Commit 7097f281 authored by cdanger's avatar cdanger

Merge branch 'develop' of https://github.com/authzforce/core-pdp-api.git into develop

parents 54b7aa83 b2463aab
......@@ -2,6 +2,14 @@
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. This project adheres to [Semantic Versioning](http://semver.org).
## 14.0.0
### Changed
- Interface method DecisionCache.Factory#getInstance(...): added EnvironmentProperties parameter to allow passing environment properties to DecisionCache implementations
- Interface method AttributeProvider#get(...): replaced parameter type BagDatatype with Datatype to simplify AttributeProviders' code
- Interface method EvaluationContext#getNamedAttributeValue(...): replaced parameter type BagDatatype with Datatype to simplify AttributeProviders' code
- Class VersionPatterns renamed to PolicyVersionPatterns because depends on PolicyVersionPattern (with no 's') class
## 13.0.0
### Changed
- Updated authzforce-ce-parent version: 7.1.0 -> 7.2.0:
......
......@@ -6,7 +6,7 @@
<version>7.2.0</version>
</parent>
<artifactId>authzforce-ce-core-pdp-api</artifactId>
<version>13.0.1-SNAPSHOT</version>
<version>14.0.1-SNAPSHOT</version>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthzForce - Core PDP API</description>
<url>${project.url}</url>
......
......@@ -19,7 +19,7 @@ package org.ow2.authzforce.core.pdp.api;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
import org.ow2.authzforce.core.pdp.api.value.BagDatatype;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
/**
* Attribute provider used to resolve {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType}s in a specific way (e.g. from a specific attribute source)
......@@ -35,13 +35,14 @@ public interface AttributeProvider
* the global identifier (Category,Issuer,AttributeId) of the attribute to find
* @param context
* the request context
* @param returnDatatype
* attribute bag datatype
* @param datatype
* attribute datatype
* @return the result of retrieving the attribute, which will be a bag of values of type defined by {@code returnDatatype}; empty bag iff no value found and no error occurred.
* @throws UnsupportedOperationException {@code attributeFQN} or {@code returnDatatype} are not supported (the PDP engine should try another attribute provider if any)
* @throws UnsupportedOperationException
* {@code attributeFQN} or {@code returnDatatype} are not supported (the PDP engine should try another attribute provider if any)
* @throws IndeterminateEvaluationException
* {@code attributeFQN} or {@code returnDatatype} are supported but some error occurred while trying to resolve the attribute value(s)
*/
<AV extends AttributeValue> AttributeBag<AV> get(AttributeFqn attributeFQN, BagDatatype<AV> returnDatatype, EvaluationContext context) throws IndeterminateEvaluationException;
<AV extends AttributeValue> AttributeBag<AV> get(AttributeFqn attributeFQN, Datatype<AV> datatype, EvaluationContext context) throws IndeterminateEvaluationException;
}
......@@ -48,9 +48,11 @@ public interface DecisionCache extends Closeable
*
* @param conf
* extension parameters
* @param envProps
* environment properties
* @return instance of extension
*/
public abstract DecisionCache getInstance(CONF_T conf);
public abstract DecisionCache getInstance(CONF_T conf, EnvironmentProperties envProps);
}
/**
......@@ -70,7 +72,8 @@ public interface DecisionCache extends Closeable
* @param evalCtx
* evaluation context that can be used to save context about any partial/preliminary evaluation done by this decision cache when there is no cached result for {code request} yet. In
* this case, the PDP will call back {@link DecisionCache#put(DecisionRequest, DecisionResult, EvaluationContext)} with this same {@code evalCtx} after the PDP has computed the new
* result. Therefore, this allows the decision cache to reuse some context during an evaluation, and also to do some evaluation itself.
* result. Therefore, this allows the decision cache to reuse some context during an evaluation, and also to do some evaluation itself. This argument may be null if not required, i.e.
* {@link #isEvaluationContextRequired()} returns false.
* @return the corresponding decision result from cache; null if there is no such result in cache.
*/
DecisionResult get(DecisionRequest request, EvaluationContext evalCtx);
......@@ -96,7 +99,7 @@ public interface DecisionCache extends Closeable
* the corresponding decision result
* @param evalCtx
* evaluation context that can be used to retrieve context about any partial/preliminary evaluation done by this decision cache when {@link #get(DecisionRequest, EvaluationContext)} was
* called in the same request context.
* called in the same request context. This argument may be null if not required, i.e. {@link #isEvaluationContextRequired()} returns false.
*/
void put(DecisionRequest request, DecisionResult result, EvaluationContext evalCtx);
......
......@@ -26,7 +26,6 @@ import org.ow2.authzforce.core.pdp.api.expression.AttributeSelectorExpression;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
import org.ow2.authzforce.core.pdp.api.value.Bag;
import org.ow2.authzforce.core.pdp.api.value.BagDatatype;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
import org.ow2.authzforce.core.pdp.api.value.Value;
import org.ow2.authzforce.core.pdp.api.value.XPathValue;
......@@ -60,7 +59,7 @@ public interface EvaluationContext
<AV extends AttributeValue> void namedAttributeValueProduced(AttributeFqn attributeFQN, AttributeBag<AV> value);
/**
* To be called when {@link EvaluationContext#getNamedAttributeValue(AttributeFqn, BagDatatype)} is called
* To be called when {@link EvaluationContext#getNamedAttributeValue(AttributeFqn, Datatype)} is called
*
* @param attributeFQN
* attribute GUID (global ID = Category,Issuer,AttributeId)
......@@ -100,19 +99,19 @@ public interface EvaluationContext
*
* @param attributeFQN
* attribute GUID (global ID = Category,Issuer,AttributeId)
* @param returnDatatype
* attribute value bag datatype
* @param datatype
* attribute value datatype
*
* @return attribute value(s), null iff attribute unknown (not set) in this context, empty if attribute known in this context but no value
* @throws IndeterminateEvaluationException
* if error occurred trying to determine the attribute value(s) in context. This is different from finding without error that the attribute is not in the context (and/or no value),
* e.g. if there is a result but type is different from {@code attributeDatatype}.
*/
<AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(AttributeFqn attributeFQN, BagDatatype<AV> returnDatatype) throws IndeterminateEvaluationException;
<AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(AttributeFqn attributeFQN, Datatype<AV> datatype) throws IndeterminateEvaluationException;
/**
* Get immutable iterator over the context attributes. DO NOT ever use this method to retrieve one or more specific attributes, in which case you must use
* {@link #getNamedAttributeValue(AttributeFqn, BagDatatype)} instead. This is only for iterating over all the attributes, e.g. for debugging/auditing.
* {@link #getNamedAttributeValue(AttributeFqn, Datatype)} instead. This is only for iterating over all the attributes, e.g. for debugging/auditing.
*
* @return context attributes iterator (implementations must guarantee that the iterator is immutable, i.e. does not allow changing the internal context)
*/
......@@ -121,7 +120,7 @@ public interface EvaluationContext
/**
* Put Attribute values in the context, only if the attribute is not already known to this context. Indeed, an attribute value cannot be overridden once it is set in the context to comply with
* 7.3.5 Attribute retrieval: "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated
* in the context before it is first tested, and is thereafter immutable during evaluation." Therefore, {@link #getNamedAttributeValue(AttributeFqn, BagDatatype)} should be called always before
* in the context before it is first tested, and is thereafter immutable during evaluation." Therefore, {@link #getNamedAttributeValue(AttributeFqn, Datatype)} should be called always before
* calling this, for the same {@code attributeFQN}
*
* @param attributeFQN
......
......@@ -551,14 +551,14 @@ public final class FirstOrderBagFunctions
{
final BagDatatype<AV> paramBagType = paramType.getBagDatatype();
final Class<AV[]> paramArrayClass = paramType.getArrayClass();
return HashCollections.<Function<?>> newImmutableSet(new Function[] {
/**
*
* Single-bag function group, i.e. group of bag functions that takes only one bag as parameter, or no bag parameter but returns a bag. Defined in section A.3.10. As opposed to Set functions
* that takes multiple bags as parameters.
*
*/
new SingletonBagToPrimitive<>(paramType, paramBagType), new BagSize<>(paramBagType), new BagContains<>(paramType, paramBagType, paramArrayClass),
return HashCollections.<Function<?>>newImmutableSet(new Function[] {
/**
*
* Single-bag function group, i.e. group of bag functions that takes only one bag as parameter, or no bag parameter but returns a bag. Defined in section A.3.10. As opposed to Set
* functions that takes multiple bags as parameters.
*
*/
new SingletonBagToPrimitive<>(paramType, paramBagType), new BagSize<>(paramBagType), new BagContains<>(paramType, paramBagType, paramArrayClass),
new PrimitiveToBag<>(paramType, paramBagType),
/**
*
......
......@@ -21,13 +21,6 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attribute;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestDefaults;
import org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor;
import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
......@@ -40,6 +33,13 @@ import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attribute;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestDefaults;
/**
* Convenient base class for {@link DecisionRequestPreprocessor} implementations supporting core XACML-schema-defined XML input handled by JAXB framework
*
......@@ -109,18 +109,20 @@ public abstract class BaseXacmlJaxbRequestPreprocessor implements DecisionReques
final NamedXacmlAttributeParser<Attribute> namedXacmlAttParser = new NamedXacmlJaxbAttributeParser(attributeValueFactoryRegistry);
if (allowAttributeDuplicates)
{
final XacmlRequestAttributeParser<Attribute, MutableAttributeBag<?>> xacmlAttributeParser = strictAttributeIssuerMatch ? new NonIssuedLikeIssuedLaxXacmlAttributeParser<>(
namedXacmlAttParser) : new IssuedToNonIssuedCopyingLaxXacmlAttributeParser<>(namedXacmlAttParser);
this.xacmlAttrsParserFactory = requireContentForXPath ? new FullXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser,
SingleCategoryAttributes.MUTABLE_TO_CONSTANT_ATTRIBUTE_ITERATOR_CONVERTER, xmlProcessor) : new ContentSkippingXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser,
SingleCategoryAttributes.MUTABLE_TO_CONSTANT_ATTRIBUTE_ITERATOR_CONVERTER);
final XacmlRequestAttributeParser<Attribute, MutableAttributeBag<?>> xacmlAttributeParser = strictAttributeIssuerMatch
? new NonIssuedLikeIssuedLaxXacmlAttributeParser<>(namedXacmlAttParser)
: new IssuedToNonIssuedCopyingLaxXacmlAttributeParser<>(namedXacmlAttParser);
this.xacmlAttrsParserFactory = requireContentForXPath
? new FullXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.MUTABLE_TO_CONSTANT_ATTRIBUTE_ITERATOR_CONVERTER, xmlProcessor)
: new ContentSkippingXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.MUTABLE_TO_CONSTANT_ATTRIBUTE_ITERATOR_CONVERTER);
}
else // allowAttributeDuplicates == false
if (strictAttributeIssuerMatch)
{
final XacmlRequestAttributeParser<Attribute, AttributeBag<?>> xacmlAttributeParser = new NonIssuedLikeIssuedStrictXacmlAttributeParser<>(namedXacmlAttParser);
this.xacmlAttrsParserFactory = requireContentForXPath ? new FullXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.IDENTITY_ATTRIBUTE_ITERATOR_CONVERTER,
xmlProcessor) : new ContentSkippingXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.IDENTITY_ATTRIBUTE_ITERATOR_CONVERTER);
this.xacmlAttrsParserFactory = requireContentForXPath
? new FullXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.IDENTITY_ATTRIBUTE_ITERATOR_CONVERTER, xmlProcessor)
: new ContentSkippingXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.IDENTITY_ATTRIBUTE_ITERATOR_CONVERTER);
}
else
{
......
......@@ -30,18 +30,6 @@ import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.transform.dom.DOMResult;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Advice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AssociatedAdvice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligation;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligations;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyIdentifierList;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Status;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.StatusDetail;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.ImmutablePepActions;
......@@ -55,6 +43,18 @@ import org.w3c.dom.Element;
import com.google.common.collect.ImmutableList;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Advice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AssociatedAdvice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligation;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligations;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyIdentifierList;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Status;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.StatusDetail;
/**
* Convenient base class for {@link DecisionResultPostprocessor} implementations supporting core XACML-schema-defined XML output handled by JAXB framework
*
......@@ -64,7 +64,15 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
private static final IllegalArgumentException ILLEGAL_RESULTS_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined resultsByRequest arg");
private static final IllegalArgumentException ILLEGAL_ERROR_ARG_EXCEPTION = new IllegalArgumentException("Undefined input error arg");
protected static Result convert(final IndividualXacmlJaxbRequest request, final DecisionResult result)
/**
* Convert AuthzForce-specific {@link DecisionResult} to XACML {@link Result}
*
* @param request
* request corresponding to result; iff null, some content from it, esp. the list of {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes}, is included in {@code result}
* @param result
* @return XACML Result
*/
public static final Result convert(final IndividualXacmlJaxbRequest request, final DecisionResult result)
{
final ImmutablePepActions pepActions = result.getPepActions();
final List<Obligation> obligationList;
......@@ -92,8 +100,9 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
for (final PrimaryPolicyMetadata applicablePolicy : applicablePolicies)
{
final IdReferenceType jaxbIdRef = new IdReferenceType(applicablePolicy.getId(), applicablePolicy.getVersion().toString(), null, null);
final JAXBElement<IdReferenceType> jaxbPolicyIdRef = applicablePolicy.getType() == TopLevelPolicyElementType.POLICY ? Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY
.createPolicyIdReference(jaxbIdRef) : Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicySetIdReference(jaxbIdRef);
final JAXBElement<IdReferenceType> jaxbPolicyIdRef = applicablePolicy.getType() == TopLevelPolicyElementType.POLICY
? Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicyIdReference(jaxbIdRef)
: Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicySetIdReference(jaxbIdRef);
jaxbPolicyIdRefs.add(jaxbPolicyIdRef);
}
......@@ -101,7 +110,7 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
}
return new Result(result.getDecision(), result.getStatus(), obligationList.isEmpty() ? null : new Obligations(obligationList), adviceList.isEmpty() ? null : new AssociatedAdvice(adviceList),
request.getAttributesToBeReturned(), jaxbPolicyIdentifiers);
request == null ? null : request.getAttributesToBeReturned(), jaxbPolicyIdentifiers);
}
private static void addStatusMessageForEachCause(final Throwable cause, final int currentCauseDepth, final int maxIncludedCauseDepth, final List<Element> statusDetailElements,
......@@ -238,10 +247,8 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
}
/**
*
* Factory for this type of result postprocessor that allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (complying with XACML 3.0 core
* spec, §7.3.3).
*
* Convenient base class for {@link org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor.Factory} implementations supporting core XACML-schema-defined XML output handled by JAXB framework
*
*/
public static abstract class Factory implements DecisionResultPostprocessor.Factory<IndividualXacmlJaxbRequest, Response>
{
......
......@@ -3,17 +3,17 @@
*
* This file is part of AuthzForce CE.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.ow2.authzforce.core.pdp.api.policy;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment