Commit 8acc63de authored by cdanger

- Changed parent version: 7.2.0->7.3.0 (changed SAXON version in particular)
- Changed PolicyEvaluator interface to add getEnclosedPolicies() in
order to detect duplicate PolicyId/Version
parent f8d4ee8a
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
<parent> <parent>
<groupId>org.ow2.authzforce</groupId> <groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-parent</artifactId> <artifactId>authzforce-ce-parent</artifactId>
<version>7.2.0</version> <version>7.3.0</version>
</parent> </parent>
<artifactId>authzforce-ce-core-pdp-api</artifactId> <artifactId>authzforce-ce-core-pdp-api</artifactId>
<version>15.0.1-SNAPSHOT</version> <version>15.0.1-SNAPSHOT</version>
......
...@@ -22,12 +22,9 @@ import java.util.Optional; ...@@ -22,12 +22,9 @@ import java.util.Optional;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException; import java.util.regex.PatternSyntaxException;
import net.sf.saxon.Version;
import net.sf.saxon.regex.RegularExpression;
import net.sf.saxon.trans.XPathException;
import org.ow2.authzforce.core.pdp.api.EvaluationContext; import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException; import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.XmlUtils;
import org.ow2.authzforce.core.pdp.api.expression.Expression; import org.ow2.authzforce.core.pdp.api.expression.Expression;
import org.ow2.authzforce.core.pdp.api.expression.Expressions; import org.ow2.authzforce.core.pdp.api.expression.Expressions;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue; import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
...@@ -39,6 +36,10 @@ import org.ow2.authzforce.core.pdp.api.value.StringValue; ...@@ -39,6 +36,10 @@ import org.ow2.authzforce.core.pdp.api.value.StringValue;
import org.ow2.authzforce.core.pdp.api.value.Value; import org.ow2.authzforce.core.pdp.api.value.Value;
import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode; import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;
import net.sf.saxon.Version;
import net.sf.saxon.regex.RegularExpression;
import net.sf.saxon.trans.XPathException;
/** /**
* *-regexp-match function helper * *-regexp-match function helper
* <p> * <p>
...@@ -48,10 +49,8 @@ import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode; ...@@ -48,10 +49,8 @@ import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;
* <li>{@link Pattern} matches the entire string against the pattern always, whereas <code>xf:matches</code> considers the string to match the pattern if any substring matches the pattern.</li> * <li>{@link Pattern} matches the entire string against the pattern always, whereas <code>xf:matches</code> considers the string to match the pattern if any substring matches the pattern.</li>
* <li><code>xf:matches</code> regular expression syntax is based on XML schema which defines character class substraction using '-' character, whereas {@link Pattern} does not support this syntax but * <li><code>xf:matches</code> regular expression syntax is based on XML schema which defines character class substraction using '-' character, whereas {@link Pattern} does not support this syntax but
* <code>&&[^</code> instead.</li> * <code>&&[^</code> instead.</li>
* <li> * <li>Category escape: can be done in XML SCHEMA with: <code>[\P{X}]</code>. {@link Pattern} only supports this form: <code>[^\p{X}]</code>.</li>
* Category escape: can be done in XML SCHEMA with: <code>[\P{X}]</code>. {@link Pattern} only supports this form: <code>[^\p{X}]</code>.</li> * <li>Character classes: XML schema define categories <code>\c</code> and <code>\C</code>. {@link Pattern} does not support them.</li>
* <li>
* Character classes: XML schema define categories <code>\c</code> and <code>\C</code>. {@link Pattern} does not support them.</li>
* </ul> * </ul>
* EXAMPLE: this regex from XML schema spec uses character class substraction. It is valid for <code>xf:matches</code> but does not compile with {@link Pattern}: * EXAMPLE: this regex from XML schema spec uses character class substraction. It is valid for <code>xf:matches</code> but does not compile with {@link Pattern}:
* *
...@@ -71,7 +70,7 @@ public final class RegexpMatchFunctionHelper ...@@ -71,7 +70,7 @@ public final class RegexpMatchFunctionHelper
private final String funcId; private final String funcId;
private CompiledRegexMatchFunctionCall(final FirstOrderFunctionSignature<BooleanValue> functionSig, final List<Expression<?>> argExpressions, final Datatype<?>[] remainingArgTypes, private CompiledRegexMatchFunctionCall(final FirstOrderFunctionSignature<BooleanValue> functionSig, final List<Expression<?>> argExpressions, final Datatype<?>[] remainingArgTypes,
final RegularExpression compiledRegex, final Datatype<? extends SimpleValue<String>> matchedValueType, final String invalidRemainingArg1TypeMsg) throws IllegalArgumentException final RegularExpression compiledRegex, final Datatype<? extends SimpleValue<String>> matchedValueType, final String invalidRemainingArg1TypeMsg) throws IllegalArgumentException
{ {
super(functionSig, argExpressions, remainingArgTypes); super(functionSig, argExpressions, remainingArgTypes);
this.funcId = functionSig.getName(); this.funcId = functionSig.getName();
...@@ -136,7 +135,7 @@ public final class RegexpMatchFunctionHelper ...@@ -136,7 +135,7 @@ public final class RegexpMatchFunctionHelper
final RegularExpression compiledRegex; final RegularExpression compiledRegex;
try try
{ {
compiledRegex = Version.platform.compileRegularExpression(regex.getUnderlyingValue(), "", "XP20", null); compiledRegex = Version.platform.compileRegularExpression(XmlUtils.SAXON_PROCESSOR.getUnderlyingConfiguration(), regex.getUnderlyingValue(), "", "XP20", null);
} }
catch (final XPathException e) catch (final XPathException e)
{ {
...@@ -206,7 +205,7 @@ public final class RegexpMatchFunctionHelper ...@@ -206,7 +205,7 @@ public final class RegexpMatchFunctionHelper
/* /*
* From Saxon xf:matches() implementation: Matches#evaluateItem() / evalMatches() * From Saxon xf:matches() implementation: Matches#evaluateItem() / evalMatches()
*/ */
compiledRegex = Version.platform.compileRegularExpression(regex, "", "XP20", null); compiledRegex = Version.platform.compileRegularExpression(XmlUtils.SAXON_PROCESSOR.getUnderlyingConfiguration(), regex, "", "XP20", null);
} }
catch (final XPathException e) catch (final XPathException e)
{ {
......
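Review bot: The compile call is now spelled out twice with the identical configuration lookup and the identical `""` / `"XP20"` arguments, at the two `compileRegularExpression(XmlUtils.SAXON_PROCESSOR.getUnderlyingConfiguration(), ...)` lines (the constructor-time path and the evaluation-time path), so the Saxon regex dialect, the flags and the configuration source can drift independently; a private static helper that owns those three things would keep them in one place. Assuming `XmlUtils.SAXON_PROCESSOR` is a process-wide static, the helper is also the right spot for a one-line comment stating that the shared `Configuration` is handed to Saxon read-only from concurrent evaluations, since nothing in the hunks documents that. The enclosing constructor and evaluation method both start and end outside these hunks.
```java
/*
 * Single place for the Saxon regex dialect ("XP20", no flags) and the shared PDP configuration;
 * the configuration is process-wide (XmlUtils.SAXON_PROCESSOR) and is only read here.
 */
private static RegularExpression compileXPath2Regex(final String regex) throws XPathException
{
	return Version.platform.compileRegularExpression(XmlUtils.SAXON_PROCESSOR.getUnderlyingConfiguration(), regex, "", "XP20", null);
}

// … unchanged: constructor path now calls compileXPath2Regex(regex.getUnderlyingValue()), evaluation path calls compileXPath2Regex(regex) …
```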
...@@ -21,6 +21,7 @@ ...@@ -21,6 +21,7 @@
package org.ow2.authzforce.core.pdp.api.policy; package org.ow2.authzforce.core.pdp.api.policy;
import java.util.Optional; import java.util.Optional;
import java.util.Set;
import org.ow2.authzforce.core.pdp.api.Decidable; import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.DecisionResult; import org.ow2.authzforce.core.pdp.api.DecisionResult;
...@@ -89,6 +90,15 @@ public interface PolicyEvaluator extends Decidable ...@@ -89,6 +90,15 @@ public interface PolicyEvaluator extends Decidable
*/ */
PolicyVersion getPolicyVersion(EvaluationContext evaluationCtx) throws IndeterminateEvaluationException; PolicyVersion getPolicyVersion(EvaluationContext evaluationCtx) throws IndeterminateEvaluationException;
/**
* Get metadata about the policies enclosed in the evaluated policy (including itself), i.e. whose actual content is enclosed inside the evaluated policy (as opposed to policy references).
* <p>
* This allows to detect duplicates, i.e. when the same policy (ID and version) is re-used multiple times in the same enclosing policy.
*
* @return the set of enclosed policies, including itself. (May be empty if the policy corresponds to a XACML Policy (no child Policy(Set)s, but never null );
*/
Set<PrimaryPolicyMetadata> getEnclosedPolicies();
/** /**
* Get metadata about the child policy references of the evaluated policy, present iff there is any (e.g. no the case for a XACML Policy element). These metadata may depend on the evaluation * Get metadata about the child policy references of the evaluated policy, present iff there is any (e.g. no the case for a XACML Policy element). These metadata may depend on the evaluation
* context in case of a Policy(Set)IdReference evaluator when using dynamic aka context-dependent {@link RefPolicyProvider} that resolve policy references at evaluation time based on the context, * context in case of a Policy(Set)IdReference evaluator when using dynamic aka context-dependent {@link RefPolicyProvider} that resolve policy references at evaluation time based on the context,
......
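Review bot: The new Javadoc on `getEnclosedPolicies()` contradicts itself: the summary and the `@return` say the set includes the evaluated policy itself, yet the same `@return` says it may be empty for a XACML Policy — if the policy's own metadata is always a member the set is never empty, and if it is not, "including itself" is wrong, so implementations cannot tell which contract to honour. Because the stated purpose is duplicate detection through `Set` membership, the contract should also say that `PrimaryPolicyMetadata` equality is by policy ID and version (otherwise two metadata objects for the same policy are not duplicates to the set), and whether the returned set is unmodifiable. Suggested `@return`: `@return metadata of the policies whose content is enclosed in the evaluated policy, including the evaluated policy itself; never null and therefore never empty (a XACML Policy with no child Policy(Set)s yields only its own metadata)` — adjust if the "may be empty" reading was the intended one. The interface body continues outside the hunk.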
...@@ -67,4 +67,5 @@ public interface PrimaryPolicyMetadata ...@@ -67,4 +67,5 @@ public interface PrimaryPolicyMetadata
* @return description * @return description
*/ */
Optional<String> getDescription(); Optional<String> getDescription();
} }
...@@ -28,4 +28,5 @@ package org.ow2.authzforce.core.pdp.api.policy; ...@@ -28,4 +28,5 @@ package org.ow2.authzforce.core.pdp.api.policy;
public interface StaticTopLevelPolicyElementEvaluator extends StaticPolicyEvaluator, TopLevelPolicyElementEvaluator public interface StaticTopLevelPolicyElementEvaluator extends StaticPolicyEvaluator, TopLevelPolicyElementEvaluator
{ {
// Merge of StaticPolicyEvaluator and TopLevelPolicyElementEvaluator // Merge of StaticPolicyEvaluator and TopLevelPolicyElementEvaluator
} }
...@@ -46,7 +46,7 @@ public final class DnsNameWithPortRangeValue extends StringParseableValue<String ...@@ -46,7 +46,7 @@ public final class DnsNameWithPortRangeValue extends StringParseableValue<String
static static
{ {
/* /*
* Limit repetitions in regex to mitiate Regex DoS attacks * Limit repetitions in regex to mitigate Regex DoS attacks
*/ */
final String domainlabel = "\\w[[\\w|\\-]{0,1000}\\w]?"; final String domainlabel = "\\w[[\\w|\\-]{0,1000}\\w]?";
final String toplabel = "[a-zA-Z][[\\w|\\-]{0,1000}\\w]?"; final String toplabel = "[a-zA-Z][[\\w|\\-]{0,1000}\\w]?";
...@@ -101,7 +101,8 @@ public final class DnsNameWithPortRangeValue extends StringParseableValue<String ...@@ -101,7 +101,8 @@ public final class DnsNameWithPortRangeValue extends StringParseableValue<String
// there is no port/portRange, so just use the name // there is no port/portRange, so just use the name
host = dnsName; host = dnsName;
range = NetworkPortRange.MAX; range = NetworkPortRange.MAX;
} else }
else
{ {
// split the name and the port/portRange // split the name and the port/portRange
host = dnsName.substring(0, portSep); host = dnsName.substring(0, portSep);
......
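Review bot: The comment corrected at `Limit repetitions in regex to mitigate Regex DoS attacks` describes a bound the two patterns below it do not impose: in `"\\w[[\\w|\\-]{0,1000}\\w]?"` and `"[a-zA-Z][[\\w|\\-]{0,1000}\\w]?"` the `{0,1000}` sits inside an outer `[...]` character class, where `java.util.regex` treats `{`, the digits, `,`, `}` and `|` as literal members rather than as a quantifier, so each label matches one leading character plus at most one optional character from that class (and accepts `|`, `{`, `}` and `,` as label characters). If these strings are compiled with `java.util.regex.Pattern` — the static block continues outside the hunk, so I cannot confirm it here — the intended shape is a non-capturing group: `final String domainlabel = "\\w(?:[\\w\\-]{0,1000}\\w)?";` and `final String toplabel = "[a-zA-Z](?:[\\w\\-]{0,1000}\\w)?";`. A unit test with a label longer than two characters and one with a label of 1001 repeated characters would pin both the accepted syntax and the repetition bound.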
<?xml version="1.0"?> <?xml version="1.0"?>
<!-- Many of the options included here are defaults, and do not need to be specified in a real configuration file. They are provided for convenience of editing, so
it is easy to set up a configuration file with non-default options. For documentation on the contents of a Saxon configuration file, see http://www.saxonica.com/documentation9.6/index.html#!configuration/configuration-file -->
<!-- WARNING: 1) for AuthZForce compatibility, do not set xInclude property here (do not even set xInclude="false") This would cause an error with XACML Request Attributes/Content XML parsing: net.sf.saxon.s9api.SaxonApiException:
Selected XML parser javax.xml.bind.util.JAXBSource$1 does not recognize request for XInclude processing at net.sf.saxon.s9api.DocumentBuilder.build(DocumentBuilder.java:374) ~[Saxon-HE-9.6.0-5.jar:na]
at org.ow2.authzforce.core.XACMLParsers$FullJaxbXACMLAttributesParserFactory$FullJaxbXACMLAttributesParser.parseContent(XACMLParsers.java:909) ~[classes/:na] -->
<configuration <configuration
edition="HE" edition="HE"
xmlns="http://saxon.sf.net/ns/configuration" xmlns="http://saxon.sf.net/ns/configuration"
...@@ -87,7 +92,7 @@ ...@@ -87,7 +92,7 @@
stylesheetParser=""> stylesheetParser="">
</xslt> </xslt>
<xquery <xquery
version="1.1" version="3.1"
allowUpdate="false" allowUpdate="false"
errorListener="net.sf.saxon.StandardErrorListener" errorListener="net.sf.saxon.StandardErrorListener"
moduleUriResolver="net.sf.saxon.lib.StandardModuleURIResolver" moduleUriResolver="net.sf.saxon.lib.StandardModuleURIResolver"
...@@ -98,12 +103,5 @@ ...@@ -98,12 +103,5 @@
defaultElementNamespace="" defaultElementNamespace=""
preserveBoundarySpace="false" preserveBoundarySpace="false"
requiredContextItemType="document-node()" requiredContextItemType="document-node()"
emptyLeast="true" /> emptyLeast="true" />
<!-- XSD occurrenceLimits property is not considered valid by SAXON 9.6 although it is in the doc:
http://www.saxonica.com/documentation9.6/index.html#!configuration/configuration-file/config-xsd
Bug reported here: https://saxonica.plan.io/issues/2731
-->
<xsd
occurrenceLimits="100,250"
version="1.1" />
</configuration> </configuration>
\ No newline at end of file
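Review bot: The `<xsd occurrenceLimits="100,250" version="1.1" />` element is removed together with the comment that explained why it was problematic, but nothing records whether the limit is now unnecessary with the upgraded Saxon or was simply dropped; a one-line comment in its place, such as `<!-- xsd element intentionally omitted: occurrenceLimits was rejected by Saxon 9.6 (saxonica.plan.io/issues/2731); re-add once the bundled Saxon accepts it -->`, keeps that reasoning with the file. The header comment kept at the top still links to the 9.6 configuration documentation even though this commit moves to a newer Saxon through the parent POM, so it now points readers at options for a version no longer in use; updating it to the documentation of the version actually bundled (or a version-neutral URL) avoids that. The `<xquery version>` change from 1.1 to 3.1 is presumably tied to the same upgrade, and a short note that the XQuery level follows the bundled Saxon release would make the dependency explicit.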