Commit 323acc4b authored by cdanger's avatar cdanger

API changes:

- AttributeProvider: get(..., BagDatatype datatype, ...) -> get(...,
Datatype datatype, ...)
- EvaluationContext: getNamedAttributeValue(AttributeFqn, BagDatatype)
-> getNamedAttributeValue(AttributeFqn, Datatype)
parent 3975a717
......@@ -19,7 +19,7 @@ package org.ow2.authzforce.core.pdp.api;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
import org.ow2.authzforce.core.pdp.api.value.BagDatatype;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
/**
* Attribute provider used to resolve {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType}s in a specific way (e.g. from a specific attribute source)
......@@ -35,13 +35,14 @@ public interface AttributeProvider
* the global identifier (Category,Issuer,AttributeId) of the attribute to find
* @param context
* the request context
* @param returnDatatype
* attribute bag datatype
* @param datatype
* attribute datatype
* @return the result of retrieving the attribute, which will be a bag of values of type defined by {@code returnDatatype}; empty bag iff no value found and no error occurred.
* @throws UnsupportedOperationException {@code attributeFQN} or {@code returnDatatype} are not supported (the PDP engine should try another attribute provider if any)
* @throws UnsupportedOperationException
* {@code attributeFQN} or {@code returnDatatype} are not supported (the PDP engine should try another attribute provider if any)
* @throws IndeterminateEvaluationException
* {@code attributeFQN} or {@code returnDatatype} are supported but some error occurred while trying to resolve the attribute value(s)
*/
<AV extends AttributeValue> AttributeBag<AV> get(AttributeFqn attributeFQN, BagDatatype<AV> returnDatatype, EvaluationContext context) throws IndeterminateEvaluationException;
<AV extends AttributeValue> AttributeBag<AV> get(AttributeFqn attributeFQN, Datatype<AV> datatype, EvaluationContext context) throws IndeterminateEvaluationException;
}
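Review bot: The Javadoc of the new get(AttributeFqn, Datatype, EvaluationContext) still refers to `{@code returnDatatype}` in its @return and @throws clauses, although the parameter is now named `datatype`, so the rendered documentation points at a name that no longer exists. The @return line should read `@return the result of retrieving the attribute, which will be a bag of values of type defined by {@code datatype}; empty bag iff no value found and no error occurred.`, and both @throws descriptions should say `{@code attributeFQN} or {@code datatype} are not supported` / `are supported but some error occurred`. It is also worth stating in the @param datatype text what the change in the commit message implies, e.g. `the datatype of the bag elements (the bag datatype is derived from it)`, so implementors do not pass a bag datatype by habit.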
......@@ -21,18 +21,17 @@ import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Optional;
import net.sf.saxon.s9api.XdmNode;
import org.ow2.authzforce.core.pdp.api.expression.AttributeDesignatorExpression;
import org.ow2.authzforce.core.pdp.api.expression.AttributeSelectorExpression;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
import org.ow2.authzforce.core.pdp.api.value.Bag;
import org.ow2.authzforce.core.pdp.api.value.BagDatatype;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
import org.ow2.authzforce.core.pdp.api.value.Value;
import org.ow2.authzforce.core.pdp.api.value.XPathValue;
import net.sf.saxon.s9api.XdmNode;
/**
* Manages context for the policy evaluation of a given authorization decision request. Typically, an instance of this is instantiated whenever the PDP gets a request and needs to perform an
* evaluation to a authorization decision. Such a context is used and possibly updated all along the evaluation of the request.
......@@ -60,7 +59,7 @@ public interface EvaluationContext
<AV extends AttributeValue> void namedAttributeValueProduced(AttributeFqn attributeFQN, AttributeBag<AV> value);
/**
* To be called when {@link EvaluationContext#getNamedAttributeValue(AttributeFqn, BagDatatype)} is called
* To be called when {@link EvaluationContext#getNamedAttributeValue(AttributeFqn, Datatype)} is called
*
* @param attributeFQN
* attribute GUID (global ID = Category,Issuer,AttributeId)
......@@ -100,19 +99,19 @@ public interface EvaluationContext
*
* @param attributeFQN
* attribute GUID (global ID = Category,Issuer,AttributeId)
* @param returnDatatype
* attribute value bag datatype
* @param datatype
* attribute value datatype
*
* @return attribute value(s), null iff attribute unknown (not set) in this context, empty if attribute known in this context but no value
* @throws IndeterminateEvaluationException
* if error occurred trying to determine the attribute value(s) in context. This is different from finding without error that the attribute is not in the context (and/or no value),
* e.g. if there is a result but type is different from {@code attributeDatatype}.
*/
<AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(AttributeFqn attributeFQN, BagDatatype<AV> returnDatatype) throws IndeterminateEvaluationException;
<AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(AttributeFqn attributeFQN, Datatype<AV> datatype) throws IndeterminateEvaluationException;
/**
* Get immutable iterator over the context attributes. DO NOT ever use this method to retrieve one or more specific attributes, in which case you must use
* {@link #getNamedAttributeValue(AttributeFqn, BagDatatype)} instead. This is only for iterating over all the attributes, e.g. for debugging/auditing.
* {@link #getNamedAttributeValue(AttributeFqn, Datatype)} instead. This is only for iterating over all the attributes, e.g. for debugging/auditing.
*
* @return context attributes iterator (implementations must guarantee that the iterator is immutable, i.e. does not allow changing the internal context)
*/
......@@ -121,7 +120,7 @@ public interface EvaluationContext
/**
* Put Attribute values in the context, only if the attribute is not already known to this context. Indeed, an attribute value cannot be overridden once it is set in the context to comply with
* 7.3.5 Attribute retrieval: "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated
* in the context before it is first tested, and is thereafter immutable during evaluation." Therefore, {@link #getNamedAttributeValue(AttributeFqn, BagDatatype)} should be called always before
* in the context before it is first tested, and is thereafter immutable during evaluation." Therefore, {@link #getNamedAttributeValue(AttributeFqn, Datatype)} should be called always before
* calling this, for the same {@code attributeFQN}
*
* @param attributeFQN
......
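Review bot: In the getNamedAttributeValue hunk the @throws IndeterminateEvaluationException text ends with `e.g. if there is a result but type is different from {@code attributeDatatype}`, a name that matches neither the previous `returnDatatype` nor the new `datatype` parameter, so the sentence should be changed to `... but type is different from {@code datatype}`. The same parameter rename leaves `@param datatype attribute value datatype` rather terse; since the method returns an AttributeBag, a wording such as `datatype of the values expected in the returned bag` would make the contract clearer for implementors. The remaining hunks of this file (the {@link} fixes and the XdmNode import move) look consistent with the rename.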
......@@ -551,14 +551,14 @@ public final class FirstOrderBagFunctions
{
final BagDatatype<AV> paramBagType = paramType.getBagDatatype();
final Class<AV[]> paramArrayClass = paramType.getArrayClass();
return HashCollections.<Function<?>> newImmutableSet(new Function[] {
/**
*
* Single-bag function group, i.e. group of bag functions that takes only one bag as parameter, or no bag parameter but returns a bag. Defined in section A.3.10. As opposed to Set functions
* that takes multiple bags as parameters.
*
*/
new SingletonBagToPrimitive<>(paramType, paramBagType), new BagSize<>(paramBagType), new BagContains<>(paramType, paramBagType, paramArrayClass),
return HashCollections.<Function<?>>newImmutableSet(new Function[] {
/**
*
* Single-bag function group, i.e. group of bag functions that takes only one bag as parameter, or no bag parameter but returns a bag. Defined in section A.3.10. As opposed to Set
* functions that takes multiple bags as parameters.
*
*/
new SingletonBagToPrimitive<>(paramType, paramBagType), new BagSize<>(paramBagType), new BagContains<>(paramType, paramBagType, paramArrayClass),
new PrimitiveToBag<>(paramType, paramBagType),
/**
*
......
......@@ -30,18 +30,6 @@ import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.transform.dom.DOMResult;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Advice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AssociatedAdvice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligation;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligations;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyIdentifierList;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Status;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.StatusDetail;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.ImmutablePepActions;
......@@ -55,6 +43,18 @@ import org.w3c.dom.Element;
import com.google.common.collect.ImmutableList;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Advice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AssociatedAdvice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligation;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligations;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyIdentifierList;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Status;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.StatusDetail;
/**
* Convenient base class for {@link DecisionResultPostprocessor} implementations supporting core XACML-schema-defined XML output handled by JAXB framework
*
......@@ -64,8 +64,15 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
private static final IllegalArgumentException ILLEGAL_RESULTS_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined resultsByRequest arg");
private static final IllegalArgumentException ILLEGAL_ERROR_ARG_EXCEPTION = new IllegalArgumentException("Undefined input error arg");
protected static Result convert(final IndividualXacmlJaxbRequest request, final DecisionResult result)
{
/**
* Convert AuthzForce-specific {@link DecisionResult} to XACML {@link Result}
*
* @param request
* request corresponding to result; iff null, some content from it, esp. the list of {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes}, is included in {@code result}
* @param result
* @return XACML Result
*/
public static final Result convert(final IndividualXacmlJaxbRequest request, final DecisionResult result) {
final ImmutablePepActions pepActions = result.getPepActions();
final List<Obligation> obligationList;
final List<Advice> adviceList;
......@@ -73,8 +80,7 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
{
obligationList = Collections.emptyList();
adviceList = Collections.emptyList();
}
else
} else
{
obligationList = pepActions.getObligatory();
adviceList = pepActions.getAdvisory();
......@@ -85,15 +91,15 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
if (applicablePolicies == null || applicablePolicies.isEmpty())
{
jaxbPolicyIdentifiers = null;
}
else
} else
{
final List<JAXBElement<IdReferenceType>> jaxbPolicyIdRefs = new ArrayList<>();
for (final PrimaryPolicyMetadata applicablePolicy : applicablePolicies)
{
final IdReferenceType jaxbIdRef = new IdReferenceType(applicablePolicy.getId(), applicablePolicy.getVersion().toString(), null, null);
final JAXBElement<IdReferenceType> jaxbPolicyIdRef = applicablePolicy.getType() == TopLevelPolicyElementType.POLICY ? Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY
.createPolicyIdReference(jaxbIdRef) : Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicySetIdReference(jaxbIdRef);
final JAXBElement<IdReferenceType> jaxbPolicyIdRef = applicablePolicy.getType() == TopLevelPolicyElementType.POLICY
? Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicyIdReference(jaxbIdRef)
: Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicySetIdReference(jaxbIdRef);
jaxbPolicyIdRefs.add(jaxbPolicyIdRef);
}
......@@ -101,12 +107,11 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
}
return new Result(result.getDecision(), result.getStatus(), obligationList.isEmpty() ? null : new Obligations(obligationList), adviceList.isEmpty() ? null : new AssociatedAdvice(adviceList),
request.getAttributesToBeReturned(), jaxbPolicyIdentifiers);
request == null ? null : request.getAttributesToBeReturned(), jaxbPolicyIdentifiers);
}
private static void addStatusMessageForEachCause(final Throwable cause, final int currentCauseDepth, final int maxIncludedCauseDepth, final List<Element> statusDetailElements,
final Marshaller xacml3Marshaller) throws JAXBException
{
final Marshaller xacml3Marshaller) throws JAXBException {
if (cause == null)
{
return;
......@@ -150,20 +155,17 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
}
@Override
public final Class<IndividualXacmlJaxbRequest> getRequestType()
{
public final Class<IndividualXacmlJaxbRequest> getRequestType() {
return IndividualXacmlJaxbRequest.class;
}
@Override
public final Class<Response> getResponseType()
{
public final Class<Response> getResponseType() {
return Response.class;
}
@Override
public Response process(final Collection<Entry<IndividualXacmlJaxbRequest, ? extends DecisionResult>> resultsByRequest)
{
public Response process(final Collection<Entry<IndividualXacmlJaxbRequest, ? extends DecisionResult>> resultsByRequest) {
if (resultsByRequest == null)
{
throw ILLEGAL_RESULTS_ARGUMENT_EXCEPTION;
......@@ -174,8 +176,7 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
}
@Override
public Response processClientError(final IndeterminateEvaluationException error)
{
public Response processClientError(final IndeterminateEvaluationException error) {
if (error == null)
{
throw ILLEGAL_ERROR_ARG_EXCEPTION;
......@@ -185,8 +186,7 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
if (maxDepthOfErrorCauseIncludedInResult == 0)
{
finalStatus = error.getTopLevelStatus();
}
else
} else
{
/*
* Get Status with detailed cause description. The resulting status contains a StatusDetail element with a list of StatusMessage elements. The nth StatusMessage contains the message of the
......@@ -201,8 +201,7 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
try
{
marshaller = Xacml3JaxbHelper.createXacml3Marshaller();
}
catch (final JAXBException e)
} catch (final JAXBException e)
{
// Should not happen
throw new RuntimeException("Failed to create XACML/JAXB marshaller to marshall IndeterminateEvaluationException causes into StatusDetail/StatusMessages of Indeterminate Result", e);
......@@ -211,8 +210,7 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
try
{
addStatusMessageForEachCause(error.getCause(), 1, maxDepthOfErrorCauseIncludedInResult, statusDetailElements, marshaller);
}
catch (final JAXBException e)
} catch (final JAXBException e)
{
// Should not happen
throw new RuntimeException("Failed to marshall IndeterminateEvaluationException causes into StatusDetail/StatusMessages of Indeterminate Result", e);
......@@ -226,8 +224,7 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
}
@Override
public Response processInternalError(final IndeterminateEvaluationException error)
{
public Response processInternalError(final IndeterminateEvaluationException error) {
if (error == null)
{
throw ILLEGAL_ERROR_ARG_EXCEPTION;
......@@ -253,20 +250,17 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
}
@Override
public final String getId()
{
public final String getId() {
return id;
}
@Override
public final Class<IndividualXacmlJaxbRequest> getRequestType()
{
public final Class<IndividualXacmlJaxbRequest> getRequestType() {
return IndividualXacmlJaxbRequest.class;
}
@Override
public final Class<Response> getResponseType()
{
public final Class<Response> getResponseType() {
return Response.class;
}
......
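Review bot: The new Javadoc of convert documents the request parameter as `iff null, some content from it, esp. the list of Attributes, is included in {@code result}`, which is the inverse of what the new return statement does (`request == null ? null : request.getAttributesToBeReturned()` only includes Attributes when request is non-null). The @param text should read `request corresponding to result; if non-null, some content from it, esp. the list of {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes} to be returned, is included in the returned {@link Result}; if null, no Attributes are returned`, and the bare `@param result` needs a description such as `@param result AuthzForce decision result to convert; must not be null (its PEP actions, applicable policies, decision and status are read)`. Since the method is widened from protected to public, external callers can now pass a null result, which fails with a NullPointerException at `result.getPepActions()`; a leading `Objects.requireNonNull(result, "result");` would make that precondition explicit and match the @throws documentation. The `final` modifier on a static method has no effect and can be dropped; the other hunks of this file are brace-style reformatting only.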