org.glite.voms

Class VOMSValidator

java.lang.Object

org.glite.voms.VOMSValidator

public class VOMSValidator
extends Object

The main (top) class to use for extracting VOMS information from a certificate and/or certificate chain. The VOMS information can simply be parsed or validated. No validation is performed on the certificate chain -- that is assumed to already have happened.
The certificate chain is assumed to already be validated. It is also assumed to be sorted in TLS order, that is certificate issued by trust anchor first and client certificate last.
Example of use: this will validate any VOMS attributes in the certificate chain and check if any of the attributes grants the user the "admin" role in the group (VO) "MyVO".

 boolean isAdmin = new VOMSValidator(certChain).validate().getRoles("MyVO").contains("admin");
 

Author:

mulmo, Vincenzo Ciaschini

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
class	VOMSValidator.FQANTree Class to sort out the hierarchial properties of FQANs.

Field Summary

Fields

Modifier and Type	Field and Description
protected static ACValidator	DEFAULT_VALIDATOR
protected boolean	isParsed
protected boolean	isValidated
protected VOMSValidator.FQANTree	myFQANTree
protected X509Certificate[]	myValidatedChain
protected ACValidator	myValidator
protected Vector	myVomsAttributes
protected static ACTrustStore	theTrustStore
static String	VOMS_EXT_OID
protected static VOMSTrustStore	vomsStore

Constructor Summary

Constructors

Constructor and Description
VOMSValidator(X509Certificate validatedCert) Convenience constructor in the case where you have a single cert and not a chain.
VOMSValidator(X509Certificate[] validatedChain) Convenience constructor Same as VOMSValidator(validatedChain, null)
VOMSValidator(X509Certificate[] validatedChain, ACValidator acValidator) If validatedChain is null, a call to setValidatedChain() MUST be made before calling parse() or validate().

Method Summary

Methods

Modifier and Type	Method and Description
void	cleanup() Cleans up the object.
String[]	getAllFullyQualifiedAttributes() Returns a collection of all the FQANs in all the ACs found in the credential, in order.
List	getCapabilities(String subGroup) Deprecated. Capabilities are deprecated.
List	getRoles(String subGroup) Returns a list of all roles attributed to a (sub)group, by combining all VOMS attributes in a hiearchial fashion.
List	getVOMSAttributes() Returns a list of VOMS attributes, parsed and possibly validated.
boolean	isValid()
boolean	isValidated()
VOMSValidator	parse() Deprecated. use the parse(X509Certificate[]) instead
static Vector	parse(X509Certificate[] myValidatedChain) Parses the assumed-validated certificate chain (which may also include proxy certs) for any occurances of VOMS extensions containing attribute certificates issued to the end entity in the certificate chain.
VOMSValidator	setClientChain(X509Certificate[] validatedChain) Convenience method: enables you to reuse a VOMSValidator instance for another client chain, thus avoiding overhead in instantiating validators and trust stores and other potentially expensive operations.
static void	setTrustStore(ACTrustStore trustStore) Deprecated. use setTrustStore(VOMSTrustStore trustStore) instead.
static void	setTrustStore(VOMSTrustStore trustStore) Deprecated.
static void	shutdown() Performs shutdown of the default validator object, if allocated.
String	toString()
VOMSValidator	validate() Parses the assumed-validated certificate chain (which may also include proxy certs) for any occurances of VOMS extensions containing attribute certificates issued to the end entity in the certificate chain.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

VOMS_EXT_OID

public static final String VOMS_EXT_OID

See Also:

Constant Field Values

theTrustStore

protected static ACTrustStore theTrustStore

myValidator

protected ACValidator myValidator

myValidatedChain

protected X509Certificate[] myValidatedChain

myVomsAttributes

protected Vector myVomsAttributes

isParsed

protected boolean isParsed

isValidated

protected boolean isValidated

myFQANTree

protected VOMSValidator.FQANTree myFQANTree

vomsStore

protected static VOMSTrustStore vomsStore

DEFAULT_VALIDATOR

protected static volatile ACValidator DEFAULT_VALIDATOR

Constructor Detail

VOMSValidator

public VOMSValidator(X509Certificate validatedCert)

Convenience constructor in the case where you have a single cert and not a chain.

Parameters:

validatedCert -

See Also:

VOMSValidator(X509Certificate[])

VOMSValidator

public VOMSValidator(X509Certificate[] validatedChain)

Convenience constructor
Same as VOMSValidator(validatedChain, null)

Parameters:

validatedChain -

VOMSValidator

public VOMSValidator(X509Certificate[] validatedChain,
             ACValidator acValidator)

If validatedChain is null, a call to setValidatedChain() MUST be made before calling parse() or validate().

Parameters:

validatedChain - The (full), validated certificate chain

acValidator - The AC validator implementation to use (null is default with a BasicVOMSTrustStore)

See Also:

ACValidator, BasicVOMSTrustStore

Method Detail

setTrustStore

public static void setTrustStore(ACTrustStore trustStore)

Deprecated. use setTrustStore(VOMSTrustStore trustStore) instead.

Sets the ACTrustStore instance to use with the default ACValidator. Default is BasicVOMSTrustStore

Parameters:

trustStore -

See Also:

setTrustStore(VOMSTrustStore trustStore), BasicVOMSTrustStore

setTrustStore

public static void setTrustStore(VOMSTrustStore trustStore)

Deprecated.

Sets the trustStore to use with the default ACValidator.

Parameters:

trustStore - the trustStore.

See Also:

VOMSTrustStore

cleanup

public void cleanup()

Cleans up the object.

shutdown

public static void shutdown()

Performs shutdown of the default validator object, if allocated.

setClientChain

public VOMSValidator setClientChain(X509Certificate[] validatedChain)

Convenience method: enables you to reuse a VOMSValidator instance for another client chain, thus avoiding overhead in instantiating validators and trust stores and other potentially expensive operations.
This method returns the object itself, to allow for chaining of commands:
vomsValidator.setValidatedChain(chain).validate().getVOMSAttributes();

Parameters:

validatedChain - The new validated certificate chain to inspect

Returns:

the object itself

parse

public static Vector parse(X509Certificate[] myValidatedChain)

Parses the assumed-validated certificate chain (which may also include proxy certs) for any occurances of VOMS extensions containing attribute certificates issued to the end entity in the certificate chain.
No validation of timestamps and/or signatures are performed by this method.

Returns:

the voms attributes

See Also:

validate()

parse

public VOMSValidator parse()

Deprecated. use the parse(X509Certificate[]) instead

Parses the assumed-validated certificate chain (which may also include proxy certs) for any occurances of VOMS extensions containing attribute certificates issued to the end entity in the certificate chain.
No validation of timestamps and/or signatures are performed by this method.
This method returns the object itself, to allow for chaining of commands:
new VOMSValidator(certChain).parse().getVOMSAttributes();

Returns:

the object itself

See Also:

validate()

validate

public VOMSValidator validate()

Parses the assumed-validated certificate chain (which may also include proxy certs) for any occurances of VOMS extensions containing attribute certificates issued to the end entity in the certificate chain. The attribute certificates are validated: any non-valid entries will be ignored.
This method returns the object itself, to allow for chaining of commands:
new VOMSValidator(certChain).parse().getVOMSAttributes();

Returns:

the object itself

See Also:

parse()

getAllFullyQualifiedAttributes

public String[] getAllFullyQualifiedAttributes()

Returns a collection of all the FQANs in all the ACs found in the credential, in order.

Returns:

Vector of FQANs

getVOMSAttributes

public List getVOMSAttributes()

Returns a list of VOMS attributes, parsed and possibly validated.

Returns:

List of VOMSAttribute

See Also:

VOMSAttribute, parse(), validate(), isValidated()

getRoles

public List getRoles(String subGroup)

Returns a list of all roles attributed to a (sub)group, by combining all VOMS attributes in a hiearchial fashion.
Note: One of the methods parse() or validate() must have been called before calling this method. Otherwise, an IllegalStateException is thrown.

Parameters:

subGroup -

Returns:

the List of roles.

See Also:

VOMSValidator.FQANTree

getCapabilities

public List getCapabilities(String subGroup)

Deprecated. Capabilities are deprecated.

Returns a list of all capabilities attributed to a (sub)group, by combining all VOMS attributes in a hiearchial fashion.
Note: One of the methods parse() or validate() must have been called before calling this method. Otherwise, an IllegalStateException is thrown.

Parameters:

subGroup -

Returns:

A list containing all the capabilities

See Also:

VOMSValidator.FQANTree

isValidated

public boolean isValidated()

Returns:

whether the validation process has been ran on VOMS attributes

See Also:

validate()

isValid

public boolean isValid()

toString

public String toString()

Overrides:

toString in class Object