Merge branch 'release/15.1.0'

CHANGELOG.md

@@ -2,6 +2,19 @@
 All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. This project adheres to [Semantic Versioning](http://semver.org).
 
 
+## 15.1.0
+### Changed
+- Parent project (authzforce-ce-parent) version: 7.3.0, which changes dependency versions:
+  - authzforce-ce-xmlns-model: 7.3.0
+  - authzforce-ce-xacml-model: 7.3.0
+  - authzforce-ce-pdp-ext-model: 7.3.0
+  - Spring: 4.3.14.RELEASE
+  - Saxon-HE: 9.8.0-12
+  
+### Added
+- Interfaces: PolicyEvaluator has new method getEnclosedPolicies(), used to detect duplicate PolicyId/Version
+
+
 ## 15.0.0
 ### Added
 - Classes from authzforce-ce-core-pdp-engine, which may be useful to PEP implementations (PEPs should not depend on authzforce-ce-core-pdp-engine except if using an embedded PDP): 

README.md

 [![Codacy Badge](https://api.codacy.com/project/badge/Grade/2804cd619dde437a883da48ad5c283bc)](https://www.codacy.com/app/coder103/authzforce-ce-core-pdp-api?utm_source=github.com&utm_medium=referral&utm_content=authzforce/core-pdp-api&utm_campaign=Badge_Grade)
 [![Javadocs](http://javadoc.io/badge/org.ow2.authzforce/authzforce-ce-core-pdp-api.svg)](http://javadoc.io/doc/org.ow2.authzforce/authzforce-ce-core-pdp-api)
 
-# AuthZForce Core PDP API
-High-level API for using AuthZForce PDP engine and implementing PDP engine extensions: attribute datatypes, functions, policy/rule combining algorithms, attribute providers, policy providers, XACML Request/Result filters, etc.
+# AuthzForce Core PDP API
+High-level API for using AuthzForce PDP engine and implementing PDP engine extensions: attribute datatypes, functions, policy/rule combining algorithms, attribute providers, policy providers, XACML Request/Result filters, etc.
 
 ## Support
 
-If you are experiencing any problem with this project, you may report it on the [OW2 Issue Tracker](https://jira.ow2.org/browse/AUTHZFORCE/).
+If you are experiencing any problem with this project, you may report it on the github Issues.
 Please include as much information as possible; the more we know, the better the chance of a quicker resolution:
 
 * Software version
@@ -15,5 +15,5 @@ Please include as much information as possible; the more we know, the better the
 * Log output can be useful too; sometimes enabling DEBUG logging can help;
 * Your code & configuration files are often useful.
 
-If you wish to contact the developers for other reasons, use [Authzforce contact mailing list](http://scr.im/azteam).
+If you wish to contact the developers for other reasons, use [AuthzForce contact mailing list](http://scr.im/azteam).
 

pom.xml

@@ -3,10 +3,10 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-parent</artifactId>
-      <version>7.2.0</version>
+      <version>7.3.0</version>
    </parent>
    <artifactId>authzforce-ce-core-pdp-api</artifactId>
-   <version>15.0.0</version>
+   <version>15.1.0</version>
    <name>${project.groupId}:${project.artifactId}</name>
    <description>AuthzForce - Core PDP API</description>
    <url>${project.url}</url>

src/main/java/org/ow2/authzforce/core/pdp/api/func/RegexpMatchFunctionHelper.java

@@ -22,12 +22,9 @@ import java.util.Optional;
 import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;
 
-import net.sf.saxon.Version;
-import net.sf.saxon.regex.RegularExpression;
-import net.sf.saxon.trans.XPathException;
-
 import org.ow2.authzforce.core.pdp.api.EvaluationContext;
 import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
+import org.ow2.authzforce.core.pdp.api.XmlUtils;
 import org.ow2.authzforce.core.pdp.api.expression.Expression;
 import org.ow2.authzforce.core.pdp.api.expression.Expressions;
 import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
@@ -39,6 +36,10 @@ import org.ow2.authzforce.core.pdp.api.value.StringValue;
 import org.ow2.authzforce.core.pdp.api.value.Value;
 import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;
 
+import net.sf.saxon.Version;
+import net.sf.saxon.regex.RegularExpression;
+import net.sf.saxon.trans.XPathException;
+
 /**
  * *-regexp-match function helper
  * <p>
@@ -48,10 +49,8 @@ import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;
  * <li>{@link Pattern} matches the entire string against the pattern always, whereas <code>xf:matches</code> considers the string to match the pattern if any substring matches the pattern.</li>
  * <li><code>xf:matches</code> regular expression syntax is based on XML schema which defines character class substraction using '-' character, whereas {@link Pattern} does not support this syntax but
  * <code>&&[^</code> instead.</li>
- * <li>
- * Category escape: can be done in XML SCHEMA with: <code>[\P{X}]</code>. {@link Pattern} only supports this form: <code>[^\p{X}]</code>.</li>
- * <li>
- * Character classes: XML schema define categories <code>\c</code> and <code>\C</code>. {@link Pattern} does not support them.</li>
+ * <li>Category escape: can be done in XML SCHEMA with: <code>[\P{X}]</code>. {@link Pattern} only supports this form: <code>[^\p{X}]</code>.</li>
+ * <li>Character classes: XML schema define categories <code>\c</code> and <code>\C</code>. {@link Pattern} does not support them.</li>
  * </ul>
  * EXAMPLE: this regex from XML schema spec uses character class substraction. It is valid for <code>xf:matches</code> but does not compile with {@link Pattern}:
  * 
@@ -71,7 +70,7 @@ public final class RegexpMatchFunctionHelper
 		private final String funcId;
 
 		private CompiledRegexMatchFunctionCall(final FirstOrderFunctionSignature<BooleanValue> functionSig, final List<Expression<?>> argExpressions, final Datatype<?>[] remainingArgTypes,
-				final RegularExpression compiledRegex, final Datatype<? extends SimpleValue<String>> matchedValueType, final String invalidRemainingArg1TypeMsg) throws IllegalArgumentException
+		        final RegularExpression compiledRegex, final Datatype<? extends SimpleValue<String>> matchedValueType, final String invalidRemainingArg1TypeMsg) throws IllegalArgumentException
 		{
 			super(functionSig, argExpressions, remainingArgTypes);
 			this.funcId = functionSig.getName();
@@ -136,7 +135,7 @@ public final class RegexpMatchFunctionHelper
 		final RegularExpression compiledRegex;
 		try
 		{
-			compiledRegex = Version.platform.compileRegularExpression(regex.getUnderlyingValue(), "", "XP20", null);
+			compiledRegex = Version.platform.compileRegularExpression(XmlUtils.SAXON_PROCESSOR.getUnderlyingConfiguration(), regex.getUnderlyingValue(), "", "XP20", null);
 		}
 		catch (final XPathException e)
 		{
@@ -206,7 +205,7 @@ public final class RegexpMatchFunctionHelper
 					/*
 					 * From Saxon xf:matches() implementation: Matches#evaluateItem() / evalMatches()
 					 */
-					compiledRegex = Version.platform.compileRegularExpression(regex, "", "XP20", null);
+					compiledRegex = Version.platform.compileRegularExpression(XmlUtils.SAXON_PROCESSOR.getUnderlyingConfiguration(), regex, "", "XP20", null);
 				}
 				catch (final XPathException e)
 				{

src/main/java/org/ow2/authzforce/core/pdp/api/policy/PolicyEvaluator.java

@@ -21,6 +21,7 @@
 package org.ow2.authzforce.core.pdp.api.policy;
 
 import java.util.Optional;
+import java.util.Set;
 
 import org.ow2.authzforce.core.pdp.api.Decidable;
 import org.ow2.authzforce.core.pdp.api.DecisionResult;
@@ -89,6 +90,15 @@ public interface PolicyEvaluator extends Decidable
 	 */
 	PolicyVersion getPolicyVersion(EvaluationContext evaluationCtx) throws IndeterminateEvaluationException;
 
+	/**
+	 * Get metadata about the policies enclosed in the evaluated policy (including itself), i.e. whose actual content is enclosed inside the evaluated policy (as opposed to policy references).
+	 * <p>
+	 * This allows to detect duplicates, i.e. when the same policy (ID and version) is re-used multiple times in the same enclosing policy.
+	 * 
+	 * @return the set of enclosed policies, including itself. (May be empty if the policy corresponds to a XACML Policy (no child Policy(Set)s, but never null );
+	 */
+	Set<PrimaryPolicyMetadata> getEnclosedPolicies();
+
 	/**
 	 * Get metadata about the child policy references of the evaluated policy, present iff there is any (e.g. no the case for a XACML Policy element). These metadata may depend on the evaluation
 	 * context in case of a Policy(Set)IdReference evaluator when using dynamic aka context-dependent {@link RefPolicyProvider} that resolve policy references at evaluation time based on the context,

src/main/java/org/ow2/authzforce/core/pdp/api/policy/PrimaryPolicyMetadata.java

@@ -67,4 +67,5 @@ public interface PrimaryPolicyMetadata
 	 * @return description
 	 */
 	Optional<String> getDescription();
+
 }

src/main/java/org/ow2/authzforce/core/pdp/api/policy/StaticTopLevelPolicyElementEvaluator.java

@@ -28,4 +28,5 @@ package org.ow2.authzforce.core.pdp.api.policy;
 public interface StaticTopLevelPolicyElementEvaluator extends StaticPolicyEvaluator, TopLevelPolicyElementEvaluator
 {
 	// Merge of StaticPolicyEvaluator and TopLevelPolicyElementEvaluator
+
 }

src/main/java/org/ow2/authzforce/core/pdp/api/value/DnsNameWithPortRangeValue.java

@@ -46,7 +46,7 @@ public final class DnsNameWithPortRangeValue extends StringParseableValue<String
 	static
 	{
 		/*
-		 * Limit repetitions in regex to mitiate Regex DoS attacks
+		 * Limit repetitions in regex to mitigate Regex DoS attacks
 		 */
 		final String domainlabel = "\\w[[\\w|\\-]{0,1000}\\w]?";
 		final String toplabel = "[a-zA-Z][[\\w|\\-]{0,1000}\\w]?";
@@ -101,7 +101,8 @@ public final class DnsNameWithPortRangeValue extends StringParseableValue<String
 			// there is no port/portRange, so just use the name
 			host = dnsName;
 			range = NetworkPortRange.MAX;
-		} else
+		}
+		else
 		{
 			// split the name and the port/portRange
 			host = dnsName.substring(0, portSep);

src/test/resources/saxon.xml.sample

 <?xml version="1.0"?>
+<!-- Many of the options included here are defaults, and do not need to be specified in a real configuration file. They are provided for convenience of editing, so 
+   it is easy to set up a configuration file with non-default options. For documentation on the contents of a Saxon configuration file, see http://www.saxonica.com/documentation9.6/index.html#!configuration/configuration-file -->
+<!-- WARNING: 1) for AuthZForce compatibility, do not set xInclude property here (do not even set xInclude="false") This would cause an error with XACML Request Attributes/Content XML parsing: net.sf.saxon.s9api.SaxonApiException: 
+   Selected XML parser javax.xml.bind.util.JAXBSource$1 does not recognize request for XInclude processing at net.sf.saxon.s9api.DocumentBuilder.build(DocumentBuilder.java:374) ~[Saxon-HE-9.6.0-5.jar:na] 
+   at org.ow2.authzforce.core.XACMLParsers$FullJaxbXACMLAttributesParserFactory$FullJaxbXACMLAttributesParser.parseContent(XACMLParsers.java:909) ~[classes/:na] -->
 <configuration
    edition="HE"
    xmlns="http://saxon.sf.net/ns/configuration"
@@ -87,7 +92,7 @@
       stylesheetParser="">
    </xslt>
    <xquery
-      version="1.1"
+      version="3.1"
       allowUpdate="false"
       errorListener="net.sf.saxon.StandardErrorListener"
       moduleUriResolver="net.sf.saxon.lib.StandardModuleURIResolver"
@@ -98,12 +103,5 @@
       defaultElementNamespace=""
       preserveBoundarySpace="false"
       requiredContextItemType="document-node()"
-      emptyLeast="true" />
-      <!-- XSD occurrenceLimits property is not considered valid by SAXON 9.6 although it is in the doc:
-      http://www.saxonica.com/documentation9.6/index.html#!configuration/configuration-file/config-xsd 
-      Bug reported here: https://saxonica.plan.io/issues/2731
-      -->
-  <xsd
-      occurrenceLimits="100,250"
-      version="1.1" />    
+      emptyLeast="true" />   
 </configuration>
\ No newline at end of file