Interface AccessPolicy

  • All Known Implementing Classes:
    AccessByCloudCertificate, AccessByCloudWhitelist, AccessByToken, AccessUnrestricted

    public interface AccessPolicy
    An access control policy.

    Implementations of this interface help determine whether or not specific Arrowhead systems attempting to consume certain provided services are authorized to do so or not.

    Access policies of this type are meant to be executed after a consuming system has been verified to have a certificate signed by a trusted issuer.

    • Method Summary

      All Methods Static Methods Instance Methods Abstract Methods 
      Modifier and Type Method Description
      static AccessPolicy cloud()  
      SecurityDescriptor descriptor()  
      boolean isAuthorized​(SystemIdentityDescription consumer, ArSystem provider, ServiceDescription service, java.lang.String token)
      Determines whether or not the described system may consume the described service using the given access token, if any.
      static AccessPolicy token()
      Creates new access policy granting access to consumers with certificate chains sharing the same master certificate as the provider of the service being consumed, as well as being able to present a token from an authorization system that must be resolved at some later point.
      static AccessPolicy token​(java.security.PublicKey authorizationKey)
      Creates new access policy granting access to consumers with certificate chains sharing the same master certificate as the provider of the service being consumed, as well as being able to present a token from the authorization system represented by the given public key.
      static AccessPolicy unrestricted()  
      static AccessPolicy whitelist​(java.lang.String... whitelist)
      Creates new access policy only granting access to consumers from the same local cloud as the provider of the service being consumed, as well as being named in the given white-list.
      static AccessPolicy whitelist​(java.util.Collection<java.lang.String> whitelist)
      Creates new access policy only granting access to consumers originating from the same cloud as the provider of the service being consumed, as well as being named in the white-list.
    • Method Detail

      • isAuthorized

        boolean isAuthorized​(SystemIdentityDescription consumer,
                             ArSystem provider,
                             ServiceDescription service,
                             java.lang.String token)
                      throws AccessTokenException
        Determines whether or not the described system may consume the described service using the given access token, if any.
        Parameters:
        consumer - Description of system attempting to consume the service in question.
        provider - The system providing the consumed service.
        service - Description of service that the consumer attempts to consume.
        token - Access token presented by the consumer, if any.
        Returns:
        true only if consumer is permitted to consume service.
        Throws:
        AccessTokenException
      • cloud

        static AccessPolicy cloud()
        Returns:
        Access policy granting access to all consumers belong to the same local cloud as the provider of the service being consumed.
      • token

        static AccessPolicy token()
        Creates new access policy granting access to consumers with certificate chains sharing the same master certificate as the provider of the service being consumed, as well as being able to present a token from an authorization system that must be resolved at some later point.

        Authorization system resolution could be performed, for example, by a plugin.

        Note that access policy instances of this type can be shared by multiple services.

        Returns:
        New token access policy.
      • token

        static AccessPolicy token​(java.security.PublicKey authorizationKey)
        Creates new access policy granting access to consumers with certificate chains sharing the same master certificate as the provider of the service being consumed, as well as being able to present a token from the authorization system represented by the given public key.

        Note that access policy instances of this type can be shared by multiple services.

        Returns:
        New token access policy.
      • whitelist

        static AccessPolicy whitelist​(java.lang.String... whitelist)
        Creates new access policy only granting access to consumers from the same local cloud as the provider of the service being consumed, as well as being named in the given white-list.

        Note that the white-listed names are not full names. Only the system name parts, as described here.

        Parameters:
        whitelist - Names of systems to be allowed access.
        Returns:
        Created access policy.
      • whitelist

        static AccessPolicy whitelist​(java.util.Collection<java.lang.String> whitelist)
        Creates new access policy only granting access to consumers originating from the same cloud as the provider of the service being consumed, as well as being named in the white-list.

        Note that the white-listed names are not full names. Only the system name parts, as described here.

        Also note that access policy instances of this type can be shared by multiple services.

        Parameters:
        whitelist - Collection of names of systems to be allowed access.
        Returns:
        Created access policy.
      • unrestricted

        static AccessPolicy unrestricted()
        Returns:
        Access policy granting unrestricted access. Use of this access policy is only allowed for systems running in insecure mode.