Finished AccessController

Chris Schmidt · Chris Schmidt · commit 13a38107fbb0 · 2013-11-16T14:27:45.000-07:00
diff --git a/src/main/java/org/owasp/esapi/core/accesscontrol/AccessControlContext.java b/src/main/java/org/owasp/esapi/core/accesscontrol/AccessControlContext.java
@@ -0,0 +1,30 @@
+package org.owasp.esapi.core.accesscontrol;
+
+/**
+ * The AccessControlContext is a marker interface that is passed in to {@link AccessController#isAuthorized(ManagedResource, AccessControlContext)}
+ * and {@link AccessController#assertAuthorized(ManagedResource, AccessControlContext)} methods to provide the context of
+ * an access control check to the {@link AccessController} implementation. Adding context to an access control request
+ * allows the implementation to perform more complex access control decisions.
+ * <p/>
+ * For data level access control this can be something as simple as a object containing the requested function on the
+ * provided data such as:
+ * <pre>
+ * public class ManagedDataOperation implements AccessControlContext {
+ *    public static enum Permission { CREATE, READ, UPDATE, DELETE }
+ *
+ *    private Permission permission;
+ *
+ *    public ManagedDataOperation(Permission permission) {
+ *        this.permission = permission;
+ *    }
+ *
+ *    public Permission getPermission() {
+ *        return this.permission;
+ *    }
+ * }
+ * </pre>
+ * For more complex access control decisions this could contain any number of variables that are used to make an
+ * access control decision.
+ */
+public interface AccessControlContext {
+}
diff --git a/src/main/java/org/owasp/esapi/core/accesscontrol/AccessController.java b/src/main/java/org/owasp/esapi/core/accesscontrol/AccessController.java
@@ -16,7 +16,7 @@
  *
  * <pre>
  * try {
- *     ESAPI.accessController().assertAuthorized("businessFunction", runtimeData);
+ *     ESAPI.accessController().assertAuthorized(new ManagedFunction("adminFunction"), runtimeData);
  *     // execute BUSINESS_FUNCTION
  * } catch (AccessControlException ace) {
  * ... attack in progress
@@ -30,12 +30,22 @@
  * repeated in both the business logic and data layers.
  *
  * <pre>
- * &lt;% if ( ESAPI.accessController().isAuthorized( "businessFunction", runtimeData ) ) { %&gt;
+ * &lt;% if ( ESAPI.accessController().isAuthorized(new ManagedFunction("adminFunction"), runtimeData ) ) { %&gt;
  * &lt;a href=&quot;/doAdminFunction&quot;&gt;ADMIN&lt;/a&gt;
  * &lt;% } else { %&gt;
  * &lt;a href=&quot;/doNormalFunction&quot;&gt;NORMAL&lt;/a&gt;
  * &lt;% } %&gt;
  * </pre>
+ * <p/>
+ * You can also perform access control checks directly on data resources if implemented.
+ * <pre>
+ * %&lt; if ( accessController.isAuthorized(userRecord, new ManagedResourceContext( Permissions.EDIT ) ) ) { %&gt;
+ * &lt;a href=&quot;/editUserRecord?userRecord=%&lt;= userRecord.getResourceIdentifier() %&gt;&quot;&gt;Edit&lt;/a&gt;
+ * %&lt; } %&gt;
+ * </pre>
+ * <i>Note: The above example assumes that the resource identifier is a non-direct access to the resource in question.
+ * For more information on Direct Object References see <a href="https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References">A4 - Insecure Direct Object References</a>
+ * from the OWASP Top-Ten</i>
  *
  * @author Mike H. Fauzy (mike.fauzy@aspectsecurity.com) ESAPI v1.6-
  * @author Jeff Williams (jeff.williams@aspectsecurity.com) ESAPI v0-1.5
@@ -51,11 +61,13 @@ public interface AccessController {
      * Typically, assertAuthorized should be used to enforce permissions on the
      * server.
      *
-     * @param key
-     * @param runtimeParameter
+     * @param resource The resource that is being accessed.
+     * @param context The runtime context of the request
+     * @param <T> Implementation type of {@link ManagedResource}
+     * @param <R> Implementation type of {@link AccessControlContext}
      * @return
      */
-    public boolean isAuthorized(Object key, Object runtimeParameter);
+    public <T extends ManagedResource,R extends AccessControlContext> boolean isAuthorized(T resource, R context);
 
     /**
      * Developers should call {@code assertAuthorized} to enforce privileged access to
@@ -64,9 +76,12 @@ public interface AccessController {
      * be integrated into the application framework so that it is called
      * automatically.
      *
-     * @param key
-     * @param runtimeParameter
+     * @param resource The resource that is being accessed
+     * @param context The runtime context of the request
+     * @param <T> Implementation type of {@link ManagedResource}
+     * @param <R> Implementation type of {@link AccessControlContext}
+     * @throws AccessControlException if access is denied
      */
-    public void assertAuthorized(Object key, Object runtimeParameter) throws AccessControlException;
+    public <T extends ManagedResource,R extends AccessControlContext> void assertAuthorized(T resource, R context) throws AccessControlException;
 
 }
diff --git a/src/main/java/org/owasp/esapi/core/accesscontrol/ManagedResource.java b/src/main/java/org/owasp/esapi/core/accesscontrol/ManagedResource.java
@@ -0,0 +1,10 @@
+package org.owasp.esapi.core.accesscontrol;
+
+import java.io.Serializable;
+
+/**
+ *
+ */
+public interface ManagedResource<T extends Serializable> {
+    T getResourceIdentifier();
+}
diff --git a/src/main/java/org/owasp/esapi/core/authentication/Authentication.java b/src/main/java/org/owasp/esapi/core/authentication/Authentication.java
@@ -0,0 +1,20 @@
+package org.owasp.esapi.core.authentication;
+
+import java.io.Serializable;
+import java.security.Principal;
+
+/**
+ * Authentication represents the Authentication Context for the current request. It is meant to serve as an abstraction
+ * layer between the authentication mechanism and the application. If the request has not been authenticated yet, this
+ * interface will represent the credentials for the {@link Authenticator} to use for authenticating identity. If the
+ * request has already been authenticated, this interface will represent the authenticated context providing a bridge
+ * between the authentication mechanism and the {@link User} representation for the application.
+ *
+ * @param <CT>  The type for the implmentation of {@link Credential}
+ * @param <PT>  The type for the implemenation of the {@link Principal}
+ */
+public interface Authentication<CT extends Credential, PT extends Serializable> extends Principal {
+    <T extends User> T getUser();
+    CT getCredential();
+    PT getPrincipal();
+}
diff --git a/src/main/java/org/owasp/esapi/core/authentication/Authenticator.java b/src/main/java/org/owasp/esapi/core/authentication/Authenticator.java
@@ -0,0 +1,18 @@
+package org.owasp.esapi.core.authentication;
+
+/**
+ * The Authenticator interface defines a set of methods for generating and
+ * handling account credentials and session identifiers. The goal of this
+ * interface is to encourage developers to protect credentials from disclosure
+ * to the maximum extent possible.
+ * <P>
+ * The goal is to minimize the responsibility of the developer for
+ * authentication.
+ *
+ * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a>
+ * @author Chris Schmidt (chris.schmidt@contrastsecurity.com)
+ * @since June 1, 2007
+ */
+public interface Authenticator {
+
+}
diff --git a/src/main/java/org/owasp/esapi/core/authentication/Credential.java b/src/main/java/org/owasp/esapi/core/authentication/Credential.java
@@ -0,0 +1,4 @@
+package org.owasp.esapi.core.authentication;
+
+public interface Credential {
+}
diff --git a/src/main/java/org/owasp/esapi/core/authentication/User.java b/src/main/java/org/owasp/esapi/core/authentication/User.java
@@ -0,0 +1,18 @@
+package org.owasp.esapi.core.authentication;
+
+import java.io.Serializable;
+import java.util.Date;
+
+public interface User extends Serializable {
+    boolean isEnabled();
+    Date getExpiration();
+
+    // Failed Login Information
+    int getFailedLoginCount();
+    Date getLastFailedLoginDate();
+    String getLastFailedLoginHost();
+
+    // Successful Login Information
+    Date getLastLoginDate();
+    String getLastLoginHost();
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +package org.owasp.esapi.core.authentication;
++
 +public interface Credential {
 +}