Commit 224979f3 authored by cdanger's avatar cdanger

- Fixed duplicate StandardCombiningAlgorithm id

- Fixed NPE in RootPolicyProvider modules
parent 368ae782
......@@ -24,14 +24,15 @@ import java.util.Set;
import org.ow2.authzforce.core.pdp.api.PdpExtension;
import org.ow2.authzforce.core.pdp.api.PdpExtensionRegistry;
import com.koloboke.collect.map.ObjObjMap;
import com.google.common.base.Function;
import com.google.common.base.Preconditions;
import com.google.common.collect.Maps;
import com.koloboke.collect.map.hash.HashObjObjMaps;
import com.koloboke.collect.set.hash.HashObjSets;
/**
* This is a base implementation of <code>PdpExtensionRegistry</code>. This should be used as basis to implement (in a
* final class) an immutable PDP extension registry of a specific type. If you need a generic immutable PDP extension
* registry, see {
* This is a base implementation of <code>PdpExtensionRegistry</code>. This should be used as basis to implement (in a final class) an immutable PDP extension registry of a specific type. If you need
* a generic immutable PDP extension registry, see {
*
* @param <T>
* type of extension in this registry
......@@ -49,11 +50,10 @@ public abstract class BasePdpExtensionRegistry<T extends PdpExtension> implement
*
* @param extensionClass
* extension class
* @param extensions
* extensions input map; the registry actually creates and uses an immutable copy of this map internally
* to avoid external modifications on the internal map
* @param extensionsById
* extensions input map; the registry actually creates and uses an immutable copy of this map internally to avoid external modifications on the internal map
*/
protected BasePdpExtensionRegistry(Class<? super T> extensionClass, Map<String, T> extensionsById)
protected BasePdpExtensionRegistry(final Class<? super T> extensionClass, final Map<String, T> extensionsById)
{
assert extensionClass != null && extensionsById != null;
......@@ -64,7 +64,7 @@ public abstract class BasePdpExtensionRegistry<T extends PdpExtension> implement
/** {@inheritDoc} */
@Override
public final T getExtension(String identity)
public final T getExtension(final String identity)
{
return extensionsById.get(identity);
}
......@@ -76,15 +76,24 @@ public abstract class BasePdpExtensionRegistry<T extends PdpExtension> implement
return HashObjSets.newImmutableSet(extensionsById.values());
}
private static <E extends PdpExtension> Map<String, E> newImmutableMap(Set<E> extensions)
private static final class ExtensionToIdFunction<E extends PdpExtension> implements Function<E, String>
{
final ObjObjMap<String, E> mutableMap = HashObjObjMaps.newUpdatableMap(extensions.size());
for (final E extension : extensions)
@Override
public String apply(final E extension) throws NullPointerException
{
mutableMap.put(extension.getId(), extension);
assert extension != null;
return Preconditions.checkNotNull(extension, "One of the input extensions is invalid (null)").getId();
}
return HashObjObjMaps.newImmutableMap(mutableMap);
}
private static final Function<? extends PdpExtension, String> EXTENSION_TO_ID_FUNCTION = new ExtensionToIdFunction<>();
@SuppressWarnings("unchecked")
private static <E extends PdpExtension> Map<String, E> newImmutableMap(final Set<E> extensions)
{
return Maps.uniqueIndex(extensions, (Function<E, String>) EXTENSION_TO_ID_FUNCTION);
}
/**
......@@ -95,7 +104,7 @@ public abstract class BasePdpExtensionRegistry<T extends PdpExtension> implement
* @param extensions
* extensions (required not null)
*/
protected BasePdpExtensionRegistry(Class<? super T> extensionClass, Set<T> extensions)
protected BasePdpExtensionRegistry(final Class<? super T> extensionClass, final Set<T> extensions)
{
this(extensionClass, newImmutableMap(extensions));
}
......
......@@ -18,41 +18,42 @@
*/
package org.ow2.authzforce.core.pdp.impl;
import java.util.Arrays;
import java.util.Map;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.xacml.identifiers.XACMLAttributeId;
import org.ow2.authzforce.xacml.identifiers.XACMLCategory;
import com.google.common.collect.Maps;
/**
* 10.2.5 Attributes
*
* The implementation MUST support the attributes associated with the following
* identifiers as specified by XACML. If values for these attributes are not
* present in the decision request, then their values MUST be supplied by the
* context handler. So, unlike most other attributes, their semantics are not
* transparent to the PDP.
* The implementation MUST support the attributes associated with the following identifiers as specified by XACML. If values for these attributes are not present in the decision request, then their
* values MUST be supplied by the context handler. So, unlike most other attributes, their semantics are not transparent to the PDP.
*/
public enum StandardEnvironmentAttribute {
public enum StandardEnvironmentAttribute
{
/**
* urn:oasis:names:tc:xacml:1.0:environment:current-time
*/
CURRENT_TIME(new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null,
XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_TIME.value())),
CURRENT_TIME(new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_TIME.value())),
/**
* urn:oasis:names:tc:xacml:1.0:environment:current-date
*/
CURRENT_DATE(new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null,
XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATE.value())),
CURRENT_DATE(new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATE.value())),
/**
* urn:oasis:names:tc:xacml:1.0:environment:current-dateTime
*/
CURRENT_DATETIME(new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null,
XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATETIME.value()));
CURRENT_DATETIME(new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATETIME.value()));
private final AttributeGUID attributeGUID;
private StandardEnvironmentAttribute(final AttributeGUID attributeGUID) {
private StandardEnvironmentAttribute(final AttributeGUID attributeGUID)
{
this.attributeGUID = attributeGUID;
}
......@@ -61,7 +62,33 @@ public enum StandardEnvironmentAttribute {
*
* @return attribute GUID (AttributeId, Issuer, Category)
*/
public AttributeGUID getGUID() {
public AttributeGUID getGUID()
{
return this.attributeGUID;
}
private static final Map<AttributeGUID, StandardEnvironmentAttribute> ID_TO_STD_ATTR_MAP = Maps.uniqueIndex(Arrays.asList(StandardEnvironmentAttribute.values()),
new com.google.common.base.Function<StandardEnvironmentAttribute, AttributeGUID>()
{
@Override
public AttributeGUID apply(final StandardEnvironmentAttribute input)
{
assert input != null;
return input.getGUID();
}
});
/**
* Get the standard environment attribute corresponding to the given ID
*
* @param attributeGUID
* standard attribute ID
* @return StandardEnvironmentAttribute corresponding to given ID, or null if there is no standard environment attribute with such ID
*/
public static StandardEnvironmentAttribute getInstance(final AttributeGUID attributeGUID)
{
return ID_TO_STD_ATTR_MAP.get(attributeGUID);
}
}
......@@ -45,6 +45,8 @@ import org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider;
*/
public class CoreRefBasedRootPolicyProviderModule implements StaticRootPolicyProviderModule
{
private static final IllegalArgumentException NULL_REF_POLICY_PROVIDER_CONF = new IllegalArgumentException("Undefined refPolicyProvider. Root policy provider module '"
+ CoreRefBasedRootPolicyProviderModule.class + "' requires a refPolicyProvider module configuration to be defined.");
private static final IllegalArgumentException ILLEGAL_XML_CONF_ARG_EXCEPTION = new IllegalArgumentException("Undefined XML/JAXB configuration");
private static final IllegalArgumentException ILLEGAL_XACML_POLICY_REF_ARG_EXCEPTION = new IllegalArgumentException("Undefined XACML PolicySetIdReference");
......@@ -101,13 +103,18 @@ public class CoreRefBasedRootPolicyProviderModule implements StaticRootPolicyPro
* @param environmentProperties
* PDP configuration environment properties
* @throws IllegalArgumentException
* if {@code policySetRef} is null/invalid, or if {@code jaxbRefPolicyProviderConf != null && (expressionFactory == null || combiningAlgRegistry == null || xacmlParserFactory == null)}
* if {@code policySetRef} is null/invalid, or if {@code jaxbRefPolicyProviderConf == null || expressionFactory == null || combiningAlgRegistry == null || xacmlParserFactory == null}
* or no PolicySet matching {@code policySetRef} could be resolved by the refPolicyProvider
*/
public <CONF extends AbstractPolicyProvider> CoreRefBasedRootPolicyProviderModule(final IdReferenceType policyRef, final ExpressionFactory expressionFactory,
final CombiningAlgRegistry combiningAlgRegistry, final XACMLParserFactory xacmlParserFactory, final CONF jaxbRefPolicyProviderConf,
final RefPolicyProviderModule.Factory<CONF> refPolicyProviderModFactory, final int maxPolicySetRefDepth, final EnvironmentProperties environmentProperties) throws IllegalArgumentException
{
if (jaxbRefPolicyProviderConf == null)
{
throw NULL_REF_POLICY_PROVIDER_CONF;
}
/*
* The refPolicyProviderModule is not instantiated here but in the BaseRefPolicyProvider since it is the one using this resource (refPolicyProviderModule), therefore responsible for closing it
* (call Closeable#close()) when it is done using them. We apply the basic principle that is the class creating the resource, that manages/closes it.
......
......@@ -146,13 +146,30 @@ public class CoreRootPolicyProviderModule implements StaticRootPolicyProviderMod
* global PDP configuration environment properties
*
* @throws IllegalArgumentException
* if {@code jaxbPolicySet} is null/invalid, or if {@code jaxbRefPolicyProviderConf != null || expressionFactory == null || combiningAlgRegistry == null || xacmlParserFactory == null}
* or no PolicySet matching {@code policySetRef} could be resolved by the refPolicyProvider
* if {@code jaxbPolicySet } null/invalid, or {@code expressionFactory == null || combiningAlgRegistry == null || xacmlParserFactory == null}; OR ({@©code
* jaxbRefPolicyProviderConf != null} AND (refPolicyProviderModFactory == null OR xacmlParserFactory == null OR no PolicySet matching {@code policySetRef} could be resolved by the
* refPolicyProvider OR policy reference too deep (longer than maxPolicySetRefDepth))
*/
public <CONF extends AbstractPolicyProvider> CoreRootPolicyProviderModule(final PolicySet jaxbPolicySet, final Map<String, String> namespacePrefixesByURI,
final ExpressionFactory expressionFactory, final CombiningAlgRegistry combiningAlgRegistry, final XACMLParserFactory xacmlParserFactory, final CONF jaxbRefPolicyProviderConf,
final RefPolicyProviderModule.Factory<CONF> refPolicyProviderModFactory, final int maxPolicySetRefDepth, final EnvironmentProperties environmentProperties) throws IllegalArgumentException
{
if (jaxbRefPolicyProviderConf == null)
{
// refPolicyProvider null
try
{
rootPolicy = PolicyEvaluators.getInstanceStatic(jaxbPolicySet, null, namespacePrefixesByURI, expressionFactory, combiningAlgRegistry, null, null);
}
catch (final IllegalArgumentException e)
{
throw new IllegalArgumentException("Invalid PolicySet: " + jaxbPolicySet.getPolicySetId(), e);
}
return;
}
// jaxbRefPolicyProviderConf != null
try (final CloseableStaticRefPolicyProvider refPolicyProvider = new BaseStaticRefPolicyProvider(jaxbRefPolicyProviderConf, refPolicyProviderModFactory, xacmlParserFactory, expressionFactory,
combiningAlgRegistry, maxPolicySetRefDepth, environmentProperties))
{
......
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -22,23 +22,22 @@ import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
import java.util.NavigableSet;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersion;
import org.ow2.authzforce.core.pdp.api.policy.VersionPatterns;
import com.google.common.collect.ImmutableSortedMap;
import com.google.common.collect.UnmodifiableIterator;
/**
* Policy versions sorted from latest version to oldest.
* <p>
* The choice to have the latest version in first position is motivated by §5.10
* of XACML core spec:
* The choice to have the latest version in first position is motivated by §5.10 of XACML core spec:
* "In the case that more than one matching version can be obtained, then the most recent one SHOULD be used."
*
* @param
* <P>
* policy type (or any other type of data corresponding to a specific
* policy version)
* @param <P>
* policy type (or any other type of data corresponding to a specific policy version)
*
* @version $Id: $
*/
......@@ -54,8 +53,7 @@ public final class PolicyVersions<P> implements Iterable<Entry<PolicyVersion, P>
*/
public PolicyVersions(final Map<PolicyVersion, P> versions)
{
policiesByVersion = versions == null ? ImmutableSortedMap.<PolicyVersion, P> of()
: ImmutableSortedMap.copyOf(versions, Collections.reverseOrder());
policiesByVersion = versions == null ? ImmutableSortedMap.<PolicyVersion, P> of() : ImmutableSortedMap.copyOf(versions, Collections.reverseOrder());
}
/**
......@@ -84,9 +82,7 @@ public final class PolicyVersions<P> implements Iterable<Entry<PolicyVersion, P>
if (versionPatterns == null)
{
/*
* Return the latest version which is the first element by design
* (TreeMap initialized with reverse order on version keys). See
* §5.10 of XACML core spec:
* Return the latest version which is the first element by design (TreeMap initialized with reverse order on version keys). See §5.10 of XACML core spec:
* "In the case that more than one matching version can be obtained, then the most recent one SHOULD be used."
*/
return versionPolicyPairsIterator.next();
......@@ -103,11 +99,8 @@ public final class PolicyVersions<P> implements Iterable<Entry<PolicyVersion, P>
final Entry<PolicyVersion, P> versionPolicyPair = versionPolicyPairsIterator.next();
final PolicyVersion version = versionPolicyPair.getKey();
/*
* Versions ordered by latest first, so check against constraints'
* LatestVersion pattern first. If LatestVersion is matched by this
* version, no need to check again for the next versions, as they
* are already sorted from latest to earliest. If LatestVersion not
* matched yet, we check now.
* Versions ordered by latest first, so check against constraints' LatestVersion pattern first. If LatestVersion is matched by this version, no need to check again for the next versions,
* as they are already sorted from latest to earliest. If LatestVersion not matched yet, we check now.
*/
if (!latestVersionMatched)
{
......@@ -120,9 +113,7 @@ public final class PolicyVersions<P> implements Iterable<Entry<PolicyVersion, P>
if (latestVersionMatched)
{
/*
* If EarliestVersion already checked and not matched before, we
* would have returned null (see below). So at this point,
* EarliestVersion is either not checked yet or already matched.
* If EarliestVersion already checked and not matched before, we would have returned null (see below). So at this point, EarliestVersion is either not checked yet or already matched.
* So EarliestVersion no checked iff not already matched.
*/
if (!earliestVersionMatched)
......@@ -131,10 +122,7 @@ public final class PolicyVersions<P> implements Iterable<Entry<PolicyVersion, P>
// check against EarliestVersion pattern
earliestVersionMatched = versionPatterns.matchEarliestVersion(version);
/*
* If still not matched, version cannot be in the
* [EarliestVersion, LatestVersion] interval. All next
* versions are earlier, so they cannot be either -> no
* match
* If still not matched, version cannot be in the [EarliestVersion, LatestVersion] interval. All next versions are earlier, so they cannot be either -> no match
*/
if (!earliestVersionMatched)
{
......@@ -164,4 +152,37 @@ public final class PolicyVersions<P> implements Iterable<Entry<PolicyVersion, P>
{
return policiesByVersion.entrySet().iterator();
}
/**
* Get number of versions
*
* @return number of policy versions
*/
public int size()
{
return this.policiesByVersion.size();
}
/**
* Get iterator over versions from oldest to latest
*
* @return unmodifiable iterator over versions from oldest to latest
*/
public UnmodifiableIterator<Entry<PolicyVersion, P>> oldestToLatestIterator()
{
/*
* The map is sorted from latest to oldest by default, so "descending" in this case means from oldest to latest
*/
return policiesByVersion.descendingMap().entrySet().iterator();
}
/**
* Get versions from latest to oldest
*
* @return versions from latest to oldest
*/
public NavigableSet<PolicyVersion> latestToOldestSet()
{
return policiesByVersion.keySet();
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment