvailableAccessRules.REGULAR_RAFUNCTIONALITY);
        pendingrecursive.add(AvailableAccessRules.REGULAR_SYSTEMFUNCTIONALITY);
        pendingrecursive.add(AvailableAccessRules.ENDENTITYPROFILEBASE);

        HashSet pendingnonrecursive = new HashSet();
        pendingnonrecursive.add(AvailableAccessRules.ROLE_ADMINISTRATOR);
        pendingnonrecursive.add(AvailableAccessRules.HARDTOKEN_EDITHARDTOKENISSUERS);
        pendingnonrecursive.add(AvailableAccessRules.HARDTOKEN_EDITHARDTOKENPROFILES);

        for (Iterator it = currentaccessrules.iterator(); it.hasNext();) {
            AccessRule ar = (AccessRule) it.next();
            if (isAllowedCAAdministratorRule(ar)) {
                continue;
            }
            if (ar.getRule() != AccessRule.RULE_ACCEPT) {
                return false;
            }
            HashSet pending = ar.isRecursive() ? pendingrecursive : pendingnonrecursive;
            // remove() is false both for a rule that is not required and for a second
            // occurrence of one already seen; either way the set is not a plain CA administrator.
            if (!pending.remove(ar.getAccessRule())) {
                return false;
            }
        }
        return pendingrecursive.isEmpty() && pendingnonrecursive.isEmpty();
    }

    /**
     * Optional rules a CA administrator may carry in addition to the required ones:
     * a recursive accept of CABASE, a non-recursive accept of any CAPREFIX rule, or an
     * accept (recursive or not) of any HARDTOKEN_ISSUEHARDTOKENS rule.
     *
     * @param ar the rule to classify
     * @return true if the rule is optional for a CA administrator
     */
    private boolean isAllowedCAAdministratorRule(AccessRule ar) {
        if (ar.getRule() != AccessRule.RULE_ACCEPT) {
            return false;
        }
        String rulename = ar.getAccessRule();
        if (rulename.equals(AvailableAccessRules.CABASE) && ar.isRecursive()) {
            return true;
        }
        if (rulename.startsWith(AvailableAccessRules.CAPREFIX) && !ar.isRecursive()) {
            return true;
        }
        return rulename.startsWith(AvailableAccessRules.HARDTOKEN_ISSUEHARDTOKENS);
    }

    /**
     * An RA administrator has the four required non-recursive accept rules below and
     * otherwise only rules accepted by isAllowedRAAdministratorRule. Any other rule, a
     * duplicate of a required rule, or a missing required rule disqualifies.
     *
     * @param currentaccessrules AccessRule objects assigned to the group
     * @return true if the rules encode the RA administrator role
     */
    private boolean isRAAdministrator(Collection currentaccessrules) {
        if (currentaccessrules.size() < 4) {
            return false;
        }
        HashSet pendingnonrecursive = new HashSet();
        pendingnonrecursive.add(AvailableAccessRules.ROLE_ADMINISTRATOR);
        pendingnonrecursive.add(AvailableAccessRules.REGULAR_CREATECERTIFICATE);
        pendingnonrecursive.add(AvailableAccessRules.REGULAR_STORECERTIFICATE);
        pendingnonrecursive.add(AvailableAccessRules.REGULAR_VIEWCERTIFICATE);

        for (Iterator it = currentaccessrules.iterator(); it.hasNext();) {
            AccessRule ar = (AccessRule) it.next();
            if (isAllowedRAAdministratorRule(ar)) {
                continue;
            }
            boolean plainaccept = ar.getRule() == AccessRule.RULE_ACCEPT && !ar.isRecursive();
            if (!plainaccept || !pendingnonrecursive.remove(ar.getAccessRule())) {
                return false;
            }
        }
        return pendingnonrecursive.isEmpty();
    }

    private boolean isAllowedRAAdministratorRule(AccessRule ar){