Commit 196030b9 authored by cdanger

Merge branch 'release/15.2.0'

Conflicts:
	CHANGELOG.md
parents 597b0834 3a8ed7d6
......@@ -6,6 +6,17 @@ All notable changes to this project are documented in this file following the [K
- Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number.
## 15.2.0
### Changed
- Upgraded parent project: 7.6.0
- Upgraded dependencies:
- authzforce-ce-xacml-json-model: 2.3.0
- org.everit.json.schema: 1.12.1
- authzforce-ce-core-pdp-api: 16.3.0
- jongo: 1.4.1
- spring-core: 5.1.14
## 15.1.0
### Changed
- Dependency authzforce-ce-core-pdp-api version changed to 16.2.0: removes class overlap at runtime between dependency `javax.mail:javax.mail-api` of `authzforce-ce-core-pdp-api` and `com.sun.mail:javax.mail` that this project depends on
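Review bot: the 15.2.0 entry lists `jongo: 1.4.1` and `spring-core: 5.1.14` without saying what they fix, while the pdp-testutils pom in this same commit drops the explicit `jackson-databind` 2.9.10.1 override that was there for CVE-2018-1000873 in favour of the jongo bump; the entry should say whether jongo 1.4.1 resolves that CVE on its own (e.g. `- jongo: 1.4.1 (replaces the explicit jackson-databind override for CVE-2018-1000873)`) and name the CVE identifier(s) behind the Spring bump rather than leaving readers to diff the poms. The 15.1.0 entry below is the model: it states the reason (class overlap between `javax.mail-api` and `com.sun.mail:javax.mail`) next to the version.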
......@@ -67,6 +78,9 @@ All notable changes to this project are documented in this file following the [K
- mailapi replaced with javax.mail-api: 1.6.0
- Spring: 4.3.18 (fixes CVE)
- authzforce-ce-xacml-json-model: 2.1.0
- XML schema for AuthzForce test extensions (namespace `http://authzforce.github.io/core/xmlns/test/3`, located in file `org.ow2.authzforce.core.pdp.testutil.ext.xsd`) has been modified, esp. names of XML types, in order to avoid confusion between schema-derived (JAXB-annotated) classes describing the configuration of an AuthzForce extension, and its corresponding Java (logic) implementation:
- XML type `TestAttributeProvider` renamed to `TestAttributeProviderDescriptor`;
- XML type `MongoDBBasedPolicyProvider`renamed to `MongoDBBasedPolicyProviderDescriptor`.
- Copyright company name
### Added
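Review bot: the three added lines describe a rename of XML types in the test-extension schema that breaks any PDP configuration still referencing `TestAttributeProvider` or `MongoDBBasedPolicyProvider`, yet they land in an older release's section (hunk offset 67/78) with no breaking-change marker; the MIGRATION.md hunk in this commit ties the rename to "v13.2.0 or lower", so tag the entry as breaking here too and point at MIGRATION.md. Also a missing space in `` `MongoDBBasedPolicyProvider`renamed ``.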
......
......@@ -5,4 +5,5 @@
- Make sure all your custom PolicyProviders implement the new PolicyProvider interfaces, i.e. BaseStaticPolicyProvider or, as fallback option, CloseableStaticPolicyProvider
- Modify the PDP configuration (XML):
- Merge 'rootPolicyProvider' and 'refPolicyprovider' into one 'policyProvider' using the new 'StaticPolicyProvider' type if you were using 'StaticRefPolicyprovider' or 'StaticRootPolicyProvider', else your new custom PolicyProvider types if you were using custom ones.
- Add 'rootPolicyRef' element with policyId of the root policy.
\ No newline at end of file
- Add 'rootPolicyRef' element with policyId of the root policy.
- If you are migrating from v13.2.0 or lower, and using either `TestAttributeProvider` or `MongoDBBasedPolicyProvider` types in XML namespace `http://authzforce.github.io/core/xmlns/test/3`, you must rename them to `TestAttributeProviderDescriptor` and `MongoDBBasedPolicyProviderDescriptor` respectively.
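Review bot: the new migration step names the two types to rename but not where the name appears in the user's files; an extension in the PDP configuration is selected by the `xsi:type` attribute of the provider element, so one before/after line (`xsi:type="...:TestAttributeProvider"` becoming `xsi:type="...:TestAttributeProviderDescriptor"`, with whatever prefix the user declared for `http://authzforce.github.io/core/xmlns/test/3`) would remove the guesswork. It is also worth stating that the Java implementation classes keep their names, since the CHANGELOG says the rename exists precisely to separate the schema-derived descriptor from the logic class.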
......@@ -12,7 +12,7 @@ AuthzForce Core may be used in the following ways:
- Java API: you may use AuthzForce Core from your Java code to instantiate an embedded Java PDP.
- CLI (Command-Line Interface): you may call AuthzForce Core PDP engine from the command-line (e.g. in a script) by running the provided executable.
*HTTP/REST API: if you are interested in using a HTTP/REST API compliant with [REST Profile of XACML 3.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html), check the [AuthzForce RESTful PDP project](http://github.com/authzforce/restful-pdp) and [AuthzForce server project](http://github.com/authzforce/server).*
***HTTP/REST server**: if you are interested in using a HTTP/REST API compliant with [REST Profile of XACML 3.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html), check the [AuthzForce RESTful PDP project](http://github.com/authzforce/restful-pdp) and [AuthzForce server project](http://github.com/authzforce/server).*
## Features
* Compliance with the following OASIS XACML 3.0 standards:
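Review bot: the reworded HTTP/REST server line still links to github.com and docs.oasis-open.org over plain `http://`; switch all three to `https://`. Formatting: the two options above it are `-` list items while this one is an italic paragraph (`***HTTP/REST server**: ... *`, which does render, bold inside italic); making it a third list item keeps "AuthzForce Core may be used in the following ways" a single list.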
......@@ -34,13 +34,16 @@ AuthzForce Core may be used in the following ways:
* CLI (Command-Line Interface): basically an executable that you can run from the command-line to test the engine;
*HTTP/REST API compliant with [REST Profile of XACML 3.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html) is provided by [AuthzForce RESTful PDP project](http://github.com/authzforce/restful-pdp) for PDP only, and [AuthzForce server project](http://github.com/authzforce/server) for PDP and PAP with multi-tenancy.*
* Safety/Security:
* Safety & Security:
* Prevention of circular XACML policy references (PolicyIdReference/PolicySetIdReference) as mandated by [XACML 3.0](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047192);
* Control of the **maximum XACML PolicyIdReference/PolicySetIdReference depth**;
* Prevention of circular XACML variable references (VariableReference) as mandated by [XACML 3.0](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047185);
* Control of the **maximum XACML VariableReference depth**;
* Optional **strict multivalued attribute parsing**: if enabled, multivalued attributes must be formed by grouping all `AttributeValue` elements in the same Attribute element (instead of duplicate Attribute elements); this does not fully comply with [XACML 3.0 Core specification of Multivalued attributes (§7.3.3)](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047176), but it usually performs better than the default mode since it simplifies the parsing of attribute values in the request.
* Optional **strict attribute Issuer matching**: if enabled, `AttributeDesignators` without Issuer only match request Attributes without Issuer (and same AttributeId, Category...); this option is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present on a AttributeDesignator; but it is the recommended option when all AttributeDesignators have an Issuer (the XACML 3.0 specification (5.29) says: *If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone.*);
* Performance:
* Optional **strict multivalued attribute parsing**: if enabled, multivalued attributes must be formed by grouping all `AttributeValue` elements in the same Attribute element (instead of duplicate Attribute elements); this does not fully comply with [XACML 3.0 Core specification of Multivalued attributes (§7.3.3)](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047176), but it usually performs better than the default mode since it simplifies the parsing of attribute values in the request.
* Optional **strict attribute Issuer matching**: if enabled, `AttributeDesignators` without Issuer only match request Attributes without Issuer (and same AttributeId, Category...); this option is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present on a AttributeDesignator; but it is the recommended option for better performance when all AttributeDesignators have an Issuer (the XACML 3.0 specification (5.29) says: *If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone.*);
* **Optimal integer data-type** implementation: the `maxIntegerValue` configuration parameter (expected maximum absolute value in XACML attributes of type `http://www.w3.org/2001/XMLSchema#integer`) helps the PDP choose the most efficient Java data-type. By default, the XACML/XML type `http://www.w3.org/2001/XMLSchema#integer` is mapped to the larger Java data-type: `BigInteger`. However, this may be overkill for example in the case of integer attributes representing the age of a person; in this case, the `Short` type is more appropriate and especially more efficient. Therefore, decreasing the `maxIntegerValue` value as much as possible, based on the range you expect your integer values to fit in, makes the PDP engine more efficient on integer handling: lower memory consumption, faster computations.
* **Pluggable Decision Cache**: you can plug-in your own XACML Decision Cache mechanism to speed up evaluation of (repetitive) requests. See down below for more info (Decision Cache extension).
* Extensibility points:
* **[Attribute Datatypes](https://github.com/authzforce/core/wiki/XACML-Data-Types)**: you may extend the PDP engine with custom XACML attribute datatypes;
* **[Functions](https://github.com/authzforce/core/wiki/XACML-Functions)**: you may extend the PDP engine with custom XACML functions;
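Review bot: moving `strict attribute Issuer matching` from Safety & Security to Performance drops the security reason to enable it. As the quoted §5.29 text says, in the default mode an `AttributeDesignator` without Issuer matches by AttributeId and DataType alone, i.e. a request attribute carrying any Issuer satisfies it, whereas strict mode only accepts Issuer-less attributes; that narrowing of what can match a designator is the property a deployer cares about, not the speed. Keep a one-line pointer under Safety & Security (or say so in the item itself) so the option is not read as a pure speed knob. The same applies to strict multivalued attribute parsing, which rejects the duplicate-`Attribute` form rather than merely parsing it faster.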
......@@ -69,8 +72,6 @@ See the [change log](CHANGELOG.md) following the *Keep a CHANGELOG* [conventions
## License
See the [license file](LICENSE).
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fauthzforce%2Fcore.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fauthzforce%2Fcore?ref=badge_large)
## System requirements
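Review bot: the FOSSA status badge (and its link to app.fossa.io) is removed with no CHANGELOG entry and nothing replacing it; say whether the license scan is still run elsewhere or has been dropped, since the README's License section is now the only statement on licensing.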
......@@ -235,6 +236,9 @@ You will need an extra dependency as well, available from Maven Central:
* artifactId: `authzforce-ce-core-pdp-io-xacml-json`;
* packaging: `jar`.
##### Evaluating Requests in other formats
You can support other non-XACML formats of access requests (resp. responses), including your own, by implementing your own [Request Preprocessor](https://github.com/authzforce/core/wiki/XACML-Request-Preprocessors) (resp. [Result Postprocessor](https://github.com/authzforce/core/wiki/XACML-Result-Postprocessors) ).
##### Logging
Our PDP implementation uses SLF4J for logging so you can use any SLF4J implementation to manage logging. The CLI executable includes logback implementation, so you can use logback configuration file, e.g. [logback.xml](pdp-testutils/src/test/resources/logback.xml), for configuring loggers, appenders, etc.
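Review bot: the new `Evaluating Requests in other formats` subsection points to the wiki but does not say which artifact provides the `DecisionRequestPreprocessor` / `DecisionResultPostprocessor` interfaces to implement; the JSON subsection above lists its extra Maven dependency, so do the same here (the test class in this commit imports both from `org.ow2.authzforce.core.pdp.api`, i.e. `authzforce-ce-core-pdp-api`, which the CHANGELOG bumps to 16.3.0).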
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>15.1.0</version>
<version>15.2.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-cli</artifactId>
......@@ -30,12 +30,12 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
<version>15.1.0</version>
<version>15.2.0</version>
</dependency>
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
<version>15.1.0</version>
<version>15.2.0</version>
</dependency>
<dependency>
<groupId>org.testng</groupId>
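Review bot: the three internal dependency versions (`authzforce-ce-core-pdp-engine`, `authzforce-ce-core-pdp-io-xacml-json`, `authzforce-ce-core-pdp-testutils`) are hard-coded to `15.2.0` alongside the parent version; since they always equal this module's own version, `${project.version}` removes the chance of a release bump missing one (the pdp-testutils pom already uses `${project.groupId}` and `${artifactId.prefix}` but still hard-codes the version the same way). Only the `<parent>` version needs to stay literal.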
......@@ -46,7 +46,7 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
<version>15.1.0</version>
<version>15.2.0</version>
<scope>test</scope>
</dependency>
</dependencies>
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>15.1.0</version>
<version>15.2.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>15.1.0</version>
<version>15.2.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
......@@ -21,7 +21,7 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-xacml-json-model</artifactId>
<version>2.2.0</version>
<version>2.3.0</version>
</dependency>
<dependency>
<groupId>org.ow2.authzforce</groupId>
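Review bot: the CHANGELOG for 15.2.0 lists `org.everit.json.schema: 1.12.1`, but the only change in this pom is `authzforce-ce-xacml-json-model` 2.2.0 to 2.3.0, so everit must be arriving transitively; either pin it in `dependencyManagement` so a later json-model bump cannot silently move it, or state in the CHANGELOG that it is a transitive upgrade.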
......@@ -41,7 +41,7 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
<version>15.1.0</version>
<version>15.2.0</version>
<scope>test</scope>
</dependency>
</dependencies>
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>15.1.0</version>
<version>15.2.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
......@@ -23,7 +23,7 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-engine</artifactId>
<version>15.1.0</version>
<version>15.2.0</version>
</dependency>
<dependency>
<groupId>org.mongodb</groupId>
......@@ -32,16 +32,10 @@
<!-- Version must match the one defined in Jongo's pom.xml -->
<version>3.5.0</version>
</dependency>
<dependency>
<!-- Fix CVE-2018-1000873 on Jongo dependency -->
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.10.1</version>
</dependency>
<dependency>
<groupId>org.jongo</groupId>
<artifactId>jongo</artifactId>
<version>1.4.0</version>
<version>1.4.1</version>
</dependency>
<dependency>
<groupId>junit</groupId>
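Review bot: this hunk removes the explicit `jackson-databind` 2.9.10.1 override that the deleted comment ties to CVE-2018-1000873 and relies on `jongo` 1.4.1 instead; that is only safe if jongo 1.4.1 resolves a jackson-databind at or above that version, so confirm with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` and record the result in the CHANGELOG. The `org.mongodb` 3.5.0 pin just above, annotated "Version must match the one defined in Jongo's pom.xml", also needs re-checking against jongo 1.4.1.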
......@@ -83,6 +77,55 @@
<version>1.7.0</version>
<scope>test</scope>
</dependency>
<!-- Other XACML engines -->
<dependency>
<groupId>com.att.research.xacml</groupId>
<artifactId>xacml-pdp</artifactId>
<version>2.0.1</version>
<exclusions>
<exclusion>
<!-- Replaced with jcl-over-slf4j depended on by AuthzForce -->
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.wso2.balana</groupId>
<artifactId>org.wso2.balana</artifactId>
<version>1.2.3</version>
<exclusions>
<exclusion>
<!-- Replaced with jcl-over-slf4j depended on by AuthzForce -->
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
<exclusion>
<!-- already in org.wso2.balana bundle -->
<groupId>org.wso2.balana</groupId>
<artifactId>org.wso2.balana.utils</artifactId>
</exclusion>
<exclusion>
<!-- Overlaps slf4j, logback -->
<groupId>org.ops4j.pax.logging</groupId>
<artifactId>pax-logging-api</artifactId>
</exclusion>
</exclusions>
<scope>test</scope>
</dependency>
<!-- <dependency> -->
<!-- Do not use WSO2 version of xercesImpl. See https://github.com/wso2/balana/issues/82 . This org.wso2.balana.utils runtime dependency overlaps with att xacml-pdp's dependency xml-apis -->
<!-- <groupId>xerces.wso2</groupId> -->
<!-- <artifactId>xercesImpl</artifactId> -->
<!-- <version>2.8.1.wso2v2</version> -->
<!-- </dependency> -->
<dependency>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
<version>2.12.0</version>
<scope>test</scope>
</dependency>
<!-- /Test dependencies -->
</dependencies>
<build>
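Review bot: the exclusions reproduce by hand the class overlaps the comments describe (commons-logging vs jcl-over-slf4j, pax-logging-api vs slf4j/logback, WSO2 xercesImpl vs xml-apis); with two more XACML engines on the test classpath, a maven-enforcer rule (`dependencyConvergence`, or `banDuplicateClasses` from extra-enforcer-rules) would catch the next overlap at build time instead of as a `NoSuchMethodError` in a test run. The commented-out `xerces.wso2:xercesImpl` block can be reduced to the one-line comment with the issue link; the dead XML adds nothing the comment does not already say.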
......
......@@ -18,7 +18,6 @@
*/
package org.apache.coheigea.cxf.sts.xacml.common;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
......@@ -32,39 +31,48 @@ import org.apache.cxf.sts.claims.ProcessedClaimCollection;
/**
* A ClaimsHandler implementation that works with Roles.
*/
public class RolesClaimsHandler implements ClaimsHandler {
public class RolesClaimsHandler implements ClaimsHandler
{
public static final URI ROLE =
URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
public ProcessedClaimCollection retrieveClaimValues(
ClaimCollection claims, ClaimsParameters parameters) {
if (claims != null && claims.size() > 0) {
ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
for (Claim requestClaim : claims) {
ProcessedClaim claim = new ProcessedClaim();
claim.setClaimType(requestClaim.getClaimType());
if (ROLE.equals(requestClaim.getClaimType())) {
claim.setIssuer("STS");
if ("alice".equals(parameters.getPrincipal().getName())) {
claim.addValue("boss");
claim.addValue("employee");
} else if ("bob".equals(parameters.getPrincipal().getName())) {
claim.addValue("employee");
}
}
claimCollection.add(claim);
}
return claimCollection;
}
return null;
}
public static final String ROLE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
public List<URI> getSupportedClaimTypes() {
List<URI> list = new ArrayList<URI>();
list.add(ROLE);
return list;
}
@Override
public ProcessedClaimCollection retrieveClaimValues(final ClaimCollection claims, final ClaimsParameters parameters)
{
if (claims != null && claims.size() > 0)
{
final ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
for (final Claim requestClaim : claims)
{
final ProcessedClaim claim = new ProcessedClaim();
claim.setClaimType(requestClaim.getClaimType());
if (ROLE.equals(requestClaim.getClaimType()))
{
claim.setIssuer("STS");
if ("alice".equals(parameters.getPrincipal().getName()))
{
claim.addValue("boss");
claim.addValue("employee");
}
else if ("bob".equals(parameters.getPrincipal().getName()))
{
claim.addValue("employee");
}
}
claimCollection.add(claim);
}
return claimCollection;
}
return null;
}
@Override
public List<String> getSupportedClaimTypes()
{
final List<String> list = new ArrayList<>();
list.add(ROLE);
return list;
}
}
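Review bot: `retrieveClaimValues` creates and adds a `ProcessedClaim` for every requested claim type, not only `ROLE`, so a request for a claim this handler does not advertise in `getSupportedClaimTypes` is answered with a claim carrying the type but no issuer and no values; skip non-`ROLE` claims (`continue`) rather than echoing them. `parameters.getPrincipal().getName()` also dereferences the principal without a null check, and returning `null` instead of an empty `ProcessedClaimCollection` pushes a null check onto every caller. The switch of `ROLE` to `String` and of `getSupportedClaimTypes` to `List<String>` is consistent with the `@Override` annotations now added (the old `List<URI>` signature would not have compiled against the interface being overridden), so that part is fine.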
/**
* Copyright 2012-2020 THALES.
*
* This file is part of AuthzForce CE.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.ow2.authzforce.core.pdp.testutil.test;
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.DirectoryIteratorException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Optional;
import java.util.Properties;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.junit.runners.Parameterized.Parameters;
import org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor;
import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.XmlUtils;
import org.ow2.authzforce.core.pdp.api.XmlUtils.XmlnsFilteringParser;
import org.ow2.authzforce.core.pdp.api.XmlUtils.XmlnsFilteringParserFactory;
import org.ow2.authzforce.core.pdp.api.io.BaseXacmlJaxbResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.io.IndividualXacmlJaxbRequest;
import org.ow2.authzforce.core.pdp.api.io.PdpEngineInoutAdapter;
import org.ow2.authzforce.core.pdp.api.io.XacmlJaxbParsingUtils;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
import org.ow2.authzforce.core.pdp.api.value.StandardAttributeValueFactories;
import org.ow2.authzforce.core.pdp.impl.BasePdpEngine;
import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;
import org.ow2.authzforce.core.pdp.impl.io.PdpEngineAdapters;
import org.ow2.authzforce.core.pdp.impl.io.SingleDecisionXacmlJaxbRequestPreprocessor;
import org.ow2.authzforce.core.pdp.testutil.TestUtils;
import org.ow2.authzforce.xacml.Xacml3JaxbHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.ResourceUtils;
import org.wso2.balana.ConfigurationStore;
import org.wso2.balana.PDP;
import org.wso2.balana.PDPConfig;
import org.wso2.balana.ParsingException;
import org.wso2.balana.UnknownIdentifierException;
import org.wso2.balana.ctx.AbstractRequestCtx;
import org.wso2.balana.ctx.RequestCtxFactory;
import org.wso2.balana.ctx.ResponseCtx;
import org.wso2.balana.finder.impl.FileBasedPolicyFinderModule;
import com.att.research.xacml.api.pdp.PDPEngine;
import com.att.research.xacml.api.pdp.PDPEngineFactory;
import com.att.research.xacml.api.pdp.PDPException;
import com.att.research.xacml.std.dom.DOMRequest;
import com.att.research.xacml.std.dom.DOMResponse;
import com.att.research.xacml.std.dom.DOMStructureException;
import com.att.research.xacml.util.FactoryException;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
/**
* Comparative testing of XACML PDP Engines: AuthzForce, AT&T XACML, WSO2 Balana.
*
*/
@RunWith(value = Parameterized.class)
public class ComparativePdpTest
{
/**
* Name of root directory that contains test resources for each test
*/
public final static String TEST_RESOURCES_ROOT_DIRECTORY_LOCATION = "target/test-classes/ComparativePdpTest";
/**
* XACML request filename
*/
public final static String REQUEST_FILENAME = "request.xml";
/**
* XACML policy filename
*/
public final static String POLICY_FILENAME = "policy.xml";
/**
* Expected XACML response filename
*/
public final static String EXPECTED_RESPONSE_FILENAME = "response.xml";
/**
* AuthzForce PDP configuration directory, relative to TEST_RESOURCES_ROOT_DIRECTORY_LOCATION
*/
public static final String AUTHZFORCE_CE_PDP_CONF_DIRNAME = "configs/authzforce-ce";
/**
* Name of system property to be set to the current test case's directory, and used in AuthzForce PDP config
*/
public static final String TEST_CASE_DIR_SYS_PROP_NAME = "org.ow2.authzforce.test.case.dir";
/**
* ATT-XACML PDP configuration directory, relative to TEST_RESOURCES_ROOT_DIRECTORY_LOCATION
*/
public static final String ATT_XACML_PDP_CONF_DIRNAME = "configs/att-xacml";
/**
* ATT-XACML PDP config filename
*/
public static final String ATT_XACML_PDP_CONF_FILENAME = "xacml.properties";
/**
* WSO2 Balana PDP configuration directory, relative to TEST_RESOURCES_ROOT_DIRECTORY_LOCATION
*/
public static final String WSO2_BALANA_PDP_CONF_DIRNAME = "configs/wso2-balana";
/**
* WSO2 Balana PDP configuration filename
*/
public static final String WSO2_BALANA_PDP_CONF_FILENAME = "balana.xml";
private static final Logger LOGGER = LoggerFactory.getLogger(ComparativePdpTest.class);
private static final XmlnsFilteringParserFactory XACML_PARSER_FACTORY = XacmlJaxbParsingUtils.getXacmlParserFactory(false);
private interface PdpEngineInvoker
{
/**
* Policy evaluation
*
* @param testCaseDirPath
* case directory where policy, request and expected response file for the given test case are located input XACML request
* @return output XACML response
* @throws IOException
* @throws JAXBException
* error unmarshalling output XACML response with JAXB API
*/
Response eval(Path testCaseDirPath) throws IOException, JAXBException;
}
private static final class AuthzForcePdpEngineInvoker implements PdpEngineInvoker
{
private static final AttributeValueFactoryRegistry STD_ATTRIBUTE_VALUE_FACTORIES = StandardAttributeValueFactories.getRegistry(false, Optional.empty());
private static final DecisionRequestPreprocessor<Request, IndividualXacmlJaxbRequest> DEFAULT_XACML_JAXB_REQ_PREPROC = SingleDecisionXacmlJaxbRequestPreprocessor.LaxVariantFactory.INSTANCE
.getInstance(STD_ATTRIBUTE_VALUE_FACTORIES, false, false, XmlUtils.SAXON_PROCESSOR, Collections.emptySet());
private static final DecisionResultPostprocessor<IndividualXacmlJaxbRequest, Response> DEFAULT_XACML_JAXB_RESULT_POSTPROC = new BaseXacmlJaxbResultPostprocessor(0);
private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
// private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();
static
{
XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_COALESCING, Boolean.FALSE);
XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.TRUE);
XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
/*
* TODO: set Woodstox-specific output properties
*/
}
private static final String PDP_CONF_FILENAME = "pdp.xml";
private static final String XML_CATALOG_FILENAME = "catalog.xml";
private static final String PDP_EXT_XSD_FILENAME = "pdp-ext.xsd";
private final String catalogLocation;
private final String extXsdLocation;
private final File pdpConfFile;
private AuthzForcePdpEngineInvoker(final Path pdpConfigurationDirectoryPath) throws IllegalArgumentException
{
this.catalogLocation = pdpConfigurationDirectoryPath.resolve(XML_CATALOG_FILENAME).toString();
this.extXsdLocation = pdpConfigurationDirectoryPath.resolve(PDP_EXT_XSD_FILENAME).toString();
this.pdpConfFile = pdpConfigurationDirectoryPath.resolve(PDP_CONF_FILENAME).toFile();
}
@Override
public Response eval(final Path testCaseDirPath) throws IOException, JAXBException
{
System.setProperty(TEST_CASE_DIR_SYS_PROP_NAME, testCaseDirPath.toAbsolutePath().toString());
final PdpEngineConfiguration pdpConf = PdpEngineConfiguration.getInstance(pdpConfFile, catalogLocation, extXsdLocation);
final Path requestFilePath = testCaseDirPath.resolve(REQUEST_FILENAME);
// try
// {
/*
* FIXME: reuse the same Unmarshaller per thread (JAXB RI's Unmarshaller is not thread safe officially).
*/
final Unmarshaller unmarshaller = Xacml3JaxbHelper.XACML_3_0_JAXB_CONTEXT.createUnmarshaller();
/*
* WARNING: No XACML schema validation for fair comparison with other PdpEngines, because there is none in other PdpEngines, although it is easy to do with AuthzForce
*/
final Request xacmlRequest;
try (final FileInputStream fis = new FileInputStream(requestFilePath.toFile()); final BufferedInputStream is = new BufferedInputStream(fis);)
{
// xacmlRequest = (Request) unmarshaller.unmarshal(is);
final XMLStreamReader xmlReader = XML_INPUT_FACTORY.createXMLStreamReader(is);
xacmlRequest = (Request) unmarshaller.unmarshal(xmlReader);
}
catch (final XMLStreamException e)
{
throw new IllegalArgumentException("AuthzForce PDP engine - Bad input XML", e);
}
try (final PdpEngineInoutAdapter<Request, Response> xacmlJaxbIoPdp = PdpEngineAdapters.newInoutAdapter(Request.class, Response.class, new BasePdpEngine(pdpConf),
DEFAULT_XACML_JAXB_REQ_PREPROC, DEFAULT_XACML_JAXB_RESULT_POSTPROC))
{
final Response xacmlResponse = xacmlJaxbIoPdp.evaluate(xacmlRequest);
return xacmlResponse;
}
}
}
private static final class AttXacmlPdpEngineInvoker implements PdpEngineInvoker
{
private final PDPEngineFactory pdpEngineFactory;
private final File pdpConfFile;
private AttXacmlPdpEngineInvoker(final Path pdpConfigurationDirectoryPath) throws IllegalArgumentException
{
try
{
pdpEngineFactory = PDPEngineFactory.newInstance();
}
catch (final FactoryException e)
{
throw new IllegalArgumentException("ATT XACML engine - Init error", e);
}
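Review bot: `AuthzForcePdpEngineInvoker.eval` sets the process-wide system property `org.ow2.authzforce.test.case.dir` and never restores it; the value is consumed when `PdpEngineConfiguration.getInstance(pdpConfFile, ...)` parses `pdp.xml` on the next line, so any other test in the same JVM that builds a PDP configuration concurrently (Surefire parallel execution) can pick up the wrong test-case directory. Either pass the directory into the configuration without a system property, or save and restore it in a `finally`. The FIXME at the `Unmarshaller` creation is the same shape: a `ThreadLocal<Unmarshaller>` resolves it without thread-safety risk. The hardened `XMLInputFactory` (DTD support and external entities disabled) is the right way to read `request.xml`; the AT&T and Balana invokers are cut off here, but if they parse the same file themselves they should get the same settings so the comparison is not also comparing XXE exposure.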