Commit 508e918b authored by cdanger's avatar cdanger

- Fixed #62: Refactor BasePdpEngine - Move the standardEnvironmentAttribute*...

- Fixed #62: Refactor BasePdpEngine - Move the standardEnvironmentAttribute* code (providing current-time/dateTime/date attributes not present in the request) to dedicated AttributeProvider -> new PDP XSD and new built-in AttributeProvider: `StandardEnvironmentAttributeProvider` class
- authzforce-ce-parent upgraded to 8.1.0
- authzforce-ce-core-pdp-api upgraded to 19.0.0: applied API changes:
### Changed
- AttributeProvider interface removed, existing NamedAttributeProvider used instead
- `authzforce-ce-parent` version: 8.1.0
- Improved support of Multiple Decision Profile in the `PdpEngine` interface and the following types of PDP extensions: Combining Algorithm, Function, Attribute Provider, Policy Provider. The corresponding interfaces (`CombiningAlg`...) have changed: some of their methods (called during request evaluation) now take a new `Optional<EvaluationContext>` parameter which is used to pass the MDP evaluation context (MDP = Multiple Decision Profile), i.e. an evaluation context shared across all the Individual Decision Requests within the same Multiple Decision Request whenever MDP is used in the input request to the PDP. This enables all PDP extensions to be aware of / provide better support for the Multiple Decision Profile. This may be used in particular by an Attribute Provider providing the standard current-time/current-date/current-dateTime attributes, which should have the same values for all Individual Decision Requests corresponding to the same Multiple Decision Request.
- `DecisionRequest` and `EvaluationContext` interfaces changed:
  - New method `getCreationTimestamp()`: provides the date/time of the request/context creation. Used typically for the standard current-* attributes.
  - `putNamedAttributeValueIfAbsent(AttributeFqn, AttributeBag)` replaced with more generic `putNamedAttributeValue(AttributeFqn, AttributeBag, boolean override)`

### Added
- Attribute Provider (`NamedAttributeProvider`) interface: added 2 new methods for better support of the Multiple Decision Profile (all implemented by default to do nothing):

    - `beginMultipleDecisionRequest(EvaluationContext mdpContext)`: for special processing in the context of the MDP request (before corresponding Individual Decision requests are evaluated)
    - `supportsBeginMultipleDecisionRequest()`: indicates whether the Attribute Provider implements `beginMultipleDecisionRequest()` method and therefore needs the PDP engine to call it when a new MDP request is evaluated
    - `beginIndividualDecisionRequest(EvaluationContext individualDecisionContext, Optional<EvaluationContext> mdpContext)`: for special processing in the context of an Individual Decision request, before it is evaluated against policies (before the `get(attribute)` method is ever called for the individual decision request).
    - `supportsBeginIndividualDecisionRequest()`: indicates whether the Attribute Provider implements `beginIndividualDecisionRequest()` method and therefore needs the PDP engine to call it when a new individual decision request is evaluated.

- PdpBean#evaluate(...), PdpEngine#evaluate(...) and all *Evaluator#evaluate(...) methods take a new `Optional<EvaluationContext>` parameter to support the new MDP evaluation context when MDP (Multiple Decision Profile) is used
- Moved the OSS PDP benchmark (authzforce, at&t xacml and wso2 balana) to a separate maven module
- Obsoleted .travis.yml replaced with GitHub Action
- Replaced ModularAttributeProvider with new CloseableNamedAttributeProviderRegistry, EvaluationContextBased*NamedAttributeProvider classes
- Updated all tests pdp.xml (PDP configs) to new XSD
- Added Migration (from 17.x to 18.x) instructions with new `migration` folder containing migration XSLT stylesheets and new XSLT for migrating PDP config to XSD v8: pdp-xsd-v7.xsl
- pdp-testutils module: upgraded jongo dependency to 1.5.0, mongo-java-driver to 3.12.10
- New StandardResourceAttribute/StandardSubjectAttribute enums for standard resource/subject attributes with standard-fixed datatype
- pdp-cli: Upgraded picocli to 4.6.2, testng to 7.5
parent 73af148c
language: java
jdk:
- openjdk11
after_success:
- bash <(curl -s https://codecov.io/bash)
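Review bot: the deleted .travis.yml uploaded coverage with `bash <(curl -s https://codecov.io/bash)`, i.e. it fetched a script over the network at build time and piped it straight into bash; the replacement GitHub Actions workflow is not part of this diff, so please make sure it does not reproduce that pattern and instead pins the coverage-upload action (or any script it downloads) to a specific version or commit SHA, so that the build's supply chain is reviewable.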
......@@ -147,7 +147,7 @@ properties and environment variables (enclosed between '${...}') with default va
### Changed
- Maven dependency versions:
- `authzforce-ce-core-pdp-api`: 15.2.0 (change in `ExpressionFactory` interface: new method `getVariableExpression(variableId)`)
- Policy / `VariableDefinition` evaluation: a XACML Variable expressions is now evaluated and the Variable assigned in the EvaluationContext where the `VariableDefinition` is defined (as opposed to previous behavior which consisted in lazy evaluation, ie only when used in a corresponding `VariableReference`), making the Variable's value available not only to `VariableReference` but also PDP extensions such as Attribute Providers, even if no corresponding `VariableReference` occurs in the policy)
- Policy / `VariableDefinition` evaluation: a XACML Variable expressions is now evaluated and the Variable assigned in the EvaluationContext where the `VariableDefinition` is defined (as opposed to previous behavior which consisted in lazy evaluation, ie only when used in a corresponding `VariableReference`), making the Variable's value available not only to `VariableReference` but also PDP extensions such as Attribute Providers, even if no corresponding `VariableReference` occurs in the policy
- `Time-in-range` function optimized (removed useless code)
- `GenericAttributeProviderBasedAttributeDesignatorExpression` class moved to dependency authzforce-ce-core-pdp-api
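Review bot: the rewritten "Policy / `VariableDefinition` evaluation" line still has a number-agreement error that should be fixed while the sentence is being touched: "a XACML Variable expressions is now evaluated" should read "a XACML Variable expression is now evaluated and the Variable assigned in the EvaluationContext where the `VariableDefinition` is defined"; "ie" should also be "i.e." as elsewhere in the CHANGELOG. Dropping the stray closing parenthesis at the end is correct.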
......@@ -189,7 +189,7 @@ properties and environment variables (enclosed between '${...}') with default va
- Interface method AttributeProvider#get(...): replaced parameter type BagDatatype with Datatype to simplify AttributeProviders' code
### Added
- Base implementations of a few interfaces to help implementing unit tests for PDP extensions:
- Base implementations of a few interfaces to help implement unit tests for PDP extensions:
- BasePrimaryPolicyMetadata, implements PrimaryPolicyMetadata
- IndividualDecisionRequestContext, implements EvaluationContext
......@@ -307,7 +307,7 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio
- License: GPL v3.0 replaced with Apache License v2.0
- Project URL: 'https://tuleap.ow2.org/projects/authzforce' replaced with 'https://authzforce.ow2.org'
- GIT repository URL base: 'https://tuleap.ow2.org/plugins/git/authzforce' replaced with 'https://gitlab.ow2.org/authzforce'
- Project converted to multi-module project with two new modules in order to have properly separated artifact with the test utility classes to be reused in other AuthzForce projects (e.g. `server/webapp` and PDP extensions), therefore two new Maven artifacts:
- Project converted to multimodule project with two new modules in order to have properly separated artifact with the test utility classes to be reused in other AuthzForce projects (e.g. `server/webapp` and PDP extensions), therefore two new Maven artifacts:
- `authzforce-ce-core-pdp-engine` replacing artifact `authzforce-ce-core` (no classifier);
- `authzforce-ce-core-pdp-testutils` replacing artifact `authzforce-ce-core` with `tests` classifier.
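Review bot: "multi-module project" is the form used by Maven's own documentation, so changing it to "multimodule" replaces an accepted spelling with a less common one; either keep the hyphenated form or apply whichever spelling is chosen consistently wherever the CHANGELOG refers to modules.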
......@@ -367,7 +367,7 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio
- Behavior of *unordered* rule combining algorithms (deny-overrides, permit-overrides, deny-unless-permit and permit-unless deny), i.e. for which the order of evaluation may be different from the order of declaration: child elements are re-ordered for more efficiency (e.g. Deny rules evaluated first in case of deny-overrides algorithm), therefore the algorithm implementation, the order of evaluation in particular, now differs from ordered-* variants.
### Removed
- Dependency on Koloboke, replaced by extension mechanism mentioned in *Added* section that would allow to switch from the default HashMap/HashSet implementation to Koloboke-based.
- Dependency on Koloboke, replaced by extension mechanism mentioned in *Added* section that would allow switching from the default HashMap/HashSet implementation to Koloboke-based.
### Fixed
- [JIRA-23] Enforcement of RuleId/PolicyId/PolicySetId uniqueness:
......@@ -384,7 +384,7 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio
## 5.0.1
### Fixed
- [JIRA-22] When handling the same XACML Request twice in the same JVM with the root PolicySet using deny-unless-permit algorithm over a Policy returning simple Deny (no status/obligation/advice) and a Policy returning Permit/Deny with obligations/advice, the obligation is duplicated in the final result at the second time this situation occurs.
- XACML StatusCode XML serialization/marshalling error when Missing Attribute info that is no valid anyURI is returned by PDP in a Indeterminate Result
- XACML StatusCode XML serialization/marshalling error when Missing Attribute info that is no valid anyURI is returned by PDP in an Indeterminate Result
- Memory management issue: native RootPolicyProvider modules keeping a reference to static refPolicyProvider, even after policies have been resolved statically at initialization time, preventing garbage collection and memory saving.
- Calls to Logger impacted negatively by autoboxing
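Review bot: the a/an fix is right, but the same line keeps a second grammar error: "Missing Attribute info that is no valid anyURI" should be "Missing Attribute info that is not a valid anyURI". Suggested line: "- XACML StatusCode XML serialization/marshalling error when Missing Attribute info that is not a valid anyURI is returned by the PDP in an Indeterminate Result".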
......@@ -394,7 +394,7 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio
### Changed
- PDP XML configuration schema namespace: http://authzforce.github.io/core/xmlns/pdp/5.0 (previous namespace: http://authzforce.github.io/core/xmlns/pdp/3.6). See *Removed* section for non-backward-compatible changes to the schema.
- Parent project version: authzforce-ce-parent: 3.4.0
- Dependency version: authzforce-ce-core-pdp-api: 7.1.0: requires to pass new EnvironmentProperties parameter to AttributeProvider module factories for using global PDP environment properties (such as PDP configuration file's parent directory)
- Dependency version: authzforce-ce-core-pdp-api: 7.1.0: requires passing a new EnvironmentProperties parameter to AttributeProvider module factories for using global PDP environment properties (such as PDP configuration file's parent directory)
- Interpretation of XACML Request flag ReturnPolicyId=true, considering a policy "applicable" if and only if the decision is not NotApplicable and if it is not a root policy, the same goes for the enclosing policy. See also the discussion on the xacml-comment mailing list: https://lists.oasis-open.org/archives/xacml-comment/201605/msg00004.html
### Added
......@@ -405,7 +405,7 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio
- enum StandardCombiningAlgoritm that enumerates all standard XACML combining algorithms
### Deprecated
- Ability to marshall internal classes derived from XACML/JAXB Expressions back to the original JAXB Expression: it may consume a significant amount of extra memory, esp. when a nested PolicySet has deep nested Policy(Set)s, and it forces our internal evaluation classes to duplicate information and override many methods. Also it ties the internal model to the JAXB model which is far from optimal for evaluation purposes. Now we consider no longer the responsibility of the PDP to be able to marshall such XACML instances, but the caller's; in particular the classes ApplyExpression, AttributeDesignatorExpression, AttributeSelectorExpression, AttributeAssigmnentExpressionEvaluator no longer extend JAXB classes.
- Ability to marshall internal classes derived from XACML/JAXB Expressions back to the original JAXB Expression: it may consume a significant amount of extra memory, esp. when a nested PolicySet has deep nested Policy(Set)s, and it forces our internal evaluation classes to duplicate information and override many methods. Also, it ties the internal model to the JAXB model which is far from optimal for evaluation purposes. Now we consider no longer the responsibility of the PDP to be able to marshall such XACML instances, but the caller's; in particular the classes ApplyExpression, AttributeDesignatorExpression, AttributeSelectorExpression, AttributeAssigmnentExpressionEvaluator no longer extend JAXB classes.
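Review bot: besides the added comma, "Now we consider no longer the responsibility of the PDP to be able to marshall such XACML instances, but the caller's" is hard to parse; suggest "We now consider that marshalling such XACML instances is no longer the PDP's responsibility but the caller's". Also check the class name "AttributeAssigmnentExpressionEvaluator": "Assigmnent" looks like a transposition of "Assignment", and if the class is actually spelled AttributeAssignmentExpressionEvaluator the name here should match it so readers can find the class.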
## 4.0.2
......@@ -455,7 +455,7 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio
## 3.8.1
### Fixed
- Removed use of SAXON StandardURIChecker for validating anyURI XACML AttributeValues causing "possible memory leak" errors in Tomcat, as confirmed by: https://sourceforge.net/p/saxon/mailman/message/27043134 and https://sourceforge.net/p/saxon/mailman/saxon-help/thread/4F9E683E.8060001@saxonica.com/. Although XACML 3.0 still refers to XSD 1.0 which has a stricter definition of anyURI than XSD 1.1, the fix consisted to use XSD 1.1 anyURI definition for XACML anyURI AttributeValues. In this definition, anyURI and string datatypes have same value space (refer to XSD 1.1 Datatypes document or SAXON note http://www.saxonica.com/html/documentation9.4/changes/intro93/xsd11-93.html or mailing list: https://sourceforge.net/p/saxon/mailman/saxon-help/thread/4F9E683E.8060001@saxonica.com/) , therefore anyURI-specific validation is removed and anyURI values are accepted like string values by the program. However, this does not affect XML schema validation of Policy/PolicySet/Request documents against OASIS XACML 3.0 schema, where the XSD 1.0 definition of anyURI still applies.
- Removed use of SAXON StandardURIChecker for validating anyURI XACML AttributeValues causing "possible memory leak" errors in Tomcat, as confirmed by: https://sourceforge.net/p/saxon/mailman/message/27043134 and https://sourceforge.net/p/saxon/mailman/saxon-help/thread/4F9E683E.8060001@saxonica.com/. Although XACML 3.0 still refers to XSD 1.0 which has a stricter definition of anyURI than XSD 1.1, the fix consisted in using XSD 1.1 anyURI definition for XACML anyURI AttributeValues. In this definition, anyURI and string datatypes have same value space (refer to XSD 1.1 Datatypes document or SAXON note http://www.saxonica.com/html/documentation9.4/changes/intro93/xsd11-93.html or mailing list: https://sourceforge.net/p/saxon/mailman/saxon-help/thread/4F9E683E.8060001@saxonica.com/) , therefore anyURI-specific validation is removed and anyURI values are accepted like string values by the program. However, this does not affect XML schema validation of Policy/PolicySet/Request documents against OASIS XACML 3.0 schema, where the XSD 1.0 definition of anyURI still applies.
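Review bot: "consisted in using" is the right fix; in the same sentence "anyURI and string datatypes have same value space" needs "the same value space", and the saxon-help thread URL (.../thread/4F9E683E.8060001@saxonica.com/) is cited twice in the one sentence, once after "confirmed by" and again in the parenthetical, so the second occurrence can be dropped.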
## 3.8.0
......@@ -505,7 +505,7 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio
- Added support of xpath-node-count function (optional XACML feature)
- New modes of request parsing/filtering and attribute matching to enforce best practices and optimize Request processing:
1. *Strict Attribute Issuer match*: in this mode, an AttributeDesignator without Issuer only matches XACML Request Attributes without Issuer (faster if all Attributes have an Issuer which is recommended, but not fully XACML (§5.29) compliant)
2. *Allow Attribute duplicates*: allows defining multi-valued attributes by repeating the same XACML Attribute (same AttributeId) within a XACML Attributes element (same Category). Indeed, not allowing this enables the PDP to parse and evaluate Requests more efficiently, especially if you know the Requests to be well-formed, i.e. all AttributeValues of a given Attribute are grouped together in the same `<Attribute>` element. However, it may not be fully compliant with the XACML spec according to a [discussion](https://lists.oasis-open.org/archives/xacml-dev/201507/msg00001.html) on the xacml-dev mailing list, referring to the XACML 3.0 core spec, §7.3.3, that indicates that multiple occurrences of the same `<Attribute>` with same meta-data but different values should be considered equivalent to a single `<Attribute>` element with same meta-data and merged values (multi-valued Attribute). Moreover, the XACML 3.0 conformance test 'IIIA024' expects this behavior: the multiple subject-id Attributes are expected to result in a multi-value bag during evaluation of the `<AttributeDesignator>`.
2. *Allow Attribute duplicates*: allows defining multivalued attributes by repeating the same XACML Attribute (same AttributeId) within a XACML Attributes element (same Category). Indeed, not allowing this enables the PDP to parse and evaluate Requests more efficiently, especially if you know the Requests to be well-formed, i.e. all AttributeValues of a given Attribute are grouped together in the same `<Attribute>` element. However, it may not be fully compliant with the XACML spec according to a [discussion](https://lists.oasis-open.org/archives/xacml-dev/201507/msg00001.html) on the xacml-dev mailing list, referring to the XACML 3.0 core spec, §7.3.3, that indicates that multiple occurrences of the same `<Attribute>` with same meta-data but different values should be considered equivalent to a single `<Attribute>` element with same meta-data and merged values (multivalued Attribute). Moreover, the XACML 3.0 conformance test 'IIIA024' expects this behavior: the multiple subject-id Attributes are expected to result in a multi-value bag during evaluation of the `<AttributeDesignator>`.
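Review bot: the spelling change is applied inconsistently within the line: "multi-valued attributes" and "(multi-valued Attribute)" become "multivalued", but "result in a multi-value bag" at the end of the same item is left as is; use "multivalued bag" there too (the README's feature list already uses "multivalued").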
- Features to prevent circular references in Policy(Set)IdReferences or VariableReference
- Features to limit depth of PolicySetIdReference or VariableReference chain (otherwise no theoretical limit)
......@@ -519,10 +519,10 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio
### Fixed
- Issues reported by PMD and findbugs
- Fixed issues in [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, see [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct\README.md).
- In logical OR, AND and N-OF functions, an Indeterminate argument results in Indeterminate result.
- In logical `OR`, `AND` and `N-OF` functions, an Indeterminate argument results in Indeterminate result.
1. FIX for OR function: If at least one True argument, return True regardless of Indeterminate arguments; else (no True) if there is at least one Indeterminate, return Indeterminate, return Indeterminate; else (no True/Indeterminate -> all false) return false
1. FIX for AND function: If at least one False argument, return False regardless of Indeterminate arguments; else (no False) if there is at least one Indeterminate, return Indeterminate, return Indeterminate; else (no False/Indeterminate -> all true) return true
1. FIX for N-OF function: similar to OR but checking if there are at least N Trues instead of 1, in the remaining arguments; else there is/are n True(s) with `n < N`; if there are at least `(N-n)` Indeterminate, return Indeterminate; else return false.
1. FIX for N-OF function: similar to `OR` but checking if there are at least `N` Trues instead of 1, in the remaining arguments; else there is/are n True(s) with `n < N`; if there are at least `(N-n)` Indeterminate, return Indeterminate; else return false.
- Misleading IllegalArgumentException error for XML-schema-valid anyURI but not valid for `java.net.URI` class. Fixed by using `java.lang.String` instead and validating strings according to anyURI definition with Saxon library
- RuntimeException when no subject and no resource and no action attributes in the XACML request
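Review bot: the backtick additions are fine, but two defects in this hunk's unchanged lines are worth fixing in the same pass: the OR and AND items both repeat "return Indeterminate, return Indeterminate" (one "return Indeterminate" should go), and the README link path `xacml-3.0-from-2.0-ct\README.md` uses a backslash, which does not resolve as a relative link when rendered; the same README is linked with a forward slash elsewhere (`.../xacml-3.0-from-2.0-ct/README.md`), so use that form here.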
......
......@@ -6,7 +6,7 @@ Follow these Java coding guidelines:
* [Oracle Secure Coding Guidelines for Java SE](http://www.oracle.com/technetwork/java/seccodeguide-139067.html).
### Testing
For every new major functionality, there must be unit tests added to some unit test class that is part of the automated test suite of [pdp-engine's MainTest.java](pdp-engine/src/test/java/org/ow2/authzforce/core/pdp/impl/test/MainTest.java). If the functionality has any impact on XACML - any Request/Response/Policy(Set) element - processing and/or change XACML standard conformance in anyway, make sure you add relevant integration and/or conformance tests to the test suite run by [pdp-testutils's MainTest.java](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/MainTest.java).
For every new major functionality, there must be unit tests added to some unit test class that is part of the automated test suite of [pdp-engine's MainTest.java](pdp-engine/src/test/java/org/ow2/authzforce/core/pdp/impl/test/MainTest.java). If the functionality has any impact on XACML - any Request/Response/Policy(Set) element - processing and/or change XACML standard conformance in any way, make sure you add relevant integration and/or conformance tests to the test suite run by [pdp-testutils's MainTest.java](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/MainTest.java).
You may run the tests as follows from your local copy of the repository:
<pre><code>
......@@ -26,12 +26,12 @@ Note that you must use Java 8 to run Maven when building the project.
1. No SNAPSHOT dependencies on "develop" and obviously "master" branches
### Releasing
1. From the develop branch, prepare a release (example using a HTTP proxy):
1. From the develop branch, prepare a release (example using an HTTP proxy):
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 jgitflow:release-start
</code></pre>
1. Update the CHANGELOG according to keepachangelog.com.
1. To perform the release (example using a HTTP proxy):
1. To perform the release (example using an HTTP proxy):
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 jgitflow:release-finish
</code></pre>
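Review bot: the a/an fixes are right, but the context line at the top of this hunk, "Note that you must use Java 8 to run Maven when building the project.", contradicts the migration notes in this same commit (version 17.x: "If you are still using Java 8, you have to upgrade to Java 11") and the removed .travis.yml, which built with openjdk11; update that sentence to the Java version actually required.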
......
## Migration from v14.x to 15.x
## Migration from version 17.x to 18.x
- You have to upgrade your PDP configuration(s), e.g. `pdp.xml` files, using XSLT stylesheet [pdp-xsd-v7.xsl](migration/pdp-xsd-v7.xsl) and any XSLT engine supporting XSLT 2.0, e.g. [SAXON-HE 9.x or later](https://www.saxonica.com/download/java.xml), e.g. with this command:
```shell
$ PDP_XML_FILE="pdp-testutils/src/test/resources.json/other/CustomJsonObjectDatatype/pdp.xml"
$ mv $PDP_XML_FILE{,.old}
$ java -jar ~/.m2/repository/net/sf/saxon/Saxon-HE/10.3/Saxon-HE-10.3.jar -xsl:migration/pdp-xsd-v7.xsl -s:$PDP_XML_FILE.old -o:$PDP_XML_FILE
```
## Migration from version 16.x to 17.x
- If you are still using Java 8, you have to upgrade to Java 11 (Java 8 is no longer supported).
## Migration from version 15.x to 16.x
- If you have any custom PolicyProvider extension, you need to update the implementation of the method `CloseablePolicyProvider.Factory#getInstance(...)` to the new PDP API (`authzforce-ce-core-pdp-api`: 17.0.0).
## Migration from version 14.x to 15.x
- Modify the PDP configuration (XML): replace the XML namespace `http://authzforce.github.io/core/xmlns/pdp/7.0` with `http://authzforce.github.io/core/xmlns/pdp/7`.
## Migration from v13.x to v14.x
## Migration from version 13.x to 14.x
- Make sure all your custom PolicyProviders implement the new PolicyProvider interfaces, i.e. BaseStaticPolicyProvider or, as fallback option, CloseableStaticPolicyProvider
- Modify the PDP configuration (XML):
- Merge 'rootPolicyProvider' and 'refPolicyprovider' into one 'policyProvider' using the new 'StaticPolicyProvider' type if you were using 'StaticRefPolicyprovider' or 'StaticRootPolicyProvider', else your new custom PolicyProvider types if you were using custom ones.
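Review bot: the new "17.x to 18.x" section needs three clarifications. First, the stylesheet is named pdp-xsd-v7.xsl while the text (and the commit message) say it migrates configurations to the new XSD v8; state the direction explicitly, e.g. "migrating a v7 PDP configuration to XSD v8", so nobody runs it on the wrong input. Second, `mv $PDP_XML_FILE{,.old}` relies on bash brace expansion and the variables are unquoted although the fence is tagged `shell`; write `mv "$PDP_XML_FILE" "$PDP_XML_FILE.old"` and quote `-s:"$PDP_XML_FILE.old" -o:"$PDP_XML_FILE"`. Third, the prose says "SAXON-HE 9.x or later" while the command hard-codes the Saxon-HE 10.3 jar path under ~/.m2; say that the version and path are only an example. The heading renames ("v14.x to 15.x" to "version 14.x to 15.x", "v13.x to v14.x" to "version 13.x to 14.x") are consistent with the new sections.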
......
......@@ -12,7 +12,7 @@ AuthzForce Core may be used in the following ways:
- Java API: you may use AuthzForce Core from your Java code to instantiate an embedded Java PDP.
- CLI (Command-Line Interface): you may call AuthzForce Core PDP engine from the command-line (e.g. in a script) by running the provided executable.
***HTTP/REST server**: if you are interested in using a HTTP/REST API compliant with [REST Profile of XACML 3.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html), check the [AuthzForce RESTful PDP project](http://github.com/authzforce/restful-pdp) and [AuthzForce server project](http://github.com/authzforce/server).*
***HTTP/REST server**: if you are interested in using an HTTP/REST API compliant with [REST Profile of XACML 3.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html), check the [AuthzForce RESTful PDP project](http://github.com/authzforce/restful-pdp) and [AuthzForce server project](http://github.com/authzforce/server).*
## Features
* Compliance with the following OASIS XACML 3.0 standards:
......@@ -27,7 +27,7 @@ AuthzForce Core may be used in the following ways:
* [XACML v3.0 - Additional Combining Algorithms Profile Version 1.0](http://docs.oasis-open.org/xacml/xacml-3.0-combalgs/v1.0/xacml-3.0-combalgs-v1.0.html): `on-permit-apply-second` policy combining algorithm;
* [XACML v3.0 - Multiple Decision Profile Version 1.0 - Requests for a combined decision](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890) (`urn:oasis:names:tc:xacml:3.0:profile:multiple:combined-decision`).
*For further details on what is actually supported with regards to the XACML specifications, please refer to the conformance tests [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/README.md).*
*For further details on what is actually supported regarding the XACML specifications, please refer to the conformance tests [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/README.md).*
* [GeoXACML](http://portal.opengeospatial.org/files/?artifact_id=42734) (Open Geospatial Consortium) support: see [this AuthzForce extension from SecureDimensions](https://github.com/securedimensions/authzforce-geoxacml-basic).
* Interfaces:
* Java API: basically a library for instantiating and using a PDP engine from your Java (or any Java-compatible) code;
......@@ -43,7 +43,7 @@ AuthzForce Core may be used in the following ways:
* Optional **strict multivalued attribute parsing**: if enabled, multivalued attributes must be formed by grouping all `AttributeValue` elements in the same Attribute element (instead of duplicate Attribute elements); this does not fully comply with [XACML 3.0 Core specification of Multivalued attributes (§7.3.3)](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047176), but it usually performs better than the default mode since it simplifies the parsing of attribute values in the request.
* Optional **strict attribute Issuer matching**: if enabled, `AttributeDesignators` without Issuer only match request Attributes without Issuer (and same AttributeId, Category...); this option is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present on a AttributeDesignator; but it is the recommended option for better performance when all AttributeDesignators have an Issuer (the XACML 3.0 specification (5.29) says: *If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone.*);
* **Optimal integer data-type** implementation: the `maxIntegerValue` configuration parameter (expected maximum absolute value in XACML attributes of type `http://www.w3.org/2001/XMLSchema#integer`) helps the PDP choose the most efficient Java data-type. By default, the XACML/XML type `http://www.w3.org/2001/XMLSchema#integer` is mapped to the larger Java data-type: `BigInteger`. However, this may be overkill for example in the case of integer attributes representing the age of a person; in this case, the `Short` type is more appropriate and especially more efficient. Therefore, decreasing the `maxIntegerValue` value as much as possible, based on the range you expect your integer values to fit in, makes the PDP engine more efficient on integer handling: lower memory consumption, faster computations.
* **Pluggable Decision Cache**: you can plug-in your own XACML Decision Cache mechanism to speed up evaluation of (repetitive) requests. See down below for more info (Decision Cache extension).
* **Pluggable Decision Cache**: you can plug in your own XACML Decision Cache mechanism to speed up evaluation of (repetitive) requests. See down below for more info (Decision Cache extension).
* Extensibility points:
* **[Attribute Datatypes](https://github.com/authzforce/core/wiki/XACML-Data-Types)**: you may extend the PDP engine with custom XACML attribute datatypes;
* **[Functions](https://github.com/authzforce/core/wiki/XACML-Functions)**: you may extend the PDP engine with custom XACML functions;
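Review bot: since this commit is an a/an cleanup pass, the "strict attribute Issuer matching" bullet in this hunk also has "in the case that the Issuer is indeed not present on a AttributeDesignator", which should be "on an AttributeDesignator"; the same bullet cites the spec section first as "§5.29" and then as "(5.29)", so use one form.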
......@@ -101,7 +101,7 @@ $ ./authzforce-ce-core-pdp-cli-14.0.0.jar -t XACML_JSON pdp.xml IIA001/Request.j
```
* `Request.json`: XACML request in XACML 3.0/JSON (Profile) format. **Feel free to replace with your own for testing.**
For more info, run it without parameters and you'll get detailed information on usage.
For more info, run it without parameters, and you'll get detailed information on usage.
#### Java API
You can either build AuthzForce PDP library from the source code after cloning this git repository, or use the latest release from Maven Central with this information:
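Review bot: the context line of this hunk shows `./authzforce-ce-core-pdp-cli-14.0.0.jar` while the project is now past 17.x; a hard-coded old version in the CLI example will keep going stale, so either update it or write it as `authzforce-ce-core-pdp-cli-<version>.jar` with a sentence telling the reader to substitute the release they downloaded.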
......@@ -109,7 +109,7 @@ You can either build AuthzForce PDP library from the source code after cloning t
* artifactId: `authzforce-ce-core-pdp-engine`;
* packaging: `jar`.
Since this is a Maven artifact and it requires dependencies, you should build your application with a build tool that understands Maven dependencies (e.g. Maven or Gradle), and configure this artifact as a Maven dependency, for instance with Maven in the `pom.xml`:
Since this is a Maven artifact, and it requires dependencies, you should build your application with a build tool that understands Maven dependencies (e.g. Maven or Gradle), and configure this artifact as a Maven dependency, for instance with Maven in the `pom.xml`:
```xml
...
......@@ -122,7 +122,7 @@ Since this is a Maven artifact and it requires dependencies, you should build yo
```
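Review bot: in the previous hunk, the inserted comma changes the reading of the sentence: in "Since this is a Maven artifact, and it requires dependencies, you should build ..." the clause "and it requires dependencies" now reads as a parenthetical rather than the second half of the "Since" clause. Either keep the original without the comma or simplify to "Since this is a Maven artifact with dependencies, you should build your application with ...".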
To get started using a PDP to evaluate XACML requests, the first step is to write/get a XACML 3.0 policy. Please refer to [XACML v3.0 - Core standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) for the syntax. For a basic example, see [this one](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/mandatory/IIA001/IIA001Policy.xml).
To get started using a PDP to evaluate XACML requests, the first step is to write/get a XACML 3.0 policy. Please refer to [XACML v3.0 - Core standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) for the syntax. For a basic example, see [this one](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/mandatory/IIA001/Policy.xml).
Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#getInstance(String)](pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java#L663). The required parameter *confLocation* must be the location of the PDP configuration file. For more information about PDP configuration parameters, the configuration format is fully specified and documented in the [XML schema `pdp.xsd`](pdp-engine/src/main/resources/pdp.xsd), also available in a [more user-friendly HTML form](https://authzforce.github.io/pdp.xsd/7.1) (start with the `pdp` element as the root element in a PDP configuration). Here is a minimal example of configuration:
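Review bot: the link fix (IIA001Policy.xml to Policy.xml) is good, but the unchanged line below it still points readers to the XSD HTML form at https://authzforce.github.io/pdp.xsd/7.1 and to `PdpEngineConfiguration.java#L663`; this commit introduces a new PDP XSD (the migration notes call it v8), so the schema link is now stale, and a line-number anchor into a source file breaks on the next edit of that file. Link to the new schema version, and to the method by name or to the file without a line anchor.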
......@@ -146,7 +146,7 @@ Then the next step depends on the kind of decision request you want to evaluate.
##### Evaluating Requests in AuthzForce native API (most efficient)
If you are creating decision requests internally, i.e. directly from your Java code (not from any data serialization format), you'd better use AuthzForce native interface.
You can pass the `PdpEngineConfiguration` to `BasePdpEngine(PdpEngineConfiguration)` constructor in order to instantiate a PDP engine. With this, you can evaluate a decision request (more precisely an equivalent of a Individual Decision Request as defined by the XACML Multiple Decision Profile) in AuthzForce's native model by calling `evaluate(DecisionRequest)` or (multiple decision requests with `evaluate(List)`). In order to build a `DecisionRequest`, you may use the request builder returned by `BasePdpEngine#newRequestBuilder(...)`.
You can pass the `PdpEngineConfiguration` to `BasePdpEngine(PdpEngineConfiguration)` constructor in order to instantiate a PDP engine. With this, you can evaluate a decision request (more precisely an equivalent of an Individual Decision Request as defined by the XACML Multiple Decision Profile) in AuthzForce's native model by calling `evaluate(DecisionRequest)` or (multiple decision requests with `evaluate(List)`). In order to build a `DecisionRequest`, you may use the request builder returned by `BasePdpEngine#newRequestBuilder(...)`.
Basic example of Java code (based on previous line of code):
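Review bot: the article fix ("an Individual Decision Request") is right, but the same sentence keeps a misplaced parenthesis in both the old and the new line: "by calling `evaluate(DecisionRequest)` or (multiple decision requests with `evaluate(List)`)". Suggest "by calling `evaluate(DecisionRequest)`, or `evaluate(List)` for multiple decision requests", so that the parenthesis no longer opens before the alternative it is meant to qualify.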
......@@ -206,7 +206,7 @@ See [EmbeddedPdpBasedAuthzInterceptor#createRequest(...) method](pdp-testutils/s
You can pass the `PdpEngineConfiguration` to `PdpEngineAdapters#newXacmlJaxbInoutAdapter(PdpEngineConfiguration)` utility method to instantiate a PDP supporting XACML 3.0/XML (core specification) format. You can evaluate such XACML Request by calling the `evaluate(...)` methods.
##### Evaluating Requests in XACML/JSON format
To instantiate a PDP supporting XACML 3.0/JSON (JSON Profile) format, you may reuse the test code from [PdpEngineXacmlJsonAdapters](pdp-io-xacml-json/src/test/java/org/ow2/authzforce/core/pdp/io/xacml/json/test/PdpEngineXacmlJsonAdapters.java).
To instantiate a PDP supporting XACML 3.0/JSON (JSON Profile) format, you may reuse the test code from [PdpEngineXacmlJsonAdapters](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/json/PdpEngineXacmlJsonAdapters.java).
You will need an extra dependency as well, available from Maven Central:
* groupId: `org.ow2.authzforce`;
* artifactId: `authzforce-ce-core-pdp-io-xacml-json`;
......@@ -216,11 +216,11 @@ You will need an extra dependency as well, available from Maven Central:
You can support other non-XACML formats of access requests (resp. responses), including your own, by implementing your own [Request Preprocessor](https://github.com/authzforce/core/wiki/XACML-Request-Preprocessors) (resp. [Result Postprocessor](https://github.com/authzforce/core/wiki/XACML-Result-Postprocessors) ).
##### Logging
Our PDP implementation uses SLF4J for logging so you can use any SLF4J implementation to manage logging. The CLI executable includes logback implementation, so you can use logback configuration file, e.g. [logback.xml](pdp-testutils/src/test/resources/logback.xml), for configuring loggers, appenders, etc.
Our PDP implementation uses SLF4J for logging, so you can use any SLF4J implementation to manage logging. The CLI executable includes logback implementation, so you can use logback configuration file, e.g. [logback.xml](pdp-testutils/src/test/resources/logback.xml), for configuring loggers, appenders, etc.
### Example of usage in a web service PEP
For an example of using an AuthzForce PDP engine in a real-life use case, please refer to the JUnit test class [EmbeddedPdpBasedAuthzInterceptorTest](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptorTest.java) and the Apache CXF authorization interceptor [EmbeddedPdpBasedAuthzInterceptor](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptor.java). The test class runs a test similar to @coheigea's [XACML 3.0 Authorization Interceptor test](https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-sts-xacml/src/test/java/org/apache/coheigea/cxf/sts/xacml/authorization/xacml3/XACML3AuthorizationTest.java) but using AuthzForce as PDP engine instead of OpenAZ. In this test, a web service client requests a Apache-CXF-based web service with a SAML token as credentials (previously issued by a Security Token Service upon successful client authentication) that contains the user ID and roles. Each request is intercepted on the web service side by a [EmbeddedPdpBasedAuthzInterceptor](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptor.java) that plays the role of PEP (Policy Enforcement Point in XACML jargon), i.e. it extracts the various authorization attributes (user ID and roles, web service name, operation...) and requests a decision from a local PDP with these attributes, then enforces the PDP's decision, i.e. forwards the request to the web service implementation if the decision is Permit, else rejects it.
For an example of using an AuthzForce PDP engine in a real-life use case, please refer to the JUnit test class [EmbeddedPdpBasedAuthzInterceptorTest](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptorTest.java) and the Apache CXF authorization interceptor [EmbeddedPdpBasedAuthzInterceptor](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptor.java). The test class runs a test similar to @coheigea's [XACML 3.0 Authorization Interceptor test](https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-sts-xacml/src/test/java/org/apache/coheigea/cxf/sts/xacml/authorization/xacml3/XACML3AuthorizationTest.java) but using AuthzForce as PDP engine instead of OpenAZ. In this test, a web service client requests an Apache-CXF-based web service with a SAML token as credentials (previously issued by a Security Token Service upon successful client authentication) that contains the user ID and roles. Each request is intercepted on the web service side by a [EmbeddedPdpBasedAuthzInterceptor](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptor.java) that plays the role of PEP (Policy Enforcement Point in XACML jargon), i.e. it extracts the various authorization attributes (user ID and roles, web service name, operation...) and requests a decision from a local PDP with these attributes, then enforces the PDP's decision, i.e. forwards the request to the web service implementation if the decision is Permit, else rejects it.
For more information, see the Javadoc of [EmbeddedPdpBasedAuthzInterceptorTest](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/pep/cxf/EmbeddedPdpBasedAuthzInterceptorTest.java).
## Extensions
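Review bot: the grammar fix in the web service PEP paragraph is incomplete: "requests an Apache-CXF-based web service" is corrected, but the same paragraph still reads "intercepted on the web service side by a [EmbeddedPdpBasedAuthzInterceptor]", which should be "an". In the Logging paragraph the comma is added but two articles are still missing: "includes the logback implementation" and "use a logback configuration file".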
......@@ -240,7 +240,7 @@ If you are using the Java API with extensions configured by XML (Policy Provider
You should use [AuthzForce users' mailing list](https://mail.ow2.org/wws/info/authzforce-users) as first contact for any communication about AuthzForce: question, feature request, notification, potential issue (unconfirmed), etc.
If you are experiencing any bug with this project and you indeed confirm this is not an issue with your environment (contact the users mailing list first if you are unsure), please report it on the [OW2 Issue Tracker](https://gitlab.ow2.org/authzforce/core/issues).
If you are experiencing any bug with this project, and you indeed confirm this is not an issue with your environment (contact the users mailing list first if you are unsure), please report it on the [OW2 Issue Tracker](https://gitlab.ow2.org/authzforce/core/issues).
Please include as much information as possible; the more we know, the better the chance of a quicker resolution:
* Software version
......
......@@ -4,10 +4,11 @@
Versions currently being supported with security updates.
| Version | Supported |
| ------- | ------------------ |
| 15.2.0 | :white_check_mark: |
| 15.1.0 | :x: |
| Version | Supported |
|------------------|--------------------|
| 18.0.0 | :white_check_mark: |
| 17.1.2 | :white_check_mark: |
| 17.1.1 and lower | :x: |
## Reporting a Vulnerability
......
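Review bot: the support table now advertises 18.0.0 as receiving security updates, while the `pdp-benchmark` POM in this same commit still inherits `17.1.3-SNAPSHOT` from the parent, so SECURITY.md is ahead of any released artifact. Either bump the project version in the same change or move this table update into the release commit, so that the policy never names a version that does not exist yet. Also confirm that 17.1.2 is intended to stay supported next to 18.0.0: the previous table supported only the latest release, and the new "17.1.1 and lower" row implies a two-branch policy that the "Reporting a Vulnerability" section should then describe.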
<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright (C) 2012-2016 Thales Services SAS. This file is part of AuthzForce CE. AuthzForce CE is free software: you can redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. AuthzForce CE is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General
Public License along with AuthzForce CE. If not, see <http://www.gnu.org/licenses/>. -->
<!-- PDP configuration upgrade XSL Sheet: parent folder name indicates the version from which you can upgrade to the current one. -->
<!-- To be used with Saxon XSLT processor. -->
<!-- Author: Cyril DANGERVILLE. -->
<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:old="http://authzforce.github.io/core/xmlns/pdp/7"
xmlns="http://authzforce.github.io/core/xmlns/pdp/8" exclude-result-prefixes="old">
<xsl:output encoding="UTF-8" indent="yes" method="xml"/>
<!-- Change root element... -->
<xsl:template match="/old:pdp">
<xsl:element name="{local-name(.)}">
<xsl:copy-of select="namespace::*[. != 'http://authzforce.github.io/core/xmlns/pdp/7']"/>
<!-- Update attributes -->
<!-- Copy unmodified attributes -->
<xsl:apply-templates
select="@*[name()!='version' and name()!='useStandardDatatypes' and name()!='useStandardFunctions' and name()!='useStandardCombiningAlgorithms' and name()!= 'standardEnvAttributeSource' and name()!='enableXPath']"/>
<!-- Schema version -->
<xsl:attribute name="version">8.0</xsl:attribute>
<!-- Replace pdp/@useStandardDatatypes with pdp/@standardDatatypesEnabled -->
<xsl:if test="@useStandardDatatypes">
<xsl:attribute name="standardDatatypesEnabled">
<xsl:value-of select="@useStandardDatatypes"/>
</xsl:attribute>
</xsl:if>
<!-- Replace pdp/@useStandardFunctions with pdp/@standardFunctionsEnabled -->
<xsl:if test="@useStandardFunctions">
<xsl:attribute name="standardFunctionsEnabled">
<xsl:value-of select="@useStandardFunctions"/>
</xsl:attribute>
</xsl:if>
<!-- Replace pdp/@useStandardCombiningAlgorithms with pdp/@standardCombiningAlgorithmsEnabled -->
<xsl:if test="@useStandardCombiningAlgorithms">
<xsl:attribute name="standardCombiningAlgorithmsEnabled">
<xsl:value-of select="@useStandardCombiningAlgorithms"/>
</xsl:attribute>
</xsl:if>
<!-- Replace pdp/@useStandardCombiningAlgorithms with pdp/@standardCombiningAlgorithmsEnabled -->
<xsl:if test="@enableXPath">
<xsl:attribute name="xPathEnabled">
<xsl:value-of select="@enableXPath"/>
</xsl:attribute>
</xsl:if>
<!-- Replace pdp/@standardEnvAttributeSource="REQUEST_ELSE_PDP" (resp. REQUEST_ONLY) with pdp/@standardAttributeProvidersEnabled="true" (resp. "false") -->
<xsl:choose>
<xsl:when test="@standardEnvAttributeSource = 'REQUEST_ELSE_PDP'">
<xsl:attribute name="standardAttributeProvidersEnabled">true</xsl:attribute>
<xsl:apply-templates
select="node()"/>
</xsl:when>
<xsl:when test="@standardEnvAttributeSource = 'REQUEST_ONLY'">
<xsl:attribute name="standardAttributeProvidersEnabled">false</xsl:attribute>
<xsl:apply-templates
select="node()"/>
</xsl:when>
<!-- Replace pdp/@standardEnvAttributeSource="PDP_ONLY" with pdp/@standardAttributeProvidersEnabled="false" AND <attributeProvider xsi:type="StdEnvAttributeProviderDescriptor"><override>true</override></attributeProvider> -->
<xsl:when test="@standardEnvAttributeSource = 'PDP_ONLY'">
<xsl:attribute name="standardAttributeProvidersEnabled">false</xsl:attribute>
<!-- Copy unmodified elements before attributeProviders -->
<xsl:apply-templates
select="old:attributeDatatype | old:function | old:combiningAlgorithm"/>
<attributeProvider id="_urn_ow2_authzforce_feature_pdp_attribute-provider_std-env" xsi:type="StdEnvAttributeProviderDescriptor">
<override>true</override>
</attributeProvider>
<xsl:apply-templates
select="old:policyProvider | old:rootPolicyRef | old:decisionCache | old:ioProcChain"/>
</xsl:when>
<xsl:otherwise>
<!-- Copy unmodified elements -->
<xsl:apply-templates
select="node()"/>
</xsl:otherwise>
</xsl:choose>
</xsl:element>
</xsl:template>
<!-- Change old PDP config namespace to new one on elements by default -->
<xsl:template match="old:*">
<xsl:element name="{local-name(.)}">
<xsl:apply-templates select="node()|attribute()|text()|comment()" />
</xsl:element>
</xsl:template>
<!-- Default rule: copy as is -->
<xsl:template match="node()|attribute()|text()|comment()|processing-instruction()">
<xsl:copy>
<xsl:apply-templates select="node()|attribute()|text()|comment()" />
</xsl:copy>
</xsl:template>
</xsl:stylesheet>
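Review bot: in the `PDP_ONLY` branch of the root template, the two `apply-templates` selects (`old:attributeDatatype | old:function | old:combiningAlgorithm` and `old:policyProvider | old:rootPolicyRef | old:decisionCache | old:ioProcChain`) enumerate child elements by name, so any `attributeProvider` element already present in the v7 configuration, as well as comments between children, is silently dropped from the upgraded file, whereas the `REQUEST_ELSE_PDP`, `REQUEST_ONLY` and `otherwise` branches copy `node()` wholesale. Add `old:attributeProvider` to the first select (or select everything that is not in the second group) so user-configured providers survive the upgrade, and add an upgrade test with a custom attribute provider plus `standardEnvAttributeSource="PDP_ONLY"` to pin this down. The comment above the `@enableXPath` block is a copy-paste of the previous one ("Replace pdp/@useStandardCombiningAlgorithms with pdp/@standardCombiningAlgorithmsEnabled") and should read "Replace pdp/@enableXPath with pdp/@xPathEnabled". Minor: `node()|attribute()|text()|comment()` in the two generic templates is redundant, since `node()` already matches text and comment nodes.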
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (C) 2012-2016 Thales Services SAS.
This file is part of AuthzForce CE.
AuthzForce CE is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
AuthzForce CE is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with AuthzForce CE. If not, see <http://www.gnu.org/licenses/>.
-->
<!-- XACML 2.0-to-3.0 Policy Conversion XSL Sheet. Author: Cyril DANGERVILLE -->
<!-- For replacing deprecated identifiers (XACML 3.0 Core Specification, §A.4) with new ones, see file 'xacml3-policy-upgrade.xsl'. -->
<!-- WARNING: This XSLT does not convert XACML 2.0 AttributeSelectors to their strict equivalent in XACML 3.0: 1) it converts XACML 2.0 RequestContextPath to XACML 3.0 Path, although they have different
meaning as they do not apply to the same XML node, so please be aware. 2) It cannot determine the required Category in XACML 3.0 from XACML 2.0 input in some cases, so it has to use some default value
that you can set with XSLT parameter 'AttributeSelector.SubjectCategory.default' for AttrbuteSelectors coming from SubjectMatches, and 'AttributeSelector.Category.default' for the ones coming from Conditions. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xacml2="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xsl:output encoding="UTF-8" indent="yes" method="xml"/>
<!-- This element removes indentation with Xalan 2.7.1 (indentation preserved with Saxon 9.6.0.4). -->
<!-- <xsl:strip-space elements="*" /> -->
<!-- Parameters -->
<!-- Default value of <AttributeSelector>'s Category to be used in XACML 3.0 output when converting from <AttributeSelector> in XACML 2.0 <SubjectMatch>. Author's note: there does not seem to be any automatic
way to guess this. -->
<xsl:param name="AttributeSelector.SubjectCategory.default">urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</xsl:param>
<!-- Default value of <AttributeSelector>'s Category to be used in XACML 3.0 output when converting from <AttributeSelector> in XACML 2.0 <Condition>. Author's note: there does not seem to be any automatic
way to guess this. -->
<xsl:param name="AttributeSelector.Category.default">urn:oasis:names:tc:xacml:3.0:attribute-category:resource</xsl:param>
<xsl:template match="xacml2:Subjects | xacml2:Actions | xacml2:Resources | xacml2:Environments">
<xsl:element name="xacml3:AnyOf">
<xsl:apply-templates select="@* | child::node()"/>
</xsl:element>
</xsl:template>
<xsl:template match="xacml2:Subject | xacml2:Action | xacml2:Resource | xacml2:Environment">
<xsl:element name="xacml3:AllOf">
<xsl:apply-templates select="@* | child::node()"/>
</xsl:element>
</xsl:template>
<xsl:template match="xacml2:SubjectMatch | xacml2:ActionMatch | xacml2:ResourceMatch | xacml2:EnvironmentMatch">
<xsl:element name="xacml3:Match">
<xsl:apply-templates select="@* | child::node()"/>
</xsl:element>
</xsl:template>
<xsl:template match="xacml2:SubjectAttributeDesignator | xacml2:ActionAttributeDesignator | xacml2:ResourceAttributeDesignator | xacml2:EnvironmentAttributeDesignator">
<xsl:element name="xacml3:AttributeDesignator">
<xsl:attribute name="Category">
<xsl:choose>
<xsl:when test="local-name() = 'SubjectAttributeDesignator'">
<xsl:choose>
<xsl:when test="@SubjectCategory"><xsl:value-of select="@SubjectCategory"/></xsl:when>
<xsl:otherwise>urn:oasis:names:tc:xacml:1.0:subject-category:access-subject</xsl:otherwise>
</xsl:choose>
</xsl:when>
<xsl:when test="local-name() = 'ActionAttributeDesignator'">urn:oasis:names:tc:xacml:3.0:attribute-category:action</xsl:when>
<xsl:when test="local-name() = 'ResourceAttributeDesignator'">urn:oasis:names:tc:xacml:3.0:attribute-category:resource</xsl:when>
<xsl:when test="local-name() = 'EnvironmentAttributeDesignator'">urn:oasis:names:tc:xacml:3.0:attribute-category:environment</xsl:when>
</xsl:choose>
</xsl:attribute>
<xsl:if test="not(@MustBePresent)">
<xsl:attribute name="MustBePresent">false</xsl:attribute>
</xsl:if>
<xsl:apply-templates select="@*[not(local-name() = 'SubjectCategory')] | child::node()"/>
</xsl:element>
</xsl:template>
<xsl:template match="xacml2:AttributeSelector">
<xsl:element name="xacml3:{local-name()}">
<xsl:attribute name="Category">
<xsl:choose>
<xsl:when test="local-name(parent::*) = 'SubjectMatch'"><xsl:value-of select="$AttributeSelector.SubjectCategory.default"/></xsl:when>
<xsl:when test="local-name(parent::*) = 'ActionMatch'">urn:oasis:names:tc:xacml:3.0:attribute-category:action</xsl:when>
<xsl:when test="local-name(parent::*) = 'ResourceMatch'">urn:oasis:names:tc:xacml:3.0:attribute-category:resource</xsl:when>
<xsl:when test="local-name(parent::*) = 'EnvironmentMatch'">urn:oasis:names:tc:xacml:3.0:attribute-category:environment</xsl:when>
<xsl:otherwise><xsl:value-of select="$AttributeSelector.Category.default"/></xsl:otherwise>
</xsl:choose>
</xsl:attribute>
<xsl:attribute name="Path"><xsl:value-of select="@RequestContextPath"/></xsl:attribute>
<xsl:if test="not(@MustBePresent)">
<xsl:attribute name="MustBePresent">false</xsl:attribute>
</xsl:if>
<xsl:apply-templates select="@*[not(local-name() = 'RequestContextPath')] | child::node()"/>
</xsl:element>
</xsl:template>
<xsl:template match="xacml2:Obligations">
<xsl:element name="xacml3:ObligationExpressions">
<xsl:apply-templates select="@* | child::node()"/>
</xsl:element>
</xsl:template>
<xsl:template match="xacml2:Obligation">
<xsl:element name="xacml3:ObligationExpression">
<xsl:apply-templates select="@* | child::node()"/>
</xsl:element>
</xsl:template>
<xsl:template match="xacml2:AttributeAssignment">
<xsl:element name="xacml3:AttributeAssignmentExpression">
<xsl:apply-templates select="@AttributeId"/>
<xsl:element name="xacml3:AttributeValue">
<xsl:apply-templates select="@*[not(local-name() = 'AttributeId')] | child::node()"/>
</xsl:element>
</xsl:element>
</xsl:template>
<xsl:template match="xacml2:PolicySet | xacml2:Policy">
<xsl:element name="xacml3:{local-name()}">
<xsl:if test="not(@Version)">
<xsl:attribute name="Version">1.0</xsl:attribute>
</xsl:if>
<xsl:apply-templates select="@* | child::node()"/>
</xsl:element>
</xsl:template>
<xsl:template match="child::*">
<xsl:element name="xacml3:{local-name()}">
<xsl:apply-templates select="@* | child::node()"/>
</xsl:element>
</xsl:template>
<xsl:template match="@* | comment()">
<xsl:copy/>
</xsl:template>
</xsl:stylesheet>
\ No newline at end of file
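Review bot: the catch-all template `match="child::*"` near the end of this stylesheet renames every element into the `xacml3` namespace regardless of its source namespace, so foreign-namespace XML that is legal inside a XACML 2.0 `AttributeValue` (structured attribute content) is rewritten into the XACML 3.0 policy namespace as well; restrict that template to `xacml2:*` and copy other elements through unchanged with an `xsl:copy` rule. The `AttributeDesignator` template hard-codes `urn:oasis:names:tc:xacml:1.0:subject-category:access-subject` as the fallback subject category while the `AttributeSelector` template uses the `$AttributeSelector.SubjectCategory.default` parameter for the same case; using the parameter in both places keeps the two defaults from diverging when a user overrides it. Typo in the warning comment: "AttrbuteSelectors".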
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (C) 2012-2016 Thales Services SAS.
This file is part of AuthzForce CE.
AuthzForce CE is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
AuthzForce CE is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with AuthzForce CE. If not, see <http://www.gnu.org/licenses/>.
-->
<!-- XACML 3.0 policy canonicalization, basically replacing deprecated identifiers (XACML 3.0 Core Specification, §A.4) with new ones. Author: Cyril DANGERVILLE. -->
<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xsl:output encoding="UTF-8" indent="yes" method="xml" />
<!-- This element removes indentation with Xalan 2.7.1 (indentation preserved with Saxon 9.6.0.4). -->
<!-- <xsl:strip-space elements="*" /> -->
<xsl:template name="canonicalize-policy" match="child::*">
<xsl:copy>
<xsl:apply-templates select="@* | child::node()" />
</xsl:copy>
</xsl:template>
<xsl:template match="@MatchId|@FunctionId">
<xsl:attribute name="{local-name()}">
<xsl:choose>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:xpath-node-count'">urn:oasis:names:tc:xacml:3.0:function:xpath-node-count</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:xpath-node-equal'">urn:oasis:names:tc:xacml:3.0:function:xpath-node-equal</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:xpath-node-match'">urn:oasis:names:tc:xacml:3.0:function:xpath-node-match</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:dayTimeDuration-equal'">urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:yearMonthDuration-equal'">urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:dateTime-add-dayTimeDuration'">urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:dateTime-add-yearMonthDuration'">urn:oasis:names:tc:xacml:3.0:function:dateTime-add-yearMonthDuration</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-dayTimeDuration'">urn:oasis:names:tc:xacml:3.0:function:dateTime-subtract-dayTimeDuration</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:dateTime-subtract-yearMonthDuration'">urn:oasis:names:tc:xacml:3.0:function:dateTime-subtract-yearMonthDuration</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:date-add-yearMonthDuration'">urn:oasis:names:tc:xacml:3.0:function:date-add-yearMonthDuration</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:function:date-subtract-yearMonthDuration'">urn:oasis:names:tc:xacml:3.0:function:date-subtract-yearMonthDuration</xsl:when>
<xsl:otherwise><xsl:value-of select="." /></xsl:otherwise>
</xsl:choose>
</xsl:attribute>
</xsl:template>
<xsl:template match="@DataType">
<xsl:attribute name="{local-name()}">
<xsl:choose>
<xsl:when test=". = 'http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration'">http://www.w3.org/2001/XMLSchema#dayTimeDuration</xsl:when>
<xsl:when test=". = 'http://www.w3.org/TR/2002/WD-xquery-operators-20020816#yearMonthDuration'">http://www.w3.org/2001/XMLSchema#yearMonthDuration</xsl:when>
<xsl:otherwise><xsl:value-of select="." /></xsl:otherwise>
</xsl:choose>
</xsl:attribute>
</xsl:template>
<xsl:template match="@RuleCombiningAlgId">
<xsl:attribute name="{local-name()}">
<xsl:choose>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides'">urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides'">urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides'">urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides'">urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides</xsl:when>
<xsl:otherwise><xsl:value-of select="." /></xsl:otherwise>
</xsl:choose>
</xsl:attribute>
</xsl:template>
<xsl:template match="@PolicyCombiningAlgId">
<xsl:attribute name="{local-name()}">
<xsl:choose>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides'">urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides'">urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-deny-overrides'">urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides'">urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides</xsl:when>
<xsl:otherwise><xsl:value-of select="." /></xsl:otherwise>
</xsl:choose>
</xsl:attribute>
</xsl:template>
<xsl:template match="@AttributeId|@ContextSelectorId">
<xsl:attribute name="{local-name()}">
<xsl:choose>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address'">urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address</xsl:when>
<xsl:when test=". = 'urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name'">urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name</xsl:when>
<xsl:otherwise><xsl:value-of select="." /></xsl:otherwise>
</xsl:choose>
</xsl:attribute>
</xsl:template>
<xsl:template match="@* | comment()">
<xsl:copy />
</xsl:template>
</xsl:stylesheet>
\ No newline at end of file
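Review bot: `name="canonicalize-policy"` on the first template is never invoked with `call-template`, so the name does nothing and suggests an entry point that does not exist; drop it or document why it is there. The five attribute templates (`@MatchId|@FunctionId`, `@DataType`, `@RuleCombiningAlgId`, `@PolicyCombiningAlgId`, `@AttributeId|@ContextSelectorId`) are all the same pattern of an `xsl:choose` over literal identifier pairs with an `otherwise` pass-through; since this is XSLT 2.0, a single inline lookup table of old/new identifier pairs consulted by each template would make it harder to miss an entry when the deprecated list in XACML 3.0 §A.4 is revisited, and would let a test assert that every deprecated identifier in the table is actually rewritten.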
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
</suppressions>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>17.1.3-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-benchmark</artifactId>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthzForce - Core PDP Benchmark against AT&amp;T XACML and WSO2 Balana</description>
<url>${project.url}</url>
<scm>
<!-- Used by Jenkins - Maven release plugin -->
<connection>scm:git:${git.url.base}/core.git/pdp-benchmark</connection>
<developerConnection>scm:git:${git.url.base}/core.git/pdp-benchmark</developerConnection>
<tag>HEAD</tag>
<!-- Publicly browsable repository URL. For example, via Gitlab web UI. -->
<url>${git.url.base}/core/pdp-benchmark</url>
</scm>
<!-- distributionManagement defined in parent POM already -->