Commit 3581dcf0 authored by cdanger's avatar cdanger

Added non-regression test for issue #21 (OW2 JIRA)

parent b2a8bb25
When handling the same XACML Request twice in the same JVM with the root PolicySet using deny-unless-permit algorithm over a Policy returning simple Deny (no status/obligation/advice) and a Policy returning Permit/Deny with obligations/advice, the obligation is duplicated in the final result at the second time this situation occurs.
Cause: the obligation/advice of the second policy is merged into the static variable systematically used for the simple Deny result.
This folder is the first part of test which consists to evaluate the first request.
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/3.6" version="3.6.4">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" />
</pdp>
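Review bot: The comment `<!-- Testing parameter 'maxPolicySetRefDepth' -->` at the top of this PDP configuration does not describe it, since the `<pdp>` element sets no such parameter and only declares a static root policy provider. It looks carried over from another test fixture. I would replace it with something like `<!-- Non-regression test for issue #21: obligation duplicated when the same Deny is evaluated twice -->`. The PDP configuration in the second test folder further down has the same comment.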
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:policy"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
Version="1.0">
<Description>
Policy for non-regression test of issue XX.
</Description>
<Target />
<Policy
PolicyId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:not-applicable-policy" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX</AttributeValue>
<AttributeDesignator
AttributeId="urn:ow2:authzforce:xacml:attribute:id:not-in-the-request"
Category="urn:ow2:authzforce:xacml:attribute:category:not-in-the-request"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
</AllOf>
</AnyOf>
</Target>
<!-- <ObligationExpressions> -->
<!-- <ObligationExpression FulfillOn="Deny" ObligationId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:rule:obligation"> -->
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeValue> -->
<!-- </AttributeAssignmentExpression> -->
<!-- </ObligationExpression> -->
<!-- </ObligationExpressions> -->
<!-- <AdviceExpressions> -->
<!-- <AdviceExpression AppliesTo="Deny" AdviceId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:Advice-1"> -->
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeValue> -->
<!-- </AttributeAssignmentExpression> -->
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicSingleValue"> -->
<!-- <AttributeDesignator -->
<!-- Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" -->
<!-- AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string" -->
<!-- MustBePresent="true"/> -->
<!-- </AttributeAssignmentExpression> -->
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue"> -->
<!-- <AttributeDesignator -->
<!-- Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:other-doctor" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string" -->
<!-- MustBePresent="true"/> -->
<!-- </AttributeAssignmentExpression> -->
<!-- </AdviceExpression> -->
<!-- </AdviceExpressions> -->
</Policy>
<Policy
PolicyId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:policy2" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target />
<ObligationExpressions>
<ObligationExpression FulfillOn="Deny"
ObligationId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:policy2:obligation">
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeValue> -->
<!-- </AttributeAssignmentExpression> -->
</ObligationExpression>
</ObligationExpressions>
</Policy>
</PolicySet>
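Review bot: `PolicyCombiningAlgId` on the root `<PolicySet>` is set to the rule-combining identifier `urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit`, whereas XACML 3.0 defines `urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit` for combining policies. The PDP may well accept both, but the regression being pinned sits in policy combining, so the fixture should name that algorithm explicitly. Separately, the `XX` placeholders in the ids and in `<Description>` could carry the issue number, and the commented-out obligation and advice blocks can be dropped so that only the one obligation that matters remains visible. The policy in the second test folder has the same lines.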
<?xml version="1.0" encoding="utf-8"?>
<Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<!-- <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">J. Hibbert</AttributeValue> -->
<!-- </Attribute> -->
<!-- <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:age"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">45</AttributeValue> -->
<!-- </Attribute> -->
</Attributes>
<!-- <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> -->
<!-- <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue> -->
<!-- </Attribute> -->
<!-- </Attributes> -->
<!-- <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> -->
<!-- <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> -->
<!-- </Attribute> -->
<!-- </Attributes> -->
<!-- <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"> -->
<!-- <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:bart-simpson-age"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue> -->
<!-- </Attribute> -->
<!-- <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:other-doctor"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C. Everet Koop</AttributeValue> -->
<!-- </Attribute> -->
<!-- <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:other-doctor"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Victor Frankenstein</AttributeValue> -->
<!-- </Attribute> -->
<!-- <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:other-doctor"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John Jeckel</AttributeValue> -->
<!-- </Attribute> -->
<!-- </Attributes> -->
</Request>
\ No newline at end of file
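Review bot: Once the comments are discarded, this request consists of one empty `<Attributes>` element for the access-subject category, which is what the second folder's request states directly as `<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />`. Because the test depends on the same request being evaluated twice, I would delete the commented-out attributes here so the two request files are visibly identical. The file also lacks a trailing newline.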
<?xml version="1.0" encoding="UTF-8"?>
<Response
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>
<Result>
<Decision>Deny</Decision>
<!-- <Status> -->
<!-- <StatusCode -->
<!-- Value="urn:oasis:names:tc:xacml:1.0:status:ok"/> -->
<!-- </Status> -->
<!-- <Obligations> -->
<!-- <Obligation -->
<!-- ObligationId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:obligation-1" > -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicSingleValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">J. Hibbert</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">C. Everet Koop</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">Victor Frankenstein</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">John Jeckel</AttributeAssignment> -->
<!-- </Obligation> -->
<!-- </Obligations> -->
<!-- <AssociatedAdvice> -->
<!-- <Advice -->
<!-- AdviceId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:Advice-1"> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicSingleValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">J. Hibbert</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">C. Everet Koop</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">Victor Frankenstein</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">John Jeckel</AttributeAssignment> -->
<!-- </Advice> -->
<!-- </AssociatedAdvice> -->
</Result>
</Response>
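Review bot: The expected `<Result>` contains only `<Decision>Deny</Decision>`, although policy2 in the accompanying policy declares an obligation with `FulfillOn="Deny"` and, as I read it, is the policy that produces the Deny. If the test harness compares obligations, the expected response should list that obligation exactly once, e.g. `<Obligations><Obligation ObligationId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:policy2:obligation"/></Obligations>`. If it does not compare them, this test cannot tell one obligation from two and so would not catch the regression. The expected response in the second folder, where the duplicate is said to appear, is identical and needs the same check. The commented-out `IID302` status, obligation and advice blocks come from another test and can be removed.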
When handling the same XACML Request twice in the same JVM with the root PolicySet using deny-unless-permit algorithm over a Policy returning simple Deny (no status/obligation/advice) and a Policy returning Permit/Deny with obligations/advice, the obligation is duplicated in the final result at the second time this situation occurs.
Cause: the obligation/advice of the second policy is merged into the static variable systematically used for the simple Deny result.
This folder is the second part of test which consists to evaluate the second request. The bug is visible only in the result of this second evaluation (duplicate obligation).
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/3.6" version="3.6.4">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" />
</pdp>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicySetId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:policy"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
Version="1.0">
<Description>
Policy for non-regression test of issue XX.
</Description>
<Target />
<Policy
PolicyId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:not-applicable-policy" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX</AttributeValue>
<AttributeDesignator
AttributeId="urn:ow2:authzforce:xacml:attribute:id:not-in-the-request"
Category="urn:ow2:authzforce:xacml:attribute:category:not-in-the-request"
DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" />
</Match>
</AllOf>
</AnyOf>
</Target>
<!-- <ObligationExpressions> -->
<!-- <ObligationExpression FulfillOn="Deny" ObligationId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:rule:obligation"> -->
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeValue> -->
<!-- </AttributeAssignmentExpression> -->
<!-- </ObligationExpression> -->
<!-- </ObligationExpressions> -->
<!-- <AdviceExpressions> -->
<!-- <AdviceExpression AppliesTo="Deny" AdviceId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:Advice-1"> -->
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeValue> -->
<!-- </AttributeAssignmentExpression> -->
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicSingleValue"> -->
<!-- <AttributeDesignator -->
<!-- Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" -->
<!-- AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string" -->
<!-- MustBePresent="true"/> -->
<!-- </AttributeAssignmentExpression> -->
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue"> -->
<!-- <AttributeDesignator -->
<!-- Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:other-doctor" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string" -->
<!-- MustBePresent="true"/> -->
<!-- </AttributeAssignmentExpression> -->
<!-- </AdviceExpression> -->
<!-- </AdviceExpressions> -->
</Policy>
<Policy
PolicyId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:policy2" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
<Target />
<ObligationExpressions>
<ObligationExpression FulfillOn="Deny"
ObligationId="urn:ow2:authzforce:xacml:3.0:non-regression-test:XX:policy2:obligation">
<!-- <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1"> -->
<!-- <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeValue> -->
<!-- </AttributeAssignmentExpression> -->
</ObligationExpression>
</ObligationExpressions>
</Policy>
</PolicySet>
<?xml version="1.0" encoding="utf-8"?>
<Request ReturnPolicyIdList="false" CombinedDecision="false" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
</Request>
\ No newline at end of file
<?xml version="1.0" encoding="UTF-8"?>
<Response
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>
<Result>
<Decision>Deny</Decision>
<!-- <Status> -->
<!-- <StatusCode -->
<!-- Value="urn:oasis:names:tc:xacml:1.0:status:ok"/> -->
<!-- </Status> -->
<!-- <Obligations> -->
<!-- <Obligation -->
<!-- ObligationId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:obligation-1" > -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicSingleValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">J. Hibbert</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">C. Everet Koop</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">Victor Frankenstein</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">John Jeckel</AttributeAssignment> -->
<!-- </Obligation> -->
<!-- </Obligations> -->
<!-- <AssociatedAdvice> -->
<!-- <Advice -->
<!-- AdviceId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:Advice-1"> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:assignment1" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">assignment1</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicSingleValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">J. Hibbert</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">C. Everet Koop</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">Victor Frankenstein</AttributeAssignment> -->
<!-- <AttributeAssignment -->
<!-- AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IID302:dynamicMultiValue" -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string">John Jeckel</AttributeAssignment> -->
<!-- </Advice> -->
<!-- </AssociatedAdvice> -->
</Result>
</Response>