Commit 532399ab authored by Paff's avatar Paff

analysis: access for roles

parent b7d6d2f0
/**
* Generated on Wed Oct 08 11:24:22 CEST 2014
* Generated on Wed Oct 08 16:39:38 CEST 2014
*/
config {
Require-Model:
......
......@@ -15,6 +15,7 @@ import org.jgrapht.DirectedGraph;
import org.jgrapht.graph.DefaultDirectedGraph;
import secarc.ets.entries.FilterEntry;
import secarc.ets.entries.RoleEntry;
import secarc.ets.entries.SecComponentEntry;
import secarc.ets.entries.SecPortEntry;
......@@ -129,6 +130,7 @@ public class ArchitectureGraphBuilder {
visitIncomingPorts(componentType, componentVertex);
visitOutgoingPorts(componentType, componentVertex);
visitFilter(componentType, componentVertex);
visitRole(componentType, componentVertex);
/* Recursively visit all subcomponents and add them as well as their ports
* to the graph before proceeding with connectors. */
......@@ -138,6 +140,13 @@ public class ArchitectureGraphBuilder {
}
/**
* Does the actual work for a given component. Calls itself recursively on all
* eventual subcomponents. For Connector
*
* @param component
* @param componentParent
*/
protected void visitComponentForConnector(SubComponentEntry component, ComponentEntry componentParent) {
ComponentEntry componentType = component.getComponentType().getBestKnownVersion();
......@@ -150,6 +159,46 @@ public class ArchitectureGraphBuilder {
visitConnectors(componentType, componentParent);
}
/**
* Adds all roles of the given component type to the graph
*
* @param componentType
* @param componentVertex
*/
protected void visitRole(ComponentEntry componentType, Vertex<SubComponentEntry> componentVertex) {
if(((SecComponentEntry) componentType).getRoles() != null && !((SecComponentEntry) componentType).getRoles().isEmpty()) {
Vertex<RoleEntry> roleVertex = null;
for(RoleEntry role : ((SecComponentEntry) componentType).getRoles()) {
roleVertex = Vertex.lookup(role, this.graph);
if(roleVertex == null) {
roleVertex = Vertex.of(role);
this.graph.addVertex(roleVertex);
}
this.graph.addEdge(componentVertex, roleVertex);
}
}
}
/**
* Adds all roles of the given port to the graph
*
* @param componentType
* @param componentVertex
*/
protected void visitRole(PortEntry port, Vertex<PortEntry> portVertex) {
if(((SecPortEntry) port).getRoles() != null && !((SecPortEntry) port).getRoles().isEmpty()) {
Vertex<RoleEntry> roleVertex = null;
for(RoleEntry role : ((SecPortEntry) port).getRoles()) {
roleVertex = Vertex.lookup(role, this.graph);
if(roleVertex == null) {
roleVertex = Vertex.of(role);
this.graph.addVertex(roleVertex);
}
this.graph.addEdge(portVertex, roleVertex);
}
}
}
/**
* Adds all filters of the given component type to the graph
* @param componentType
......@@ -273,6 +322,7 @@ public class ArchitectureGraphBuilder {
this.graph.addVertex(portVertex);
this.graph.addEdge(portVertex, componentVertex);
visitFilter(port, portVertex);
visitRole(port, portVertex);
}
}
......@@ -287,6 +337,7 @@ public class ArchitectureGraphBuilder {
this.graph.addVertex(portVertex);
this.graph.addEdge(componentVertex, portVertex);
visitFilter(port, portVertex);
visitRole(port, portVertex);
}
}
......
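Review bot: Both new `visitRole` overloads downcast their argument unconditionally and repeatedly (`(SecComponentEntry) componentType`, `(SecPortEntry) port`), so a single entry of the base type would abort the graph build with a ClassCastException and leave the role edges incomplete. Whether such entries can reach these methods is not visible in the hunk, but casting once into a local behind a check is cheap: `if (!(port instanceof SecPortEntry)) { return; }` followed by `SecPortEntry secPort = (SecPortEntry) port;`, and the same for the component overload. The Javadoc of the port overload was copied from the component one and still names `componentType` and `componentVertex`; it should read `@param port` and `@param portVertex`.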
package secarc.ets.graph;
import secarc.ets.entries.RoleEntry;
/**
* TODO: Write me!
*
* @author (last commit) $Author$
* @version $Revision$, $Date$
*
*/
public class RoleVertex extends Vertex<RoleEntry> {
/**
* Constructor for cc.clarc.lang.architecture.graph.RoleVertex
*
* @param architectureElementDescription
*/
protected RoleVertex(RoleEntry architectureElementDescription) {
super(architectureElementDescription);
}
}
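Review bot: The class comment is still the template placeholder `TODO: Write me!`, and the constructor comment names `cc.clarc.lang.architecture.graph.RoleVertex`, which is not this file's package (`secarc.ets.graph`). A class comment such as `Vertex representing a {@link RoleEntry} in the architecture graph; created through {@link Vertex#of(RoleEntry)}.` would cover it. The constructor's `@param architectureElementDescription` could read `the role entry this vertex represents`.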
......@@ -12,6 +12,7 @@ import mc.umlp.arcd.ets.entries.SubComponentEntry;
import org.jgrapht.DirectedGraph;
import secarc.ets.entries.FilterEntry;
import secarc.ets.entries.RoleEntry;
import com.google.common.base.Objects;
......@@ -87,6 +88,14 @@ public abstract class Vertex<E extends STEntry> {
return new FilterVertex(filter);
}
/**
* Factory method creating a concrete {@link RoleVertex} role of
* {@link Vertex}.
*/
public static final RoleVertex of(RoleEntry role) {
return new RoleVertex(role);
}
/**
* The reference to the represented {@link STEntry}
*/
......
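Review bot: The Javadoc on the new factory says "a concrete {@link RoleVertex} role of {@link Vertex}", which looks like a search-and-replace slip; `Factory method creating a {@link RoleVertex} for the given {@link RoleEntry}.` states what the method does. `RoleAccess` in this commit passes a freshly created `Vertex.of(entry)` to the neighbour index, so that lookup only works if two vertices wrapping the same entry compare equal. If `equals`/`hashCode` (outside this hunk) implement that, it is worth stating in this comment.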
/**
* Generated on Wed Oct 08 11:24:42 CEST 2014
* Generated on Wed Oct 08 16:40:39 CEST 2014
*/
config {
Require-Model:
......
......@@ -95,4 +95,9 @@ public enum MontiSecArcAnalysisErrorCodes implements IErrorCode {
*/
DerivedRolesPort,
/**
* Access for roles
*/
RoleAccess,
}
package secarc.ets.analysis.checker;
import interfaces2.resolvers.AmbigousException;
import secarc._ast.ASTSecArcRole;
import secarc.ets.entries.RoleEntry;
import secarc.ets.graph.ArchitectureGraph;
/**
* Analysis checker interface for checking role
* related analysis
*
* <br>
* <br>
* Copyright (c) 2011 RWTH Aachen. All rights reserved
*
* @author (last commit) $Author$
* @version $Date$<br>
* $Revision$
*
*/
public interface ISecAnalysisRoleChecker {
/**
*
* @param node
* @param entry
* @param graph
* @throws AmbigousException
*/
void check(ASTSecArcRole node, RoleEntry entry, ArchitectureGraph graph) throws AmbigousException;
}
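Review bot: The Javadoc on `check` is an empty template with no summary and bare `@param`/`@throws` tags, so implementers get no contract. Going by how the visitor in this commit calls it, a summary like `Runs this role analysis for one resolved role.` with `@param node the role declaration in the AST`, `@param entry the symbol-table entry resolved for one role name of node` and `@param graph the architecture graph the analysis queries` would fit. The `@throws AmbigousException` tag should say when an implementation is expected to throw it.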
......@@ -19,8 +19,6 @@ import secarc.ets.entries.SecConnectorEntry;
*
* - SSL/TLS Testing
*
* TODO SimpleConnector
*
* <br>
* <br>
* Copyright (c) 2011 RWTH Aachen. All rights reserved
......
......@@ -20,8 +20,6 @@ import secarc.ets.entries.SecConnectorEntry;
*
* - SSL/TLS Testing
*
* TODO SimpleConnector
*
* <br>
* <br>
* Copyright (c) 2011 RWTH Aachen. All rights reserved
......
......@@ -17,6 +17,19 @@ import secarc.ets.entries.SecComponentEntry;
import secarc.ets.entries.SecPortEntry;
import secarc.ets.graph.ArchitectureGraph;
/**
* Lists all roles for a port
* - Testing for privilege escalation
*
* <br>
* <br>
* Copyright (c) 2011 RWTH Aachen. All rights reserved
*
* @author (last commit) $Author$
* @version $Date$<br>
* $Revision$
*
*/
public class DerivedRolesPort extends Analysis implements
ISecAnalysisPortChecker {
......
package secarc.ets.analysis.role;
import java.util.List;
import org.jgrapht.alg.DirectedNeighborIndex;
import interfaces2.STEntry;
import interfaces2.resolvers.AmbigousException;
import mc.IErrorCode;
import secarc._ast.ASTSecArcRole;
import secarc.error.MontiSecArcAnalysisErrorCodes;
import secarc.ets.analysis.checker.Analysis;
import secarc.ets.analysis.checker.ISecAnalysisRoleChecker;
import secarc.ets.check.MontiSecArcAnalysisConstants;
import secarc.ets.entries.RoleEntry;
import secarc.ets.graph.ArchitectureGraph;
import secarc.ets.graph.Edge;
import secarc.ets.graph.Vertex;
/**
* Lists role access
* - Testing for privilege escalation
*
* <br>
* <br>
* Copyright (c) 2011 RWTH Aachen. All rights reserved
*
* @author (last commit) $Author$
* @version $Date$<br>
* $Revision$
*
*/
public class RoleAccess extends Analysis implements ISecAnalysisRoleChecker {
public RoleAccess() {
super(MontiSecArcAnalysisConstants.ROLE_ACCESS);
}
/*
* (non-Javadoc)
* @see secarc.ets.analysis.checker.ISecAnalysisRoleChecker#check(secarc._ast.ASTSecArcRole, secarc.ets.entries.RoleEntry)
*/
@Override
public void check(ASTSecArcRole node, RoleEntry entry, ArchitectureGraph graph)
throws AmbigousException {
DirectedNeighborIndex<Vertex<? extends STEntry>, Edge> directedNeighborIndex = new DirectedNeighborIndex<Vertex<? extends STEntry>, Edge>(graph.getRawGraph());
List<Vertex<? extends STEntry>> allPredescessor = directedNeighborIndex.predecessorListOf(Vertex.of(entry));
StringBuilder sBuilder = new StringBuilder("The role " + entry.getName() + " has access to the following ports and components: ");
if(!allPredescessor.isEmpty()) {
sBuilder.append(allPredescessor.get(0).getArchitectureElement().getName());
allPredescessor.remove(0);
}
for(Vertex<? extends STEntry> vertex : allPredescessor) {
sBuilder.append(", ");
sBuilder.append(vertex.getArchitectureElement().getName());
}
addReport(sBuilder.toString(), node.get_SourcePositionStart());
}
/*
* (non-Javadoc)
* @see interfaces2.coco.ContextCondition#getErrorCode()
*/
@Override
public IErrorCode getErrorCode() {
return MontiSecArcAnalysisErrorCodes.RoleAccess;
}
}
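Review bot: `allPredescessor.remove(0)` in `check` modifies the list returned by `predecessorListOf` only to avoid a leading comma; whether that list is a private copy depends on the JGraphT version, so the report is better built with a separator variable and no mutation. A role without incoming edges currently yields a message that stops after "components: ", which in a privilege review is easy to misread as truncated output, so the empty case should be named explicitly. The lookup also assumes that `Vertex.of(entry)` equals the vertex stored by `ArchitectureGraphBuilder`; a resolved role that was never attached to a port or component may make the index throw instead of returning an empty list, which deserves a test.

```java
// … unchanged: neighbour index and predecessor lookup …
StringBuilder sBuilder = new StringBuilder("The role " + entry.getName() + " has access to the following ports and components: ");
if (allPredescessor.isEmpty()) {
  sBuilder.append("(none)");
}
String separator = "";
for (Vertex<? extends STEntry> vertex : allPredescessor) {
  sBuilder.append(separator).append(vertex.getArchitectureElement().getName());
  separator = ", ";
}
addReport(sBuilder.toString(), node.get_SourcePositionStart());
```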
......@@ -60,6 +60,8 @@ public final class MontiSecArcAnalysisConstants {
public static final String DERIVE_ROLES_PORT = "Derives all roles for ports.";
public static final String ROLE_ACCESS = "Lists access for roles";
public static final String ALL_IDENTITY = "Checks all analysis related to identity links.";
public static final String IDENTITY_WITH_ENCRYPTION = "Checks if the communication between two components is encrypted when an identity link is used.";
......
......@@ -22,6 +22,7 @@ import secarc.ets.analysis.port.ListSystemOutgoingPorts;
import secarc.ets.analysis.role.DerivedRolesComponent;
import secarc.ets.analysis.role.DerivedRolesPort;
import secarc.ets.analysis.role.DerivedRolesThirdParty;
import secarc.ets.analysis.role.RoleAccess;
import mc.ProblemReport;
......@@ -158,6 +159,9 @@ public final class MontiSecArcAnalysisCreator {
//Derives roles for ports
roleAnalysis.addChild(new DerivedRolesPort());
//Access for roles
roleAnalysis.addChild(new RoleAccess());
//Analysis for identity
CompositeContextCondition identityAnalysis = new CompositeContextCondition(MontiSecArcAnalysisConstants.ALL_IDENTITY);
......
......@@ -23,15 +23,18 @@ import mc.umlp.arcd.ets.entries.PortEntry;
import secarc._ast.ASTSecArcConfiguration;
import secarc._ast.ASTSecArcFilter;
import secarc._ast.ASTSecArcIdentity;
import secarc._ast.ASTSecArcRole;
import secarc.ets.analysis.checker.ISecAnalysisComponentChecker;
import secarc.ets.analysis.checker.ISecAnalysisConfigurationChecker;
import secarc.ets.analysis.checker.ISecAnalysisConnectorChecker;
import secarc.ets.analysis.checker.ISecAnalysisFilterChecker;
import secarc.ets.analysis.checker.ISecAnalysisIdentityChecker;
import secarc.ets.analysis.checker.ISecAnalysisPortChecker;
import secarc.ets.analysis.checker.ISecAnalysisRoleChecker;
import secarc.ets.entries.ConfigurationEntry;
import secarc.ets.entries.FilterEntry;
import secarc.ets.entries.IdentityEntry;
import secarc.ets.entries.RoleEntry;
import secarc.ets.entries.SecComponentEntry;
import secarc.ets.entries.SecConnectorEntry;
import secarc.ets.entries.SecPortEntry;
......@@ -87,6 +90,11 @@ public class MontiSecArcAnalysisVisitor extends CheckWorkflowClient {
*/
private Set<ISecAnalysisIdentityChecker> analysisIdentityChecker;
/**
* Analysis for roles
*/
private Set<ISecAnalysisRoleChecker> analysisRoleChecker;
public MontiSecArcAnalysisVisitor() {
analysisFilterChecker = new HashSet<ISecAnalysisFilterChecker>();
......@@ -95,6 +103,7 @@ public class MontiSecArcAnalysisVisitor extends CheckWorkflowClient {
analysisConnectorChecker = new HashSet<ISecAnalysisConnectorChecker>();
analysisComponentChecker = new HashSet<ISecAnalysisComponentChecker>();
analysisIdentityChecker = new HashSet<ISecAnalysisIdentityChecker>();
analysisRoleChecker = new HashSet<ISecAnalysisRoleChecker>();
}
/**
......@@ -131,6 +140,9 @@ public class MontiSecArcAnalysisVisitor extends CheckWorkflowClient {
if(coco instanceof ISecAnalysisIdentityChecker) {
analysisIdentityChecker.add((ISecAnalysisIdentityChecker) coco);
}
if(coco instanceof ISecAnalysisRoleChecker) {
analysisRoleChecker.add((ISecAnalysisRoleChecker) coco);
}
}
}
......@@ -269,7 +281,26 @@ public class MontiSecArcAnalysisVisitor extends CheckWorkflowClient {
getNameSpaceFor(node));
if (entry != null) {
for (ISecAnalysisIdentityChecker cc : analysisIdentityChecker) {
cc.check(node, entry, graph);
cc.check(node, entry, graph);
}
}
} catch (AmbigousException e) {
// not handled here
MCG.getLogger().info(e.getMessage());
}
}
}
/**
* Visits roles
*/
public void visit(ASTSecArcRole node) {
for (String name : node.getRoles()) {
try {
RoleEntry entry = (RoleEntry) resolver.resolve(name, RoleEntry.KIND, getNameSpaceFor(node));
if (entry != null) {
for (ISecAnalysisRoleChecker cc : analysisRoleChecker) {
cc.check(node, entry, graph);
}
}
} catch (AmbigousException e) {
......
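Review bot: In the new `visit(ASTSecArcRole)`, a role name that resolves to `null` is skipped without any trace, so the role-access listing can be incomplete and a reader of the output cannot tell. An `else` branch that records it, for example `MCG.getLogger().info("Role " + name + " could not be resolved; role analysis skipped");`, would make the gap visible. The body of `catch (AmbigousException e)` lies outside the hunk; if it mirrors the identity visitor above and only logs at info level, ambiguous role names are dropped from the analysis the same way. The comment `Visits roles` could also say that each name in `node.getRoles()` is resolved to a `RoleEntry` and handed to every registered `ISecAnalysisRoleChecker`.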
......@@ -118,8 +118,9 @@ public class MontiSecArcAnalysisTest extends TestWithSymtabAnalysis<MontiSecArcA
errorCodes.add(MontiSecArcAnalysisErrorCodes.TaintPropergation);
errorCodes.add(MontiSecArcAnalysisErrorCodes.IdentityWithEncryption);
errorCodes.add(MontiSecArcAnalysisErrorCodes.DerivedRolesPort);
errorCodes.add(MontiSecArcAnalysisErrorCodes.RoleAccess);
assertEquals(8, handler.getWarnings().size());
assertEquals(9, handler.getWarnings().size());
for(ProblemReport error : handler.getErrors()) {
assertTrue(errorCodes.contains(error.getErrorcode()));
}
......@@ -159,9 +160,9 @@ public class MontiSecArcAnalysisTest extends TestWithSymtabAnalysis<MontiSecArcA
errorCodes.add(MontiSecArcAnalysisErrorCodes.IdentityWithEncryption);
errorCodes.add(MontiSecArcAnalysisErrorCodes.DerivedRolesComponent);
errorCodes.add(MontiSecArcAnalysisErrorCodes.DerivedRolesPort);
errorCodes.add(MontiSecArcAnalysisErrorCodes.TaintPropergation);
errorCodes.add(MontiSecArcAnalysisErrorCodes.RoleAccess);
assertEquals(10, handler.getWarnings().size());
assertEquals(12, handler.getWarnings().size());
for(ProblemReport error : handler.getErrors()) {
assertTrue(errorCodes.contains(error.getErrorcode()));
}
......
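Review bot: Both updated tests assert the new totals on `handler.getWarnings()` (9 and 12), but the loop that checks the codes iterates `handler.getErrors()`, so if the analyses report warnings the added `errorCodes.add(MontiSecArcAnalysisErrorCodes.RoleAccess)` is never compared against anything. Iterating the warnings instead, `for(ProblemReport error : handler.getWarnings()) {`, would make the membership check cover the new code. A bare count also does not show that the role listing names the right ports and components; one assertion on the `RoleAccess` message for a known role in the test model would pin that down.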