Commit 93d52fa1 authored by cdanger's avatar cdanger

Merge branch 'release/14.0.0'

parents 613b9657 5e346a31
......@@ -2,6 +2,14 @@
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. This project adheres to [Semantic Versioning](http://semver.org).
## 14.0.0
### Changed
- Interface method DecisionCache.Factory#getInstance(...): added EnvironmentProperties parameter to allow passing environment properties to DecisionCache implementations
- Interface method AttributeProvider#get(...): replaced parameter type BagDatatype with Datatype to simplify AttributeProviders' code
- Interface method EvaluationContext#getNamedAttributeValue(...): replaced parameter type BagDatatype with Datatype to simplify AttributeProviders' code
- Class VersionPatterns renamed to PolicyVersionPatterns because depends on PolicyVersionPattern (with no 's') class
## 13.0.0
### Changed
- Updated authzforce-ce-parent version: 7.1.0 -> 7.2.0:
......
......@@ -6,7 +6,7 @@
<version>7.2.0</version>
</parent>
<artifactId>authzforce-ce-core-pdp-api</artifactId>
<version>13.0.0</version>
<version>14.0.0</version>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthzForce - Core PDP API</description>
<url>${project.url}</url>
......
......@@ -127,7 +127,9 @@ public final class AttributeFqns
{
if (toString == null)
{
toString = "[category='" + category + "', issuer=" + getIssuer() + ", id='" + id + "']";
final Optional<String> optIssuer = getIssuer();
toString = "[category='" + category + "', issuer=" + (optIssuer.isPresent() ? "'" + optIssuer.get() + "'" : null) + ", id='" + id + "']";
}
return toString;
......
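Review bot: The added `toString` line unwraps the issuer with an `isPresent()`/`get()` pair where `optIssuer.map(i -> "'" + i + "'").orElse(null)` says the same thing in one expression. The category, issuer and id are also concatenated between single quotes without any escaping, so a value that itself contains a quote or a line break makes the cached string ambiguous; if this representation ends up in logs or status messages (not visible here), that is worth a sentence in the Javadoc. The enclosing method starts and ends outside the hunk.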
......@@ -19,7 +19,7 @@ package org.ow2.authzforce.core.pdp.api;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
import org.ow2.authzforce.core.pdp.api.value.BagDatatype;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
/**
* Attribute provider used to resolve {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType}s in a specific way (e.g. from a specific attribute source)
......@@ -34,13 +34,15 @@ public interface AttributeProvider
* @param attributeFQN
* the global identifier (Category,Issuer,AttributeId) of the attribute to find
* @param context
* the representation of the request data
* @param returnDatatype
* attribute value bag datatype
* @return the result of retrieving the attribute, which will be a bag of values of type defined by {@code attributeDatatype}; empty bag iff no value found and no error occurred.
* the request context
* @param datatype
* attribute datatype
* @return the result of retrieving the attribute, which will be a bag of values of type defined by {@code returnDatatype}; empty bag iff no value found and no error occurred.
* @throws UnsupportedOperationException
* {@code attributeFQN} or {@code returnDatatype} are not supported (the PDP engine should try another attribute provider if any)
* @throws IndeterminateEvaluationException
* if any error finding the attribute value(s)
* {@code attributeFQN} or {@code returnDatatype} are supported but some error occurred while trying to resolve the attribute value(s)
*/
<AV extends AttributeValue> AttributeBag<AV> get(AttributeFqn attributeFQN, BagDatatype<AV> returnDatatype, EvaluationContext context) throws IndeterminateEvaluationException;
<AV extends AttributeValue> AttributeBag<AV> get(AttributeFqn attributeFQN, Datatype<AV> datatype, EvaluationContext context) throws IndeterminateEvaluationException;
}
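Review bot: The rewritten Javadoc for `get(...)` still refers to `{@code returnDatatype}` in its `@return` clause and in both `@throws` clauses, although the parameter is now named `datatype`, and the `@param` tags list `context` before `datatype` while the signature has them the other way round. Use `{@code datatype}` in those three places and reorder the tags to match the signature. Because the type changed from `BagDatatype<AV>` to `Datatype<AV>`, the tag text should say what is now expected, e.g. `datatype of the values in the returned bag (not the bag datatype)`. The same stale naming survives in `EvaluationContext#getNamedAttributeValue`, whose `@throws` text still mentions `{@code attributeDatatype}`.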
......@@ -23,10 +23,6 @@ package org.ow2.authzforce.core.pdp.api;
public abstract class BaseDesignatedAttributeProvider implements CloseableDesignatedAttributeProvider
{
protected static final UnsupportedOperationException UNSUPPORTED_ATTRIBUTE_CATEGORY_EXCEPTION = new UnsupportedOperationException("Unsupported attribute category");
protected static final UnsupportedOperationException UNSUPPORTED_ATTRIBUTE_ISSUER_EXCEPTION = new UnsupportedOperationException("Unsupported attribute issuer");
protected static final UnsupportedOperationException UNSUPPORTED_ATTRIBUTE_ID_EXCEPTION = new UnsupportedOperationException("Unsupported attribute ID");
protected static final UnsupportedOperationException UNSUPPORTED_ATTRIBUTE_DATATYPE_EXCEPTION = new UnsupportedOperationException("Unsupported attribute datetype");
private static final IllegalArgumentException UNDEF_INSTANCE_ID = new IllegalArgumentException("Undefined Attribute Provider's instance ID");
private final String instanceID;
......
......@@ -48,9 +48,10 @@ public interface DecisionCache extends Closeable
*
* @param conf
* extension parameters
* @param envProps environment properties
* @return instance of extension
*/
public abstract DecisionCache getInstance(CONF_T conf);
public abstract DecisionCache getInstance(CONF_T conf, EnvironmentProperties envProps);
}
/**
......
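Review bot: The new tag `@param envProps environment properties` does not tell an implementer of `Factory#getInstance` whether `envProps` may be null or what it is meant to be used for. Something like `@param envProps environment properties made available to the cache implementation; (state here whether null is allowed)` would make the contract usable. The tag is also written on one line, while the neighbouring `@param conf` puts the description on the following line.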
......@@ -21,18 +21,17 @@ import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Optional;
import net.sf.saxon.s9api.XdmNode;
import org.ow2.authzforce.core.pdp.api.expression.AttributeDesignatorExpression;
import org.ow2.authzforce.core.pdp.api.expression.AttributeSelectorExpression;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
import org.ow2.authzforce.core.pdp.api.value.Bag;
import org.ow2.authzforce.core.pdp.api.value.BagDatatype;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
import org.ow2.authzforce.core.pdp.api.value.Value;
import org.ow2.authzforce.core.pdp.api.value.XPathValue;
import net.sf.saxon.s9api.XdmNode;
/**
* Manages context for the policy evaluation of a given authorization decision request. Typically, an instance of this is instantiated whenever the PDP gets a request and needs to perform an
* evaluation to a authorization decision. Such a context is used and possibly updated all along the evaluation of the request.
......@@ -60,7 +59,7 @@ public interface EvaluationContext
<AV extends AttributeValue> void namedAttributeValueProduced(AttributeFqn attributeFQN, AttributeBag<AV> value);
/**
* To be called when {@link EvaluationContext#getNamedAttributeValue(AttributeFqn, BagDatatype)} is called
* To be called when {@link EvaluationContext#getNamedAttributeValue(AttributeFqn, Datatype)} is called
*
* @param attributeFQN
* attribute GUID (global ID = Category,Issuer,AttributeId)
......@@ -100,19 +99,19 @@ public interface EvaluationContext
*
* @param attributeFQN
* attribute GUID (global ID = Category,Issuer,AttributeId)
* @param returnDatatype
* attribute value bag datatype
* @param datatype
* attribute value datatype
*
* @return attribute value(s), null iff attribute unknown (not set) in this context, empty if attribute known in this context but no value
* @throws IndeterminateEvaluationException
* if error occurred trying to determine the attribute value(s) in context. This is different from finding without error that the attribute is not in the context (and/or no value),
* e.g. if there is a result but type is different from {@code attributeDatatype}.
*/
<AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(AttributeFqn attributeFQN, BagDatatype<AV> returnDatatype) throws IndeterminateEvaluationException;
<AV extends AttributeValue> AttributeBag<AV> getNamedAttributeValue(AttributeFqn attributeFQN, Datatype<AV> datatype) throws IndeterminateEvaluationException;
/**
* Get immutable iterator over the context attributes. DO NOT ever use this method to retrieve one or more specific attributes, in which case you must use
* {@link #getNamedAttributeValue(AttributeFqn, BagDatatype)} instead. This is only for iterating over all the attributes, e.g. for debugging/auditing.
* {@link #getNamedAttributeValue(AttributeFqn, Datatype)} instead. This is only for iterating over all the attributes, e.g. for debugging/auditing.
*
* @return context attributes iterator (implementations must guarantee that the iterator is immutable, i.e. does not allow changing the internal context)
*/
......@@ -121,7 +120,7 @@ public interface EvaluationContext
/**
* Put Attribute values in the context, only if the attribute is not already known to this context. Indeed, an attribute value cannot be overridden once it is set in the context to comply with
* 7.3.5 Attribute retrieval: "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated
* in the context before it is first tested, and is thereafter immutable during evaluation." Therefore, {@link #getNamedAttributeValue(AttributeFqn, BagDatatype)} should be called always before
* in the context before it is first tested, and is thereafter immutable during evaluation." Therefore, {@link #getNamedAttributeValue(AttributeFqn, Datatype)} should be called always before
* calling this, for the same {@code attributeFQN}
*
* @param attributeFQN
......
......@@ -62,7 +62,7 @@ public final class Expressions
final Value val = arg.evaluate(context);
if (LOGGER.isDebugEnabled())
{
LOGGER.debug("eval( arg = <{}>, <context>, expectedType = <{}> ) -> <{}>", arg, returnType, val);
LOGGER.debug("eval( arg = ({}), context, expectedType = ({}) ) -> ({})", arg, returnType, val);
}
if (val == null)
......@@ -99,7 +99,7 @@ public final class Expressions
/*
* Findsecbugs: prevent CRLF log injection
*/
LOGGER.debug("evalPrimitive( arg = <{}>, <context>) -> <{}>", arg, val);
LOGGER.debug("evalPrimitive( arg = ({}), context ) -> ({})", arg, val);
}
if (val == null)
......
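Review bot: The comment `Findsecbugs: prevent CRLF log injection` sits directly above a `LOGGER.debug(...)` call that still hands `arg` and `val` to the logger unmodified; replacing `<{}>` with `({})` changes only the delimiters. Nothing in the visible lines neutralises CR/LF, and `val` is the result of evaluating an expression, which I assume can carry request-supplied text. Either sanitise the values before logging or make the comment state where the neutralising happens, for example `/* CR/LF in arg/val are not escaped here; the log layout must encode them (Findsecbugs CRLF_INJECTION_LOGS) */`. The same applies to the `eval(...)` debug line in the first hunk; both enclosing methods start and end outside the hunks.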
......@@ -55,7 +55,7 @@ public abstract class BaseFirstOrderFunctionCall<RETURN extends Value> implement
private static final IllegalArgumentException EVAL_ARGS_NULL_INPUT_STACK_EXCEPTION = new IllegalArgumentException("Input stack to store evaluation results is NULL");
/**
* Evaluates primitive argument expressions in the given context, and stores all result values in a given array of a specific datatype.
* Evaluates primitive argument expressions in the given context, and stores all result values in a given linear collection of a specific datatype.
*
* @param args
* (mandatory) function arguments
......@@ -101,7 +101,7 @@ public abstract class BaseFirstOrderFunctionCall<RETURN extends Value> implement
}
/**
* Evaluates primitive argument expressions in the given context, and stores all result values in a given array.
* Evaluates primitive argument expressions in the given context, and stores all result values in a given linear collection.
*
* @param args
* (mandatory) function arguments
......
......@@ -36,26 +36,23 @@ public abstract class BaseFunction<RETURN_T extends Value> implements Function<R
private transient volatile int hashCode = 0; // Effective Java - Item 9
@Override
public final String getId()
{
public final String getId() {
return this.functionId;
}
protected BaseFunction(final String functionId)
{
this.functionId = functionId;
this.indeterminateArgMessagePrefix = "Function " + functionId + ": Indeterminate arg #";
this.indeterminateArgMessagePrefix = "Function '" + functionId + "': Indeterminate arg #";
}
@Override
public final String toString()
{
public final String toString() {
return this.functionId;
}
@Override
public final int hashCode()
{
public final int hashCode() {
if (hashCode == 0)
{
hashCode = this.functionId.hashCode();
......@@ -64,8 +61,7 @@ public abstract class BaseFunction<RETURN_T extends Value> implements Function<R
}
@Override
public final boolean equals(final Object obj)
{
public final boolean equals(final Object obj) {
if (this == obj)
{
return true;
......@@ -88,8 +84,7 @@ public abstract class BaseFunction<RETURN_T extends Value> implements Function<R
* function argument index (#x) that could not be determined
* @return "Indeterminate arg#x" exception
*/
public final String getIndeterminateArgMessage(final int argIndex)
{
public final String getIndeterminateArgMessage(final int argIndex) {
return indeterminateArgMessagePrefix + argIndex;
}
......@@ -100,8 +95,7 @@ public abstract class BaseFunction<RETURN_T extends Value> implements Function<R
* function argument index (#x) that could not be determined
* @return "Indeterminate arg#x" exception
*/
public final IndeterminateEvaluationException getIndeterminateArgException(final int argIndex)
{
public final IndeterminateEvaluationException getIndeterminateArgException(final int argIndex) {
return new IndeterminateEvaluationException(getIndeterminateArgMessage(argIndex), XacmlStatusCode.PROCESSING_ERROR.value());
}
......
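Review bot: The method signatures here are moved to end-of-line braces (`public final String getId() {`) while the constructor and the nested `if` blocks keep the brace on its own line, so the file now mixes two brace styles. Either keep the existing next-line style or reformat the whole file in a separate formatting-only commit; the same mix appears in `PolicyVersionPatterns`. The one behavioural change in this section, quoting the function id in `indeterminateArgMessagePrefix`, alters the text returned by `getIndeterminateArgMessage`, which anything matching on the old message text would notice, so it deserves a changelog line.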
......@@ -551,14 +551,14 @@ public final class FirstOrderBagFunctions
{
final BagDatatype<AV> paramBagType = paramType.getBagDatatype();
final Class<AV[]> paramArrayClass = paramType.getArrayClass();
return HashCollections.<Function<?>> newImmutableSet(new Function[] {
/**
*
* Single-bag function group, i.e. group of bag functions that takes only one bag as parameter, or no bag parameter but returns a bag. Defined in section A.3.10. As opposed to Set functions
* that takes multiple bags as parameters.
*
*/
new SingletonBagToPrimitive<>(paramType, paramBagType), new BagSize<>(paramBagType), new BagContains<>(paramType, paramBagType, paramArrayClass),
return HashCollections.<Function<?>>newImmutableSet(new Function[] {
/**
*
* Single-bag function group, i.e. group of bag functions that takes only one bag as parameter, or no bag parameter but returns a bag. Defined in section A.3.10. As opposed to Set
* functions that takes multiple bags as parameters.
*
*/
new SingletonBagToPrimitive<>(paramType, paramBagType), new BagSize<>(paramBagType), new BagContains<>(paramType, paramBagType, paramArrayClass),
new PrimitiveToBag<>(paramType, paramBagType),
/**
*
......
......@@ -21,13 +21,6 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attribute;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestDefaults;
import org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor;
import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
......@@ -40,6 +33,13 @@ import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attribute;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestDefaults;
/**
* Convenient base class for {@link DecisionRequestPreprocessor} implementations supporting core XACML-schema-defined XML input handled by JAXB framework
*
......@@ -109,18 +109,20 @@ public abstract class BaseXacmlJaxbRequestPreprocessor implements DecisionReques
final NamedXacmlAttributeParser<Attribute> namedXacmlAttParser = new NamedXacmlJaxbAttributeParser(attributeValueFactoryRegistry);
if (allowAttributeDuplicates)
{
final XacmlRequestAttributeParser<Attribute, MutableAttributeBag<?>> xacmlAttributeParser = strictAttributeIssuerMatch ? new NonIssuedLikeIssuedLaxXacmlAttributeParser<>(
namedXacmlAttParser) : new IssuedToNonIssuedCopyingLaxXacmlAttributeParser<>(namedXacmlAttParser);
this.xacmlAttrsParserFactory = requireContentForXPath ? new FullXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser,
SingleCategoryAttributes.MUTABLE_TO_CONSTANT_ATTRIBUTE_ITERATOR_CONVERTER, xmlProcessor) : new ContentSkippingXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser,
SingleCategoryAttributes.MUTABLE_TO_CONSTANT_ATTRIBUTE_ITERATOR_CONVERTER);
final XacmlRequestAttributeParser<Attribute, MutableAttributeBag<?>> xacmlAttributeParser = strictAttributeIssuerMatch
? new NonIssuedLikeIssuedLaxXacmlAttributeParser<>(namedXacmlAttParser)
: new IssuedToNonIssuedCopyingLaxXacmlAttributeParser<>(namedXacmlAttParser);
this.xacmlAttrsParserFactory = requireContentForXPath
? new FullXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.MUTABLE_TO_CONSTANT_ATTRIBUTE_ITERATOR_CONVERTER, xmlProcessor)
: new ContentSkippingXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.MUTABLE_TO_CONSTANT_ATTRIBUTE_ITERATOR_CONVERTER);
}
else // allowAttributeDuplicates == false
if (strictAttributeIssuerMatch)
{
final XacmlRequestAttributeParser<Attribute, AttributeBag<?>> xacmlAttributeParser = new NonIssuedLikeIssuedStrictXacmlAttributeParser<>(namedXacmlAttParser);
this.xacmlAttrsParserFactory = requireContentForXPath ? new FullXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.IDENTITY_ATTRIBUTE_ITERATOR_CONVERTER,
xmlProcessor) : new ContentSkippingXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.IDENTITY_ATTRIBUTE_ITERATOR_CONVERTER);
this.xacmlAttrsParserFactory = requireContentForXPath
? new FullXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.IDENTITY_ATTRIBUTE_ITERATOR_CONVERTER, xmlProcessor)
: new ContentSkippingXacmlJaxbAttributesParserFactory<>(xacmlAttributeParser, SingleCategoryAttributes.IDENTITY_ATTRIBUTE_ITERATOR_CONVERTER);
}
else
{
......
......@@ -30,18 +30,6 @@ import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.transform.dom.DOMResult;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Advice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AssociatedAdvice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligation;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligations;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyIdentifierList;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Status;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.StatusDetail;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.ImmutablePepActions;
......@@ -55,6 +43,18 @@ import org.w3c.dom.Element;
import com.google.common.collect.ImmutableList;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Advice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AssociatedAdvice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligation;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Obligations;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyIdentifierList;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Status;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.StatusDetail;
/**
* Convenient base class for {@link DecisionResultPostprocessor} implementations supporting core XACML-schema-defined XML output handled by JAXB framework
*
......@@ -64,7 +64,15 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
private static final IllegalArgumentException ILLEGAL_RESULTS_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined resultsByRequest arg");
private static final IllegalArgumentException ILLEGAL_ERROR_ARG_EXCEPTION = new IllegalArgumentException("Undefined input error arg");
protected static Result convert(final IndividualXacmlJaxbRequest request, final DecisionResult result)
/**
* Convert AuthzForce-specific {@link DecisionResult} to XACML {@link Result}
*
* @param request
* request corresponding to result; iff null, some content from it, esp. the list of {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes}, is included in {@code result}
* @param result
* @return XACML Result
*/
public static final Result convert(final IndividualXacmlJaxbRequest request, final DecisionResult result)
{
final ImmutablePepActions pepActions = result.getPepActions();
final List<Obligation> obligationList;
......@@ -92,8 +100,9 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
for (final PrimaryPolicyMetadata applicablePolicy : applicablePolicies)
{
final IdReferenceType jaxbIdRef = new IdReferenceType(applicablePolicy.getId(), applicablePolicy.getVersion().toString(), null, null);
final JAXBElement<IdReferenceType> jaxbPolicyIdRef = applicablePolicy.getType() == TopLevelPolicyElementType.POLICY ? Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY
.createPolicyIdReference(jaxbIdRef) : Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicySetIdReference(jaxbIdRef);
final JAXBElement<IdReferenceType> jaxbPolicyIdRef = applicablePolicy.getType() == TopLevelPolicyElementType.POLICY
? Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicyIdReference(jaxbIdRef)
: Xacml3JaxbHelper.XACML_3_0_OBJECT_FACTORY.createPolicySetIdReference(jaxbIdRef);
jaxbPolicyIdRefs.add(jaxbPolicyIdRef);
}
......@@ -101,7 +110,7 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
}
return new Result(result.getDecision(), result.getStatus(), obligationList.isEmpty() ? null : new Obligations(obligationList), adviceList.isEmpty() ? null : new AssociatedAdvice(adviceList),
request.getAttributesToBeReturned(), jaxbPolicyIdentifiers);
request == null ? null : request.getAttributesToBeReturned(), jaxbPolicyIdentifiers);
}
private static void addStatusMessageForEachCause(final Throwable cause, final int currentCauseDepth, final int maxIncludedCauseDepth, final List<Element> statusDetailElements,
......@@ -238,10 +247,8 @@ public class BaseXacmlJaxbResultPostprocessor implements DecisionResultPostproce
}
/**
*
* Factory for this type of result postprocessor that allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (complying with XACML 3.0 core
* spec, §7.3.3).
*
* Convenient base class for {@link org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor.Factory} implementations supporting core XACML-schema-defined XML output handled by JAXB framework
*
*/
public static abstract class Factory implements DecisionResultPostprocessor.Factory<IndividualXacmlJaxbRequest, Response>
{
......
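Review bot: The new Javadoc on `convert` says `iff null, some content from it ... is included in {@code result}`, which is the opposite of what the code does: `request == null ? null : request.getAttributesToBeReturned()` includes the attributes only when `request` is non-null. Suggested wording: `request corresponding to result; may be null; iff non-null, content from it (esp. the list of Attributes to be returned) is included in the returned Result`. `@param result` has no description although `result` is dereferenced on the first line of the body, so it should be documented as mandatory now that the method is public. Only part of the method body is visible in these hunks.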
......@@ -60,7 +60,7 @@ public abstract class BaseStaticRefPolicyProvider implements CloseableStaticRefP
* @throws IndeterminateEvaluationException
* error resolving policy
*/
protected abstract StaticTopLevelPolicyElementEvaluator getPolicy(String policyIdRef, Optional<VersionPatterns> constraints) throws IndeterminateEvaluationException;
protected abstract StaticTopLevelPolicyElementEvaluator getPolicy(String policyIdRef, Optional<PolicyVersionPatterns> constraints) throws IndeterminateEvaluationException;
/**
* Finds a policySet based on an reference. This may involve using the reference as indexing data to lookup a policy.
......@@ -98,11 +98,11 @@ public abstract class BaseStaticRefPolicyProvider implements CloseableStaticRefP
* @throws IndeterminateEvaluationException
* if error determining a matching policy of type {@code policyType}
*/
protected abstract StaticTopLevelPolicyElementEvaluator getPolicySet(String policyIdRef, Optional<VersionPatterns> constraints, Deque<String> policySetRefChainWithPolicyIdRef)
protected abstract StaticTopLevelPolicyElementEvaluator getPolicySet(String policyIdRef, Optional<PolicyVersionPatterns> constraints, Deque<String> policySetRefChainWithPolicyIdRef)
throws IndeterminateEvaluationException;
@Override
public final StaticTopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType refPolicyType, final String policyIdRef, final Optional<VersionPatterns> constraints,
public final StaticTopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType refPolicyType, final String policyIdRef, final Optional<PolicyVersionPatterns> constraints,
final Deque<String> policySetRefChain) throws IndeterminateEvaluationException
{
if (refPolicyType == TopLevelPolicyElementType.POLICY)
......@@ -114,7 +114,7 @@ public abstract class BaseStaticRefPolicyProvider implements CloseableStaticRefP
}
@Override
public final TopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType policyType, final String policyId, final Optional<VersionPatterns> policyVersionConstraints,
public final TopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType policyType, final String policyId, final Optional<PolicyVersionPatterns> policyVersionConstraints,
final Deque<String> policySetRefChain, final EvaluationContext evaluationCtx) throws IllegalArgumentException, IndeterminateEvaluationException
{
return get(policyType, policyId, policyVersionConstraints, policySetRefChain);
......
......@@ -20,11 +20,17 @@ package org.ow2.authzforce.core.pdp.api.policy;
import java.util.Optional;
/**
* Version patterns used in policy references to match specific policy version(s). This class also provides a simple set of comparison methods for matching against the patterns.
* Version patterns used in policy references to match specific policy
* version(s). This class also provides a simple set of comparison methods for
* matching against the patterns.
*
*/
public class VersionPatterns
public final class PolicyVersionPatterns
{
/**
* Wildcard pattern, i.e. version pattern that matches any version ('*')
*/
public static final PolicyVersionPattern WILDCARD = new PolicyVersionPattern("*");
// the three constraints
private final Optional<PolicyVersionPattern> versionPattern;
......@@ -32,38 +38,49 @@ public class VersionPatterns
private final Optional<PolicyVersionPattern> latestVersionPattern;
/**
* Creates a <code>VersionConstraints</code> with the three optional constraint strings. Each of the three strings must conform to the VersionMatchType type defined in the XACML schema. Any of the
* strings may be null to specify that the given constraint is not used.
* Creates a <code>VersionConstraints</code> with the three optional
* constraint strings. Each of the three strings must conform to the
* VersionMatchType type defined in the XACML schema. Any of the strings may
* be null to specify that the given constraint is not used.
*
* @param versionMatch
* matching expression for the version; or null if none
* @param earliestMatch
* matching expression for the earliest acceptable version; or null if none
* matching expression for the earliest acceptable version; or
* null if none
* @param latestMatch
* matching expression for the earliest acceptable version; or null if none
* matching expression for the earliest acceptable version; or
* null if none
* @throws IllegalArgumentException
* if one of the match expressions is invalid
*/
public VersionPatterns(final String versionMatch, final String earliestMatch, final String latestMatch) throws IllegalArgumentException
public PolicyVersionPatterns(final String versionMatch, final String earliestMatch, final String latestMatch)
throws IllegalArgumentException
{
this.versionPattern = versionMatch == null ? Optional.empty() : Optional.of(new PolicyVersionPattern(versionMatch));
this.earliestVersionPattern = earliestMatch == null ? Optional.empty() : Optional.of(new PolicyVersionPattern(earliestMatch));
this.latestVersionPattern = latestMatch == null ? Optional.empty() : Optional.of(new PolicyVersionPattern(latestMatch));
this.versionPattern = versionMatch == null ? Optional.empty()
: Optional.of(new PolicyVersionPattern(versionMatch));
this.earliestVersionPattern = earliestMatch == null ? Optional.empty()
: Optional.of(new PolicyVersionPattern(earliestMatch));
this.latestVersionPattern = latestMatch == null ? Optional.empty()
: Optional.of(new PolicyVersionPattern(latestMatch));
if (this.versionPattern.isPresent())
{
final PolicyVersion versionLiteral = this.versionPattern.get().toLiteral();
if (versionLiteral != null)
{
if (this.earliestVersionPattern.isPresent() && !this.earliestVersionPattern.get().matches(versionLiteral))
if (this.earliestVersionPattern.isPresent()
&& !this.earliestVersionPattern.get().matches(versionLiteral))
{
throw new IllegalArgumentException("Version (literal) '" + versionPattern.get() + "' and EarliestVersion '" + earliestVersionPattern.get()
+ "' cannot be both matched by the same version.");
throw new IllegalArgumentException(
"Version (literal) '" + versionPattern.get() + "' and EarliestVersion '"
+ earliestVersionPattern.get() + "' cannot be both matched by the same version.");
}
if (this.latestVersionPattern.isPresent() && !this.latestVersionPattern.get().matches(versionLiteral))
{
throw new IllegalArgumentException("Version (literal) '" + versionPattern.get() + "' and LatestVersion '" + latestVersionPattern.get()
+ "' cannot be both matched by the same version.");
throw new IllegalArgumentException(
"Version (literal) '" + versionPattern.get() + "' and LatestVersion '"
+ latestVersionPattern.get() + "' cannot be both matched by the same version.");
}
}
}
......@@ -72,9 +89,11 @@ public class VersionPatterns
{
final PolicyVersion earliestVersionLiteral = this.earliestVersionPattern.get().toLiteral();
final PolicyVersion latestVersionLiteral = this.latestVersionPattern.get().toLiteral();
if (earliestVersionLiteral != null && latestVersionLiteral != null && earliestVersionLiteral.compareTo(latestVersionLiteral) > 0)
if (earliestVersionLiteral != null && latestVersionLiteral != null
&& earliestVersionLiteral.compareTo(latestVersionLiteral) > 0)
{
throw new IllegalArgumentException("EarliestVersion (literal) '" + earliestVersionPattern + "' > LatestVersion (literal) '" + latestVersionPattern + "'!");
throw new IllegalArgumentException("EarliestVersion (literal) '" + earliestVersionPattern
+ "' > LatestVersion (literal) '" + latestVersionPattern + "'!");
}
}
}
......@@ -85,10 +104,9 @@ public class VersionPatterns
* @see java.lang.Object#toString()
*/
@Override
public String toString()
{
return String.format("Version=%s,EarliestVersion=%s,LatestVersion=%s", (versionPattern == null) ? "*" : versionPattern, (earliestVersionPattern == null) ? "*" : earliestVersionPattern,
(latestVersionPattern == null) ? "*" : latestVersionPattern);
public String toString() {
return String.format("Version=%s,EarliestVersion=%s,LatestVersion=%s", versionPattern.orElse(WILDCARD),
earliestVersionPattern.orElse(WILDCARD), latestVersionPattern.orElse(WILDCARD));
}
/**
......@@ -98,8 +116,7 @@ public class VersionPatterns
* input version to be checked
* @return true iff LatestVersion matched
*/
public boolean matchLatestVersion(final PolicyVersion version)
{
public boolean matchLatestVersion(final PolicyVersion version) {
return !latestVersionPattern.isPresent() || latestVersionPattern.get().isLaterOrMatches(version);
}
......@@ -110,8 +127,7 @@ public class VersionPatterns
* input version to be checked
* @return true iff EarliestVersion matched
*/
public boolean matchEarliestVersion(final PolicyVersion version)
{
public boolean matchEarliestVersion(final PolicyVersion version) {
return !earliestVersionPattern.isPresent() || earliestVersionPattern.get().isEarlierOrMatches(version);
}
......@@ -122,8 +138,7 @@ public class VersionPatterns
* input version to be checked
* @return true iff Version matched
*/
public boolean matchVersion(final PolicyVersion version)
{
public boolean matchVersion(final PolicyVersion version) {
return !versionPattern.isPresent() || versionPattern.get().matches(version);
}
......@@ -132,28 +147,27 @@ public class VersionPatterns
*
* @return Version to be matched; null if none
*/
public Optional<PolicyVersionPattern> getVersionPattern()
{
public Optional<PolicyVersionPattern> getVersionPattern() {
return this.versionPattern;
}
/**
* Get EarliestVersion pattern: matching expression for the earliest acceptable version
* Get EarliestVersion pattern: matching expression for the earliest
* acceptable version
*
* @return EarliestVersion pattern to be matched; null if none
*/
public Optional<PolicyVersionPattern> getEarliestVersionPattern()
{
public Optional<PolicyVersionPattern> getEarliestVersionPattern() {
return this.earliestVersionPattern;
}
/**
* Get LatestVersion pattern: matching expression for the latest acceptable version
* Get LatestVersion pattern: matching expression for the latest acceptable
* version
*
* @return LatestVersion pattern to be matched; null if none
*/
public Optional<PolicyVersionPattern> getLatestVersionPattern()
{
public Optional<PolicyVersionPattern> getLatestVersionPattern() {
return this.latestVersionPattern;
}
......
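Review bot: The `EarliestVersion (literal) ... > LatestVersion (literal)` message concatenates the `Optional` fields themselves, so it prints `Optional[...]` instead of the pattern, whereas the two messages above it call `.get()`. Change it to `"EarliestVersion (literal) '" + earliestVersionPattern.get() + "' > LatestVersion (literal) '" + latestVersionPattern.get() + "'!"`; both values are present at that point, since `.get()` has just been called on them. In the Javadoc, the constructor still names `VersionConstraints`, `@param latestMatch` describes the "earliest acceptable version", and the three getters say `null if none` although they return `Optional`.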
......@@ -175,7 +175,7 @@ public interface RefPolicyProvider
* @throws IndeterminateEvaluationException
* if error determining a matching policy of type {@code policyType}
*/
TopLevelPolicyElementEvaluator get(TopLevelPolicyElementType policyType, String policyId, Optional<VersionPatterns> policyVersionConstraints, Deque<String> policySetRefChain,
TopLevelPolicyElementEvaluator get(TopLevelPolicyElementType policyType, String policyId, Optional<PolicyVersionPatterns> policyVersionConstraints, Deque<String> policySetRefChain,
EvaluationContext evaluationCtx) throws IllegalArgumentException, IndeterminateEvaluationException;
}
\ No newline at end of file
......@@ -69,11 +69,11 @@ public interface StaticRefPolicyProvider extends RefPolicyProvider
* @throws IndeterminateEvaluationException
* if error determining a matching policy of type {@code policyType}
*/
StaticTopLevelPolicyElementEvaluator get(TopLevelPolicyElementType refPolicyType, String policyIdRef, Optional<VersionPatterns> constraints, Deque<String> policySetRefChain)
StaticTopLevelPolicyElementEvaluator get(TopLevelPolicyElementType refPolicyType, String policyIdRef, Optional<PolicyVersionPatterns> constraints, Deque<String> policySetRefChain)
throws IndeterminateEvaluationException;
@Override
default TopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType policyType, final String policyId, final Optional<VersionPatterns> policyVersionConstraints,
default TopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType policyType, final String policyId, final Optional<PolicyVersionPatterns> policyVersionConstraints,
final Deque<String> policySetRefChain, final EvaluationContext evaluationCtx) throws IllegalArgumentException, IndeterminateEvaluationException
{
return get(policyType, policyId, policyVersionConstraints, policySetRefChain);
......