Commit 0f876367 authored by cdanger's avatar cdanger

Merge branch 'release/16.0.0'

parents 196030b9 449b9ab0
......@@ -6,6 +6,20 @@ All notable changes to this project are documented in this file following the [K
- Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number.
## 16.0.0
### Changed
- Upgraded parent project: 7.6.1
- Upgraded dependency `slf4j-api`: 1.7.30
- Upgraded dependency `authzforce-ce-core-pdp-api`: 17.0.0
- PolicyProvider extensions must now support new parameter `otherHelpingPolicyProvider` in API method `CloseablePolicyProvider.Factory#getInstance(...)` which allows any new Policy Provider to call other(s) previously instantiated ones for help - during instantiation or later - in order to resolve policy references it cannot resolve on its own.
- Support for combining multiple Policy Providers corresponding to multiple `policyProvider` elements in PDP configuration (change to XML schema)
- Support for inline PolicySets in a `StaticPolicyProvider` configuration, may be combined with already existing `policyLocation` elements
- Core StaticPolicyProvider enhanced to support the two previously mentioned changes, with the limitation that it can be combined with other previously declared policy providers only if they are static (implement `StaticPolicyProvider` interface).
### Fixed
- #35 : CVE-2018-8088 affecting slf4j
## 15.2.0
### Changed
- Upgraded parent project: 7.6.0
......
......@@ -8,6 +8,20 @@ Follow these Java coding guidelines:
### Testing
For every new major functionality, there must be unit tests added to some unit test class that is part of the automated test suite of [pdp-engine's MainTest.java](pdp-engine/src/test/java/org/ow2/authzforce/core/pdp/impl/test/MainTest.java). If the functionality has any impact on XACML - any Request/Response/Policy(Set) element - processing and/or change XACML standard conformance in anyway, make sure you add relevant integration and/or conformance tests to the test suite run by [pdp-testutils's MainTest.java](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/MainTest.java).
You may run the tests as follows from your local copy of the repository:
<pre><code>
$ mvn test
</code></pre>
### Building the project
You may build the project and generate the JAR as follows from your local copy of the repository:
<pre><code>
$ mvn package
</code></pre>
Note that you must use Java 8 to run Maven when building the project.
### Dependency management
1. No SNAPSHOT dependencies on "develop" and obviously "master" branches
......
# Security Policy
## Supported Versions
Versions currently being supported with security updates.
| Version | Supported |
| ------- | ------------------ |
| 15.2.0 | :white_check_mark: |
| 15.1.0 | :x: |
## Reporting a Vulnerability
If you want to report a vulnerability, you must do so on the [OW2 Issue Tracker](https://gitlab.ow2.org/authzforce/core/issues) and **make sure the checkbox** *This issue is confidential and should only be visible to team members with at least Reporter access* **is checked when creating the issue**. Then, if the AuthzForce team can confirm it, they will uncheck it to make the issue public.
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<!--See issue #35 on Github -->
<cve>CVE-2018-8088</cve>
</suppress>
</suppressions>
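Review bot: The `<suppress>` entry is unscoped, so CVE-2018-8088 is silenced for every dependency this module pulls in, not only the slf4j artifact that the changelog says was upgraded to 1.7.30 to fix it; if a vulnerable slf4j build ever came back transitively, dependency-check would no longer report it. Restrict the suppression to the artifact it is meant for, e.g. `<gav regex="true">^org\.slf4j:slf4j-api:.*$</gav>` beside the `<cve>` element, and record the justification in a `<notes>` element rather than only the issue pointer, e.g. `<notes>CVE-2018-8088 reported against slf4j; slf4j-api upgraded to 1.7.30, see issue #35</notes>`. The identical file added for the engine module (the second `<suppressions>` block further down) needs the same scoping.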
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>15.2.0</version>
<version>16.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-cli</artifactId>
......@@ -30,12 +30,12 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
<version>15.2.0</version>
<version>16.0.0</version>
</dependency>
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
<version>15.2.0</version>
<version>16.0.0</version>
</dependency>
<dependency>
<groupId>org.testng</groupId>
......@@ -46,7 +46,7 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
<version>15.2.0</version>
<version>16.0.0</version>
<scope>test</scope>
</dependency>
</dependencies>
......
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<!--See issue #35 on Github -->
<cve>CVE-2018-8088</cve>
</suppress>
</suppressions>
\ No newline at end of file
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>15.2.0</version>
<version>16.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
......
......@@ -596,7 +596,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
* @param rootPolicyId
* root Policy(Set) ID
* @param rootPolicyElementType
* type of root policy element (XACML Policy or XACML PolicySet)
* type of root policy element (XACML Policy or XACML PolicySet). If undefined, try with XACML Policy, and else (if it fails) with XACML PolicySet.
* @param rootPolicyVersionPatterns
* version pattern to be matched by root policy version
* @param decisionCache
......@@ -627,8 +627,8 @@ public final class BasePdpEngine implements CloseablePdpEngine
}
catch (final IndeterminateEvaluationException e)
{
throw new IllegalArgumentException(
rootPolicyElementType + " '" + rootPolicyId + "' matching version (pattern): " + (rootPolicyVersionPatterns.isPresent() ? rootPolicyVersionPatterns.get() : "latest"), e);
throw new IllegalArgumentException("No valid " + (rootPolicyElementType.isPresent() ? rootPolicyElementType.get() : "Policy(Set)") + " '" + rootPolicyId + "' matching version (pattern): "
+ (rootPolicyVersionPatterns.isPresent() ? rootPolicyVersionPatterns.get() : "latest"), e);
}
if (staticRootPolicyEvaluator == null)
{
......
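Review bot: The new exception message in the `@@ -627,8 +627,8 @@` hunk unwraps the optional with the `isPresent() ? get() : ...` idiom twice on one statement, which the rest of the method already does for `rootPolicyVersionPatterns` and which is hard to read in a concatenation this long. Prefer the map/orElse form for the new part, `"No valid " + rootPolicyElementType.map(Object::toString).orElse("Policy(Set)") + " '" + rootPolicyId + "' matching version (pattern): "`, and consider the same for the version-pattern fragment. The enclosing method begins before the hunk and its `staticRootPolicyEvaluator == null` branch continues after it.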
......@@ -20,9 +20,7 @@ package org.ow2.authzforce.core.pdp.impl.io;
import java.io.IOException;
import java.util.Map;
import java.util.Map.Entry;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import java.util.function.Supplier;
import org.ow2.authzforce.core.pdp.api.CloseablePdpEngine;
import org.ow2.authzforce.core.pdp.api.DecisionRequest;
......@@ -36,7 +34,8 @@ import org.ow2.authzforce.core.pdp.api.io.PdpEngineInoutAdapter;
import org.ow2.authzforce.core.pdp.impl.BasePdpEngine;
import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;
import com.google.common.base.Supplier;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
/**
* PDP engine adapter utilities
......@@ -54,12 +53,12 @@ public final class PdpEngineAdapters
}
private static <ADAPTER_INPUT, ADAPTEE_INPUT_DECISION_REQUEST extends DecisionRequest, ADAPTER_OUTPUT> PdpEngineInoutAdapter<ADAPTER_INPUT, ADAPTER_OUTPUT> newInoutAdapter(
final CloseablePdpEngine adaptee, final DecisionRequestPreprocessor<ADAPTER_INPUT, ?> rawReqPreproc, final DecisionResultPostprocessor<?, ADAPTER_OUTPUT> rawResultPostproc)
throws IllegalArgumentException
final CloseablePdpEngine adaptee, final DecisionRequestPreprocessor<ADAPTER_INPUT, ?> rawReqPreproc, final DecisionResultPostprocessor<?, ADAPTER_OUTPUT> rawResultPostproc)
throws IllegalArgumentException
{
assert adaptee != null && rawReqPreproc != null && rawResultPostproc != null;
return new BasePdpEngineAdapter<>(adaptee, (DecisionRequestPreprocessor<ADAPTER_INPUT, ADAPTEE_INPUT_DECISION_REQUEST>) rawReqPreproc,
(DecisionResultPostprocessor<ADAPTEE_INPUT_DECISION_REQUEST, ADAPTER_OUTPUT>) rawResultPostproc);
(DecisionResultPostprocessor<ADAPTEE_INPUT_DECISION_REQUEST, ADAPTER_OUTPUT>) rawResultPostproc);
}
/**
......@@ -87,8 +86,8 @@ public final class PdpEngineAdapters
* {@code rawReqPreproc.getInputRequestType() != adapterInputClass || rawResultPostproc.getResponseType() != adapterOutputClass || rawReqPreproc.getOutputRequestType() != rawResultPostproc.getRequestType()}
*/
public static <ADAPTER_INPUT, ADAPTER_OUTPUT> PdpEngineInoutAdapter<ADAPTER_INPUT, ADAPTER_OUTPUT> newInoutAdapter(final Class<ADAPTER_INPUT> adapterInputClass,
final Class<ADAPTER_OUTPUT> adapterOutputClass, final CloseablePdpEngine adaptee, final DecisionRequestPreprocessor<?, ?> rawReqPreproc,
final DecisionResultPostprocessor<?, ?> rawResultPostproc) throws IllegalArgumentException
final Class<ADAPTER_OUTPUT> adapterOutputClass, final CloseablePdpEngine adaptee, final DecisionRequestPreprocessor<?, ?> rawReqPreproc,
final DecisionResultPostprocessor<?, ?> rawResultPostproc) throws IllegalArgumentException
{
/*
* Decision result processor
......@@ -100,8 +99,8 @@ public final class PdpEngineAdapters
if (rawResultPostproc.getResponseType() != adapterOutputClass)
{
throw new IllegalArgumentException("Invalid response type for " + DecisionResultPostprocessor.class.getCanonicalName() + " extension: " + rawResultPostproc.getResponseType()
+ ". Expected: " + adapterOutputClass);
throw new IllegalArgumentException(
"Invalid response type for " + DecisionResultPostprocessor.class.getCanonicalName() + " extension: " + rawResultPostproc.getResponseType() + ". Expected: " + adapterOutputClass);
}
/*
......@@ -114,14 +113,14 @@ public final class PdpEngineAdapters
if (rawReqPreproc.getInputRequestType() != adapterInputClass)
{
throw new IllegalArgumentException("Invalid request type for " + DecisionRequestPreprocessor.class.getCanonicalName() + " extension: " + rawReqPreproc.getInputRequestType()
+ ". Expected: " + adapterInputClass);
throw new IllegalArgumentException(
"Invalid request type for " + DecisionRequestPreprocessor.class.getCanonicalName() + " extension: " + rawReqPreproc.getInputRequestType() + ". Expected: " + adapterInputClass);
}
if (rawReqPreproc.getOutputRequestType() != rawResultPostproc.getRequestType())
{
throw new IllegalArgumentException("Decision request preprocessor is not compatible with decision result postprocessor: output request type of preprocessor ("
+ rawReqPreproc.getOutputRequestType() + ") != input request type of postprocessor (" + rawResultPostproc.getRequestType() + ")");
+ rawReqPreproc.getOutputRequestType() + ") != input request type of postprocessor (" + rawResultPostproc.getRequestType() + ")");
}
return newInoutAdapter(adaptee, (DecisionRequestPreprocessor<ADAPTER_INPUT, ?>) rawReqPreproc, (DecisionResultPostprocessor<?, ADAPTER_OUTPUT>) rawResultPostproc);
......@@ -154,9 +153,9 @@ public final class PdpEngineAdapters
* {@code defaultResultPostprocSupplier}
*/
public static <ADAPTER_INPUT, ADAPTER_OUTPUT> PdpEngineInoutAdapter<ADAPTER_INPUT, ADAPTER_OUTPUT> newInoutAdapter(final Class<ADAPTER_INPUT> adapterInputClass,
final Class<ADAPTER_OUTPUT> adapterOutputClass, final CloseablePdpEngine adaptee,
final Map<Class<?>, Entry<DecisionRequestPreprocessor<?, ?>, DecisionResultPostprocessor<?, ?>>> ioProcChainsByInputType,
final DecisionRequestPreprocessorSupplier defaultReqPreprocSupplier, final Supplier<DecisionResultPostprocessor<?, ?>> defaultResultPostprocSupplier) throws IllegalArgumentException
final Class<ADAPTER_OUTPUT> adapterOutputClass, final CloseablePdpEngine adaptee,
final Map<Class<?>, Entry<DecisionRequestPreprocessor<?, ?>, DecisionResultPostprocessor<?, ?>>> ioProcChainsByInputType,
final DecisionRequestPreprocessorSupplier defaultReqPreprocSupplier, final Supplier<DecisionResultPostprocessor<?, ?>> defaultResultPostprocSupplier) throws IllegalArgumentException
{
final Entry<DecisionRequestPreprocessor<?, ?>, DecisionResultPostprocessor<?, ?>> ioProcChain = ioProcChainsByInputType.get(adapterInputClass);
final DecisionResultPostprocessor<?, ?> rawResultPostproc;
......@@ -205,9 +204,9 @@ public final class PdpEngineAdapters
* error closing {@code configuration.getRootPolicyProvider()} when static resolution is to be used
*/
public static <ADAPTER_INPUT, ADAPTEE_INPUT_DECISION_REQUEST extends DecisionRequest, ADAPTER_OUTPUT> PdpEngineInoutAdapter<ADAPTER_INPUT, ADAPTER_OUTPUT> newInoutAdapter(
final Class<ADAPTER_INPUT> adapterInputClass, final Class<ADAPTER_OUTPUT> adapterOutputClass, final PdpEngineConfiguration configuration,
final DecisionRequestPreprocessor<ADAPTER_INPUT, ADAPTEE_INPUT_DECISION_REQUEST> defaultReqPreproc,
final DecisionResultPostprocessor<ADAPTEE_INPUT_DECISION_REQUEST, ADAPTER_OUTPUT> defaultResultPostproc) throws IllegalArgumentException, IOException
final Class<ADAPTER_INPUT> adapterInputClass, final Class<ADAPTER_OUTPUT> adapterOutputClass, final PdpEngineConfiguration configuration,
final DecisionRequestPreprocessor<ADAPTER_INPUT, ADAPTEE_INPUT_DECISION_REQUEST> defaultReqPreproc,
final DecisionResultPostprocessor<ADAPTEE_INPUT_DECISION_REQUEST, ADAPTER_OUTPUT> defaultResultPostproc) throws IllegalArgumentException, IOException
{
// use intermediate Java-friendly PdpEngineConfiguration (higher-level than JAXB) that has #getAttributeValueFactory()
try (final BasePdpEngine adaptedPdpEngine = new BasePdpEngine(configuration))
......@@ -228,7 +227,7 @@ public final class PdpEngineAdapters
}
return newInoutAdapter(adapterInputClass, adapterOutputClass, adaptedPdpEngine, rawReqPreproc == null ? defaultReqPreproc : rawReqPreproc,
rawResultPostProc == null ? defaultResultPostproc : rawResultPostProc);
rawResultPostProc == null ? defaultResultPostproc : rawResultPostProc);
}
}
......@@ -249,8 +248,8 @@ public final class PdpEngineAdapters
{
final DecisionResultPostprocessor<IndividualXacmlJaxbRequest, Response> defaultResultPostproc = new BaseXacmlJaxbResultPostprocessor(configuration.getClientRequestErrorVerbosityLevel());
final DecisionRequestPreprocessor<Request, IndividualXacmlJaxbRequest> defaultReqPreproc = SingleDecisionXacmlJaxbRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(
configuration.getAttributeValueFactoryRegistry(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.isXpathEnabled(), XmlUtils.SAXON_PROCESSOR,
defaultResultPostproc.getFeatures());
configuration.getAttributeValueFactoryRegistry(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.isXpathEnabled(), XmlUtils.SAXON_PROCESSOR,
defaultResultPostproc.getFeatures());
return newInoutAdapter(Request.class, Response.class, configuration, defaultReqPreproc, defaultResultPostproc);
}
......
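Review bot: In the `@@ -154,9 +153,9 @@` hunk the public `newInoutAdapter` overload changes the declared type of `defaultResultPostprocSupplier` from Guava's `com.google.common.base.Supplier` to `java.util.function.Supplier` (the import hunk at the top of the file swaps the two), which is binary-incompatible for compiled callers and source-incompatible for any caller whose Guava version does not already extend the JDK interface. The 16.0.0 `### Changed` section of the changelog in this same commit does not mention it; add an entry such as `- PdpEngineAdapters#newInoutAdapter(...): parameter defaultResultPostprocSupplier is now java.util.function.Supplier instead of com.google.common.base.Supplier`. The remaining hunks in this file are whitespace-only reformatting.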
......@@ -45,6 +45,20 @@ import org.slf4j.LoggerFactory;
*/
public final class RootPolicyEvaluators
{
/**
*
* @param <PE>
* @param rootPolicyProvider
* @param rootPolicyElementType
* type of policy element (XACML Policy or XACML PolicySet); if undefined, try with XACML Policy first, and if fails, try XACML PolicySet
* @param rootPolicyId
* @param optRootPolicyVersionPatterns
* @param context
* @param logger
* @return
* @throws IllegalArgumentException
* @throws IndeterminateEvaluationException
*/
private static <PE extends TopLevelPolicyElementEvaluator> PE getRootPolicyEvaluator(final CloseablePolicyProvider<PE> rootPolicyProvider,
final Optional<TopLevelPolicyElementType> rootPolicyElementType, final String rootPolicyId, final Optional<PolicyVersionPatterns> optRootPolicyVersionPatterns,
final EvaluationContext context, final Logger logger) throws IllegalArgumentException, IndeterminateEvaluationException
......@@ -97,7 +111,7 @@ public final class RootPolicyEvaluators
* @param policyProvider
* Root Policy Provider - mandatory
* @param rootPolicyElementType
* type of root policy element (XACML Policy or XACML PolicySet)
* type of root policy element (XACML Policy or XACML PolicySet). If undefined, try with XACML Policy, and else (if it fails) with XACML PolicySet.
* @param rootPolicyId
* root Policy(Set) ID
* @param optRootPolicyVersionPatterns
......
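Review bot: The Javadoc added above `getRootPolicyEvaluator` leaves every tag except `rootPolicyElementType` empty (`@param <PE>`, `@param rootPolicyProvider`, `@param rootPolicyId`, `@param optRootPolicyVersionPatterns`, `@param context`, `@param logger`, `@return`, both `@throws`), which doclint and IDEs then present as documented. Fill them with the wording the same file already uses in its later hunk: a summary sentence such as `Resolves the root policy evaluator from the given Policy Provider`, `rootPolicyProvider` as the root Policy Provider (mandatory), `rootPolicyId` as the root Policy(Set) ID, `optRootPolicyVersionPatterns` as the version pattern to be matched by the root policy version, and `@return` as the evaluator of the matching root policy element; state under which of the two `@throws` an unresolvable reference versus an evaluation error is reported, as only the maintainer can confirm that split. The method body continues past the hunk.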
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>15.2.0</version>
<version>16.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
......@@ -41,7 +41,7 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
<version>15.2.0</version>
<version>16.0.0</version>
<scope>test</scope>
</dependency>
</dependencies>
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>15.2.0</version>
<version>16.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
......@@ -23,7 +23,7 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-engine</artifactId>
<version>15.2.0</version>
<version>16.0.0</version>
</dependency>
<dependency>
<groupId>org.mongodb</groupId>
......@@ -32,6 +32,12 @@
<!-- Version must match the one defined in Jongo's pom.xml -->
<version>3.5.0</version>
</dependency>
<dependency>
<!-- Override jongo dependency 'jackson-databind' to fix CVE -->
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.10.5</version>
</dependency>
<dependency>
<groupId>org.jongo</groupId>
<artifactId>jongo</artifactId>
......
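Review bot: The new `jackson-databind` 2.9.10.5 dependency in the `@@ -32,6 +32,12 @@` hunk is justified only by the comment `Override jongo dependency 'jackson-databind' to fix CVE`, which names no advisory, so a later reader cannot tell which CVE the pin answers or whether a newer Jongo release would make it redundant; the changelog's `### Fixed` section for 16.0.0 also lists only CVE-2018-8088 and omits this fix. Put the identifier(s) in the comment, e.g. `<!-- Override jongo's transitive 'jackson-databind' to fix CVE-YYYY-NNNNN (placeholder; fill in the advisory) -->`, and add a matching `### Fixed` line in the changelog. Declaring it as a plain `<dependency>` relies on nearest-wins resolution in this module only; if other modules also pull Jongo in, a `<dependencyManagement>` entry in the parent would pin it everywhere.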
......@@ -331,11 +331,11 @@ public class TestUtils
final StaticPolicyProvider jaxbPolicyProvider = new StaticPolicyProvider();
jaxbPolicyProvider.setId("policyProvider");
jaxbPolicyProvider.getPolicyLocations().addAll(policyLocations);
jaxbPDP.setPolicyProvider(jaxbPolicyProvider);
jaxbPolicyProvider.getPolicySetsAndPolicyLocations().addAll(policyLocations);
jaxbPDP.getPolicyProviders().add(jaxbPolicyProvider);
// set max PolicySet reference depth to max possible depth automatically
jaxbPDP.setMaxPolicyRefDepth(BigInteger.valueOf(jaxbPolicyProvider.getPolicyLocations().size()));
jaxbPDP.setMaxPolicyRefDepth(BigInteger.valueOf(jaxbPolicyProvider.getPolicySetsAndPolicyLocations().size()));
jaxbPDP.setRootPolicyRef(rootPolicyRef);
// test attribute provider
......
......@@ -38,6 +38,7 @@ import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry;
import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.policy.BaseStaticPolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.PolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersion;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPattern;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns;
......@@ -124,8 +125,9 @@ public final class MongoDbPolicyProvider extends BaseStaticPolicyProvider
}
@Override
public CloseablePolicyProvider getInstance(final MongoDBBasedPolicyProviderDescriptor conf, final XmlnsFilteringParserFactory xmlParserFactory, final int maxPolicySetRefDepth,
final ExpressionFactory expressionFactory, final CombiningAlgRegistry combiningAlgRegistry, final EnvironmentProperties environmentProperties) throws IllegalArgumentException
public CloseablePolicyProvider<?> getInstance(final MongoDBBasedPolicyProviderDescriptor conf, final XmlnsFilteringParserFactory xmlParserFactory, final int maxPolicySetRefDepth,
final ExpressionFactory expressionFactory, final CombiningAlgRegistry combiningAlgRegistry, final EnvironmentProperties environmentProperties,
final Optional<PolicyProvider<?>> otherHelpingPolicyProvider) throws IllegalArgumentException
{
if (conf == null)
{
......@@ -148,8 +150,7 @@ public final class MongoDbPolicyProvider extends BaseStaticPolicyProvider
}
final ServerAddress serverAddress = new ServerAddress(conf.getServerHost(), conf.getServerPort());
return new MongoDbPolicyProvider(conf.getId(), serverAddress, conf.getDbName(), conf.getCollectionName(), xmlParserFactory, expressionFactory, combiningAlgRegistry,
maxPolicySetRefDepth);
return new MongoDbPolicyProvider(conf.getId(), serverAddress, conf.getDbName(), conf.getCollectionName(), xmlParserFactory, expressionFactory, combiningAlgRegistry, maxPolicySetRefDepth);
}
}
......
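Review bot: The new `otherHelpingPolicyProvider` parameter added to the `getInstance` signature in the `@@ -124,8 +125,9 @@` hunk is never used: the constructor call in the second hunk passes every other argument and drops it, so a PDP configuration that places another provider before this one is accepted and then silently ignored whenever a reference cannot be resolved from MongoDB. Either fail loudly, `if (otherHelpingPolicyProvider.isPresent()) { throw new IllegalArgumentException("Policy provider '" + conf.getId() + "' does not support a helping policy provider"); }`, or, if ignoring it is intended for this provider, say so right above the `return`, `// otherHelpingPolicyProvider is intentionally unused: this provider does not delegate unresolved references`. The body between the two hunks (including the `conf == null` check) is outside the visible lines.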
......@@ -36,7 +36,7 @@ import org.slf4j.LoggerFactory;
*/
@RunWith(Suite.class)
@SuiteClasses(value = { ConformanceV3FromV2MandatoryTest.class, ConformanceV3FromV2OptionalTest.class, ConformanceV3OthersTest.class, PdpGetStaticApplicablePoliciesTest.class, CustomPdpTest.class,
MongoDBRefPolicyProviderTest.class, EmbeddedPdpBasedAuthzInterceptorTest.class, NonRegressionTest.class })
MongoDbPolicyProviderTest.class, EmbeddedPdpBasedAuthzInterceptorTest.class, NonRegressionTest.class })
public class MainTest
{
/**
......
......@@ -27,6 +27,7 @@ import java.io.StringReader;
import java.math.BigInteger;
import java.net.InetSocketAddress;
import java.nio.file.Paths;
import java.util.List;
import java.util.Optional;
import javax.xml.bind.JAXBException;
......@@ -63,8 +64,8 @@ import org.ow2.authzforce.core.pdp.impl.expression.DepthLimitingExpressionFactor
import org.ow2.authzforce.core.pdp.impl.func.FunctionRegistry;
import org.ow2.authzforce.core.pdp.impl.func.StandardFunction;
import org.ow2.authzforce.core.pdp.impl.io.PdpEngineAdapters;
import org.ow2.authzforce.core.pdp.testutil.XacmlXmlPdpTest;
import org.ow2.authzforce.core.pdp.testutil.TestUtils;
import org.ow2.authzforce.core.pdp.testutil.XacmlXmlPdpTest;
import org.ow2.authzforce.core.pdp.testutil.ext.MongoDbPolicyProvider;
import org.ow2.authzforce.core.pdp.testutil.ext.PolicyPojo;
import org.ow2.authzforce.core.pdp.testutil.ext.xmlns.MongoDBBasedPolicyProviderDescriptor;
......@@ -72,7 +73,6 @@ import org.ow2.authzforce.core.xmlns.pdp.Pdp;
import org.ow2.authzforce.xacml.Xacml3JaxbHelper;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider;
import com.google.common.base.Charsets;
import com.mongodb.MongoClient;
import com.mongodb.ServerAddress;
......@@ -83,29 +83,34 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicySet;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
public class MongoDBRefPolicyProviderTest
/**
* Test class for {@link MongoDbPolicyProvider}
*
*/
public class MongoDbPolicyProviderTest
{
private static MongoServer DB_SERVER;
private static MongoCollection POLICY_COLLECTION;
private static String[] SAMPLE_POLICY_FILENAMES = { "permit-all-policy-0.1.0.xml", "permit-all-policy-0.1.xml", "permit-all-policyset-0.1.0.xml", "root-rbac-policyset-0.1.xml",
"root-rbac-policyset-1.2.xml", "rbac-pps-employee-1.0.xml" };
private static CloseablePolicyProvider POLICY_PROVIDER_MODULE;
private static CloseablePolicyProvider<?> POLICY_PROVIDER_MODULE;
@BeforeClass
public static void setUpBeforeClass() throws Exception
{
final PdpModelHandler pdpModelHandler = new PdpModelHandler("classpath:catalog.xml", "classpath:pdp-ext.xsd");
final Pdp pdpConf;
try (final InputStream is = MongoDBRefPolicyProviderTest.class.getResourceAsStream(XacmlXmlPdpTest.PDP_CONF_FILENAME))
try (final InputStream is = MongoDbPolicyProviderTest.class.getResourceAsStream(XacmlXmlPdpTest.PDP_CONF_FILENAME))
{
pdpConf = pdpModelHandler.unmarshal(new StreamSource(is), Pdp.class);
}
final AbstractPolicyProvider policyProviderConf = pdpConf.getPolicyProvider();
if (!(policyProviderConf instanceof MongoDBBasedPolicyProviderDescriptor))
final List<AbstractPolicyProvider> policyProviderConfs = pdpConf.getPolicyProviders();
final AbstractPolicyProvider policyProviderConf;
if (policyProviderConfs.size() != 1 || !((policyProviderConf = policyProviderConfs.get(0)) instanceof MongoDBBasedPolicyProviderDescriptor))
{
throw new RuntimeException("Invalid type of refPolicyProvider in pdp.xml. Expected: " + MongoDBBasedPolicyProviderDescriptor.class);
throw new RuntimeException("Not exactly one or invalid type of policyProvider in pdp.xml. Expected: one " + MongoDBBasedPolicyProviderDescriptor.class);
}
final MongoDBBasedPolicyProviderDescriptor mongodbBasedPolicyProviderConf = (MongoDBBasedPolicyProviderDescriptor) policyProviderConf;
......@@ -117,7 +122,7 @@ public class MongoDBRefPolicyProviderTest
try (final ExpressionFactory expressionFactory = new DepthLimitingExpressionFactory(valFactoryReg, funcReg, null, 0, false, false))
{
POLICY_PROVIDER_MODULE = new MongoDbPolicyProvider.Factory().getInstance(mongodbBasedPolicyProviderConf, XacmlJaxbParsingUtils.getXacmlParserFactory(false), 10, expressionFactory,
StandardCombiningAlgorithm.REGISTRY, null);
StandardCombiningAlgorithm.REGISTRY, null, Optional.empty());
}
/*
......@@ -143,9 +148,9 @@ public class MongoDBRefPolicyProviderTest
for (final String policyFilename : SAMPLE_POLICY_FILENAMES)
{
final String policyContent;
try (final InputStream is = MongoDBRefPolicyProviderTest.class.getResourceAsStream(policyFilename))
try (final InputStream is = MongoDbPolicyProviderTest.class.getResourceAsStream(policyFilename))
{
policyContent = IOUtils.toString(is, Charsets.UTF_8.name());
policyContent = IOUtils.toString(is, IOUtils.UTF8_CHARSET.name());
}
final Object jaxbObj = unmarshaller.unmarshal(new StringReader(policyContent));
final String policyTypeId;
......
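Review bot: In the `@@ -83,29 +83,34 @@` hunk the new check embeds an assignment inside the condition, `!((policyProviderConf = policyProviderConfs.get(0)) instanceof MongoDBBasedPolicyProviderDescriptor)`, relying on short-circuit definite-assignment rules for `policyProviderConf` to compile; it is correct but easy to misread and merges two different failures ("not exactly one provider" and "wrong provider type") into one message. Split it into a size check, a plain assignment and a type check so each failure gets its own message, as below. The rest of `setUpBeforeClass` continues outside the hunk.
```java
final List<AbstractPolicyProvider> policyProviderConfs = pdpConf.getPolicyProviders();
if (policyProviderConfs.size() != 1)
{
    throw new RuntimeException("Not exactly one policyProvider in pdp.xml. Expected: one " + MongoDBBasedPolicyProviderDescriptor.class);
}
final AbstractPolicyProvider policyProviderConf = policyProviderConfs.get(0);
if (!(policyProviderConf instanceof MongoDBBasedPolicyProviderDescriptor))
{
    throw new RuntimeException("Invalid type of policyProvider in pdp.xml. Expected: " + MongoDBBasedPolicyProviderDescriptor.class);
}
// … unchanged: cast to MongoDBBasedPolicyProviderDescriptor and the rest of the setup …
```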
......@@ -18,6 +18,7 @@
package org.ow2.authzforce.core.pdp.testutil.test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import java.io.IOException;
......@@ -40,8 +41,8 @@ import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
import org.ow2.authzforce.core.pdp.impl.BasePdpEngine;
import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;
import org.ow2.authzforce.core.pdp.impl.io.PdpEngineAdapters;
import org.ow2.authzforce.core.pdp.testutil.XacmlXmlPdpTest;
import org.ow2.authzforce.core.pdp.testutil.TestUtils;
import org.ow2.authzforce.core.pdp.testutil.XacmlXmlPdpTest;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyIssuer;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
......@@ -206,14 +207,16 @@ public class PdpGetStaticApplicablePoliciesTest
: TestUtils.newPdpEngineConfiguration(rootPolicyFile, false, Optional.empty(), null, null);
try (final PdpEngineInoutAdapter<Request, Response> pdp = PdpEngineAdapters.newXacmlJaxbInoutAdapter(pdpEngineConf))
{
final Iterator<PrimaryPolicyMetadata> staticApplicablePolicies = pdp.getApplicablePolicies().iterator();
assertTrue("No root policy in PDP's applicable policies (statically resolved)", staticApplicablePolicies != null && staticApplicablePolicies.hasNext());
assertEquals("Invalid root policy in PDP's applicable policies (statically resolved)", ROOT_POLICYSET_METADATA, staticApplicablePolicies.next());
final Iterable<PrimaryPolicyMetadata> staticApplicablePolicies = pdp.getApplicablePolicies();
assertNotNull("One of the policies may not be statically resolved", staticApplicablePolicies);
final Iterator<PrimaryPolicyMetadata> staticApplicablePoliciesIterator = pdp.getApplicablePolicies().iterator();
assertTrue("No root policy in PDP's applicable policies (statically resolved)", staticApplicablePoliciesIterator.hasNext());
assertEquals("Invalid root policy in PDP's applicable policies (statically resolved)", ROOT_POLICYSET_METADATA, staticApplicablePoliciesIterator.next());
for (final PrimaryPolicyMetadata expectedRefPolicyMeta : REF_POLICYSET_METADATA_SET)
{
assertTrue("No (more) referenced policy in PDP's applicable policies (statically resolved) although expected", staticApplicablePolicies.hasNext());
assertEquals("Invalid referenced policy in PDP's applicable policies (statically resolved)", expectedRefPolicyMeta, staticApplicablePolicies.next());
assertTrue("No (more) referenced policy in PDP's applicable policies (statically resolved) although expected", staticApplicablePoliciesIterator.hasNext());
assertEquals("Invalid referenced policy in PDP's applicable policies (statically resolved)", expectedRefPolicyMeta, staticApplicablePoliciesIterator.next());
}
}
......
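Review bot: The `assertNotNull` added in the `@@ -206,14 +207,16 @@` hunk guards `staticApplicablePolicies`, but the very next line takes the iterator from a fresh `pdp.getApplicablePolicies()` call rather than from the variable just checked, so the null check does not protect the value actually used and the test would still fail with a NullPointerException instead of the intended assertion message. Use the checked value: `final Iterator<PrimaryPolicyMetadata> staticApplicablePoliciesIterator = staticApplicablePolicies.iterator();`. The enclosing test method starts before the hunk.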
<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1" maxPolicyRefDepth="1">
<policyProvider id="refPolicyprovider" xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
<xacml:PolicySet xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="root" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<xacml:Description>Root PolicySet. Test for a valid PolicySetIdReference.</xacml:Description>
<xacml:Target />
<xacml:PolicySet PolicySetId="RPS:Employee" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<xacml:Description>
Employee Role PolicySet
</xacml:Description>
<xacml:Target>
<xacml:AnyOf>
<xacml:AllOf>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</xacml:AttributeValue>
<xacml:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true" />
</xacml:Match>
</xacml:AllOf>
</xacml:AnyOf>
</xacml:Target>
<xacml:PolicySetIdReference>PPS:Employee</xacml:PolicySetIdReference>
</xacml:PolicySet>
</xacml:PolicySet>
</policyProvider>
<rootPolicyRef>root</rootPolicyRef>
</pdp>
\ No newline at end of file
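Review bot: The leading comment says `Testing parameter 'maxPolicySetRefDepth'` but the attribute the file actually sets on `<pdp>` is `maxPolicyRefDepth="1"`, so the comment points a reader at a name that does not appear in the configuration. Align it with the attribute, `<!-- Testing parameter 'maxPolicyRefDepth' -->`, and, since this fixture is the first to mix an inline `xacml:PolicySet` with a `policyLocation` wildcard, one more comment line saying that `PPS:Employee` is expected to be resolved from the `policies/*.xml` location would make the test's intent clear.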
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="PPS:Employee" Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
<Description>Permissions specific to the Employee role</Description>
<Target />
<Policy PolicyId="PP:Employee" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target />
<Rule RuleId="Permission_to_create_issue_ticket" Effect="Permit">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://acme.com/ticketmanagementservice/tickets</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true" />
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="true" />
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
<ObligationExpressions>
<!-- Obligation to confirm that this PolicySet was used/evaluated via PolicySetReference in root PolicySet -->
<ObligationExpression FulfillOn="Permit" ObligationId="PPS:Employee:obligation" />
</ObligationExpressions>
</PolicySet>
<?xml version="1.0" encoding="utf-8"?>
<Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bsimpson</AttributeValue>
</Attribute>
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">