# Change log
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. This project adheres to [Semantic Versioning](http://semver.org).

## 15.1.0
### Changed
- Parent project (authzforce-ce-parent) version: 7.3.0, which changes dependency versions:
  - authzforce-ce-xmlns-model: 7.3.0
  - authzforce-ce-xacml-model: 7.3.0
  - authzforce-ce-pdp-ext-model: 7.3.0
  - Spring: 4.3.14.RELEASE
  - Saxon-HE: 9.8.0-12
  
### Added
- Interfaces: PolicyEvaluator has new method getEnclosedPolicies(), used to detect duplicate PolicyId/Version


## 15.0.0
### Added
- Classes from authzforce-ce-core-pdp-engine, which may be useful to PEP implementations (PEPs should not depend on authzforce-ce-core-pdp-engine except if using an embedded PDP): 
  - `StandardAttributeValueFactories` (for mapping standard Java types or XACML datatypes into AuthzForce data model)
  - `ImmutableAttributeValueFactoryRegistry` (required by the previous one)
  - `BasePdpExtensionRegistry` (required by the previous one).
- `AttributeValueFactoryRegistry#getCompatibleFactory(Class)` method: used in unit tests.
- `AttributeValueFactoryRegistry#newAttributeBag(Collection, AttributeSource)`: creates an AttributeBag with a custom AttributeSource
- `PrimitiveDatatype#getInstanceClass()` method: gives the Java class associated to the (XACML) datatype, in AuthzForce data model.
- `XacmlJaxbParsingUtils#parseXacmlJaxbResult(Result)` method: to convert XACML/XML Result into AuthzForce data model's DecisionResult
	
### Changed
- For more flexibility, genericity and code simplification (better adaptation to non-XML formats such as JSON in particular), AuthzForce data model classes (e.g. `AttributeValue`) no longer extend XACML-schema-derived (JAXB-annotated) classes (e.g. `AttributeValueType`). 
- `DecisionCache.Factory#getInstance(...)`: new AttributeValueFactoryRegistry parameter for the decision cache system to be able to create/restore AttributeValues from deserialized data stored or produced by external - possibly remote - systems (e.g. cache storage database).
- `CloseableDesignatedAttributeProvider` (resp. `BaseDesignatedAttributeProvider`) class renamed to `CloseableNamedAttributeProvider` (resp. `BaseNamedAttributeProvider`) to reuse the official term "named attribute" from §7.3 of XACML 3.0 spec.

### Fixed
- IllegalArgumentException for empty XACML anyURI, i.e. `<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI" />`. XACML 3.0 spec's anyURI datatype (annex B.3) is defined by W3C XML schema specification (2004)'s anyURI datatype, itself defined by RFC 2396 and 2732 at IETF. An empty URI is valid according to RFC 2396 (section 4.2), therefore an empty AttributeValue with anyURI datatype must be parsed successfully into an empty value. (Fix to `SimpleValue` class.)  
- AuthzForce `IntegerValue`s wrongly considered not equal if created from different Java integer types (for the same value), e.g. `1` (Integer) and `1L` (Long). (Fix to equals() implementations in `GenericInteger` subclasses.)


## 14.0.0
### Changed
- Interface method DecisionCache.Factory#getInstance(...): added EnvironmentProperties parameter to allow passing environment properties to DecisionCache implementations
- Interface method AttributeProvider#get(...): replaced parameter type BagDatatype with Datatype to simplify AttributeProviders' code
- Interface method EvaluationContext#getNamedAttributeValue(...): replaced parameter type BagDatatype with Datatype to simplify AttributeProviders' code
- Class VersionPatterns renamed to PolicyVersionPatterns because it depends on the PolicyVersionPattern (with no 's') class


## 13.0.0
### Changed
- Updated authzforce-ce-parent version: 7.1.0 -> 7.2.0:
  - Changes dependency version: slf4j: 1.7.22 --> 1.7.25
  - Changes build plugin versions:
    - OWASP dependency-check plugin: 3.0.1 -> 3.0.2 (fix blocking bug #978 on their github) 
- Copyright end year (2018) in license headers
- API interface/abstract class:
  - `SimpleValue.BaseFactory` abstract class: new `getSupportedInputTypes()` method for simple attribute value factories to specify the input Java types they support, i.e. that they can parse to AttributeValue, in order to help implement new `AttributeValueFactoryRegistry#newAttributeValue/AttributeBag(...)` methods
  - `AttributeValueFactoryRegistry` interface: new `newAttributeValue(Serializable)` and `newAttributeBag(Collection<? extends Serializable>)` methods for creating `AttributeValue`/`AttributeBag` from raw Java types without specifying a XACML datatype argument explicitly, but based on the input types supported by the simple AttributeValueFactories (of subtype `SimpleValue.BaseFactory`) in the registry; this information is provided by the `getSupportedInputTypes()` method mentioned previously. This change contributes to the implementation of [authzforce-ce-core issue #10 on github](https://github.com/authzforce/core/issues/10).
- `X500NameValue` class: added constructor from X500Principal


## 12.1.0
### Changed
- Parent project: 7.0.0 -> 7.1.0
	- Managed dependency version: guava: 21.0 -> 22.0


## 12.0.0
### Changed
- Parent project: 6.0.0 -> 7.0.0
- Renamed PDP extension interfaces and base implementations:
	* (Base|Closeable)AttributeProviderModule -> (Base|Closeable)DesignatedAttributeProvider
	* (Base)RequestFilter -> (Base)DecisionRequestPreprocessor
	* DecisionResultFilter -> DecisionResultPostprocessor
	* CloseablePdp -> CloseablePdpEngine
	* (Immutable)PdpDecisionRequest -> (Immutable)DecisionRequest
	* PdpDecisionResult -> DecisionResult
	* PdpDecisionRequest(Factory|Builder) -> DecisionRequest(Factory|Builder)
	* (Base|Closeable)(Static)RefPolicyProviderModule -> (Base|Closeable)(Static)RefPolicyProvider
	* RootPolicyProviderModule -> RootPolicyProvider
	* (Base)DatatypeFactory(Registry) -> (Base)AttributeValueFactory(Registry) (using new class AttributeDatatype subclass of Datatype)
- Uses of IdReferenceType (for Policy(Set)IdReference) replaced by new interface PrimaryPolicyMetadata (identifies Policy uniquely) in all APIs where necessary
- Moved JaxbXacmlUtils utility class out to authzforce-ce-xacml-model project (renamed to Xacml3JaxbHelper)
- New extensible framework for PDP engine adapters, e.g. for specific types of input/output (SerDes), PDP engine itself made agnostic of request/response serialization formats 
	* New package org.ow2.authzforce.core.pdp.api.io for classes related to input/output (SerDes) adapter, e.g. from/to XACML-XML
	* New interface PdpEngineInoutAdapter (default implementation is XACML/XML using JAXB API, XACML/JSON one moved to separate project)
- More optimal implementation of XACML integer values: 3 possible GenericInteger interface implementations depending on maximum size (ArbitrarilyBigInteger for Java BigIntegers, MediumInteger for Java Integers, and LongInteger for Java Longs), with value caching (like Java Integer/Long). This optimizes memory usage / CPU computation when dealing with XACML integers small enough to fit in Java Integers/Longs.
- Class naming conventions regarding acronyms (only first letter should be uppercase, see also https://google.github.io/styleguide/javaguide.html#s5.3-camel-case), for example:
	* AnyURIValue -> AnyUriValue
	* AttributeFQN -> AttributeFqn
	* AttributeFQNs -> AttributeFqns
	* CloseablePDP -> CloseablePdp
	* JaxbXACMLUtils -> JaxbXacmlUtils
	* PDPEngine -> PdpEngine
	* XMLUtils -> XmlUtils...


## 11.0.0 
### Changed 
- StaticRefPolicyProviderModule interface to abstract class
- Renamed RefPolicyProvider.Utils class (utility methods for Policy Provider implementations) to RefPolicyProvider.Helper

### Added 
- BaseStaticRefPolicyProviderModule class as convenient base class for static Policy Provider (StaticRefPolicyProviderModule) implementations


## 10.0.0
### Added
- Class AttributeSource and AttributeSources: source of attribute values, e.g. the Request, the PDP, an AttributeProvider module, etc.
- Class AttributeBag: new kind of Bag that represents an attribute bag (values) with metadata such as value source (AttributeSource) 
- Interface EvaluationContext: new methods to attach one or more context listeners, and get back the attached listener(s)
- New Expression interface implementations: AttributeDesignatorExpression (XACML AttributeDesignator evaluator) and AttributeSelectorExpression (XACML Attribute Selector evaluator)

### Changed
- Changed POM parent version: 6.0.0.
- Changed DecisionResultFilter interface methods
- Changed RequestFilter interface methods
- Changed DecisionCache interface methods by adding EvaluationContext parameter for context-dependent caches
- Changed RefPolicyProvider interface methods
- Changed PDPEngine interface methods
- Changed EvaluationContext interface methods
- Changed Expression interface methods
- Changed VersionPatterns class methods to return new PolicyVersionPattern class that helps manipulate XACML VersionMatchTypes
- Refactoring:
  - Renamed class IndividualDecisionRequest to IndividualXACMLRequest (XACML-specific model of Individual Decision Request)
  - Renamed class IndividualPdpDecisionRequest to PdpDecisionRequest (individual request in XACML-agnostic AuthzForce model)
  - Renamed class AttributeGUID(s) to AttributeFQN(s) (Fully Qualified Name is more appropriate than GUID)
  - Renamed class MutableBag to MutableAttributeBag


## 9.1.0
### Changed
- Changed parent version: v5.1.0:
	- License: GPL v3.0 replaced with Apache License v2.0
	- Project URL: 'https://tuleap.ow2.org/projects/authzforce' replaced with 'https://authzforce.ow2.org'
	- GIT repository URL base: 'https://tuleap.ow2.org/plugins/git/authzforce' replaced with 'https://gitlab.ow2.org/authzforce'
- Return type of `Datatype#getTypeParameter()`: `Datatype<?>` replaced with `Optional<Datatype<?>>`
- Return type of `AttributeGUID#getIssuer()`: `String<?>` replaced with `Optional<String<?>>`


## 9.0.0
### Changed
- Changed parent version: 4.1.1 -> 5.0.0
	-> Changed dependency versions: SLF4J: 1.7.6 -> 1.7.22; Guava: 20.0 -> 21.0
- Renamed class Pdp to PDPEngine and added methods to evaluate one or multiple Individual Decision Requests using more efficient API than XACML-schema-derived Request
- Renamed class PdpDecisionInput to PdpDecisionRequest -> changed DecisionCache API
- Changed DecisionResultFilter API


## 8.2.0
### Changed
- Parent project version: 4.1.1 (upgrades owasp dep check mvn plugin version: 1.4.4 -> 1.4.4.1)
- LOG CRLF INJECTION issue (reported by find-sec-bugs) no longer fixed in code but assumed handled by logback configuration (see Layout pattern 'replace' keyword in logback documentation)
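
An added illustration of the logback-side handling referred to in this entry (not taken from this project's configuration; the appender name `STDOUT`, the layout fields and the `_` replacement character are assumptions). The `%replace` conversion word rewrites CR/LF in the message before it is written, so a logged value cannot start a forged log line:

```xml
<configuration>
  <!--
    Weak pattern, shown for comparison only: %msg is written as-is, so a CR or LF
    inside a logged value ends the current record and begins what looks like a new one.
      <pattern>%d{ISO8601} %-5level %logger{36} : %msg%n</pattern>
  -->
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <!--
        Hardened pattern: %replace(p){r, t} applies regex r to the output of p and
        substitutes t. Only the message is rewritten; the record separator %n and
        any stack trace appended by logback are left untouched.
      -->
      <pattern>%d{ISO8601} %-5level %logger{36} : %replace(%msg){'[\r\n]+', '_'}%n</pattern>
    </encoder>
  </appender>

  <root level="INFO">
    <appender-ref ref="STDOUT"/>
  </root>
</configuration>
```

Every appender that receives untrusted values needs the same pattern, since the code no longer sanitizes them itself.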


## 8.1.0
### Changed
- Parent project version: 4.0.0 -> 4.1.0 => Saxon-HE dependency version 9.7.0-11 -> 9.7.0-14

### Fixed
- Security issues reported by find-sec-bugs plugin

## 8.0.0
### Added
- Extension mechanism to switch HashMap/HashSet implementation; default implementation is based on native JRE and Guava.
- AtomicValue interface for atomic/primitive values, implemented by Function and AttributeValue
- Public class PrimitiveDatatype for primitive value datatypes
- ConstantExpression interface (replaces ValueExpression) for all constant Value expressions
- FunctionExpression interface, Expression wrapper for Functions (Function no longer extends Expression but AtomicValue) like Value
- Function datatype constant in StandardDatatypes class, used as formal parameter type for functions in higher-order functions
- Maven plugin owasp-dependency-check to check vulnerabilities in dependencies 

### Changed
- Function no longer extends Expression but AtomicValue since Function Expression is now materialized by new FunctionExpression interface
- Expression interface: method boolean isStatic() replaced by getValue() to get the constant result if expression is static/constant (instead of calling evaluate(null), which forces callers to deal with the complexity of handling IndeterminateEvaluationException), or null if not
- ExpressionFactory interface: Function return types replaced with FunctionExpression (new interface)
- FirstOrderFunctionCall abstract class (base class for first-order function call implementations): changed to interface and abstract class logic moved to new BaseFirstOrderFunctionCall class
- DatatypeFactory interface: removed method isExpressionStatic(), now useless since we have new Expression#getValue() method 
- CombiningAlg (combining algorithm interface) Evaluator interface: more generic
- Maven parent project version: 3.4.0 -> 4.0.0:
	- **Java version: 1.7 -> 1.8** (maven.compiler.source/target property)
	- Guava dependency version: 18.0 -> 20.0
	- Saxon-HE dependency version: 9.6.0-5 -> 9.7.0-11
	- com.sun.mail:javax.mail v1.5.4 changed to com.sun.mail:mailapi v1.5.6

### Removed
- ValueExpression interface, replaced by ConstantExpression
- Dependency on Koloboke, replaced by extension mechanism mentioned in *Added* section that would allow to switch from the default HashMap/HashSet implementation to Koloboke-based.


## 7.1.1
### Fixed
- Javadoc issues


## 7.1.0
### Fixed
- Bag.equals() ignoring duplicates (like XACML set-equals function). Fixed by using Guava Multiset as backend structure and Multiset.equals(), to comply with the mathematical definition of a bag/multiset and XACML definition which is basically the same.
- BaseStaticRootPolicyProviderModule keeping a reference to static refPolicyProvider, although policies are resolved statically at initialization time and the reference is no longer needed after that. Fix: remove BaseStaticRootPolicyProviderModule to force RootPolicyProvider modules to manage their refPolicyProvider and free memory after use.

### Added 
- Bag.elements() method, returns a Multiset (Guava) view of a bag's elements, useful in particular to implement functions with bags like XACML set-*

### Removed
- BaseStaticRootPolicyProviderModule class removed (see fix above)

## 7.0.0
### Added
- Dependency: com.koloboke:koloboke-impl-jdk6-7:1.0.0 for better (performance and API) HashMap/HashSet. More info: http://java-performance.info/hashmap-overview-jdk-fastutil-goldman-sachs-hppc-koloboke-trove-january-2015/

### Changed
- CombiningAlg.Evaluator (Combining Algorithm evaluator interface): 
  - Return type changed to ExtendedDecision (Decision, Status, Extended Indeterminate if Decision is Indeterminate), simpler than formerly DecisionResult
  - evaluate() takes 2 extra "out" parameters: UpdatablePepActions and UpdatableApplicablePolicies used to add/return PEP actions and applicable policies collected during evaluation
- DecisionCache interface: input PdpDecisionInput and output PdpDecisionResult allow to handle 2 new fields: named attributes and extra Content nodes used during evaluation; thus enabling smarter caching possibilities
- EvaluationContext interface: addApplicablePolicy(...) replaced by isApplicablePolicyIdListRequested() because applicable policies are now collected in the new "out" parameter above and in the evaluation results (DecisionResult) returned by Policy evaluators
- Deprecated Expression#getJAXBElement() usually used to get the original XACML from which the Expression was parsed (no longer considered useful)
- Bag#equals() re-implemented like XACML function set-equals
- Changed implementation of unmodifiable lists to Guava ImmutableList
- Made all implementations of DecisionResult immutable


## 6.0.0
### Changed 
- Project parent version (3.4.0): all JAXB-annotated classes derived from XACML schema now implement the java.io.Serializable interface. This affects subclasses StatusHelper, CombinerParameterEvaluator and concrete XXXValue classes (extending XACML AttributeValue)
- All method parameters made final when applicable
- IndividualDecisionRequest#isApplicablePolicyIdentifiersReturned() method renamed to isApplicablePolicyIdListReturned()

### Removed
- CombiningAlgSet and FunctionSet classes (GitHub issue #1), now useless.

## 5.0.0
### Changed
- Attribute Provider Extension interface (CloseableAttributeProviderModule interface): new parameter to pass global PDP environment properties to AttributeProvider extensions

## 4.0.2
### Fixed
- Code-style issues reported by Codacy

## 4.0.1
### Fixed
- Issues reported by Codacy

## 4.0.0
### Changed
- FirstOrderBagFunctions#getFunctions(): changed parameters to only one of type DatatypeFactory<AV> for simplification

### Fixed
- Current year in license header


## 3.8.0
### Added
- Implementations of XACML 3.0 Core standard data types
- Re-usable/abstract classes for XACML comparison/conversion/higher-order/set/bag functions

### Fixed
- Javadoc of DecisionResult#getExtendedIndeterminate() method


## 3.7.0
### Changed
- PDP extensions that are static root policy providers should now implement StaticRootPolicyProviderModule class, instead of RootPolicyProviderModule.Static class
- PDP extensions that are static ref-policy providers should now implement StaticRefPolicyProvider class, instead of RefPolicyProvider class with isStatic() method returning true
- (Static)RootPolicyProviderModule and (Static)RefPolicyProviderModule#get(...) return type is now (Static)TopLevelPolicyElementEvaluator instead of IPolicyEvaluator interface (removed)

### Added
- Interface method PolicyEvaluator#getExtraPolicyMetadata(): provides version of the evaluated Policy(Set) and policies referenced (directly/indirectly) from this Policy(Set)
- Interface method PolicyEvaluator#getPolicyElementType(): provides the type of top-level policy element (Policy or PolicySet).
- Interface method DecisionResult#getExtendedIndeterminate(): provides Extended Indeterminate value (to be used when #getDecision() returns "Indeterminate")

## 3.6.1
### Added
- Initial release on Github