Commit 5f30f523 authored by cdanger's avatar cdanger

Policy(Set)Id/ruleId uniqueness enforcement

parent 8c4c1028
......@@ -43,7 +43,7 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
<version>7.1.1</version>
<version>7.1.2-SNAPSHOT</version>
</dependency>
<!-- /Authzforce dependencies -->
......
......@@ -22,6 +22,8 @@ import java.util.List;
import javax.xml.bind.JAXBElement;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
......@@ -31,35 +33,28 @@ import org.ow2.authzforce.core.pdp.api.UpdatableList;
import org.ow2.authzforce.core.pdp.api.UpdatablePepActions;
import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
abstract class DPOverridesAlgEvaluator extends BaseCombiningAlg.Evaluator<Decidable>
{
DPOverridesAlgEvaluator(final List<? extends Decidable> combinedElements)
DPOverridesAlgEvaluator(final Iterable<? extends Decidable> combinedElements)
{
super(combinedElements);
}
@Override
public final ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
public final ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions, final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
{
assert outPepActions != null;
final DPOverridesAlgResultCombiner resultHelper = new DPOverridesAlgResultCombiner(
outApplicablePolicyIdList != null);
final DPOverridesAlgResultCombiner resultHelper = new DPOverridesAlgResultCombiner(outApplicablePolicyIdList != null);
for (final Decidable combinedElement : getCombinedElements())
{
// evaluate the policy
final DecisionResult result = combinedElement.evaluate(context);
/*
* XACML §7.18: Obligations & Advice: do not return obligations/Advice of the rule, policy, or policy
* set that does not match the decision resulting from evaluating the enclosing policy set. For example,
* if the final decision is Permit, we should add to outPepActions only the PEP actions from Permit
* decisions (permitPepActions)
* XACML §7.18: Obligations & Advice: do not return obligations/Advice of the rule, policy, or policy set that does not match the decision resulting from evaluating the enclosing policy
* set. For example, if the final decision is Permit, we should add to outPepActions only the PEP actions from Permit decisions (permitPepActions)
*/
final ExtendedDecision finalResult = getOverridingDPResult(result, outPepActions,
outApplicablePolicyIdList, resultHelper);
final ExtendedDecision finalResult = getOverridingDPResult(result, outPepActions, outApplicablePolicyIdList, resultHelper);
if (finalResult != null)
{
return finalResult;
......@@ -67,8 +62,7 @@ abstract class DPOverridesAlgEvaluator extends BaseCombiningAlg.Evaluator<Decida
}
/*
* There was no overriding Deny/Permit decision, i.e. Deny (resp. Permit) in case of deny-overrides (resp.
* permit-overrides) alg, else: if any Indeterminate{DP}, then Indeterminate{DP}
* There was no overriding Deny/Permit decision, i.e. Deny (resp. Permit) in case of deny-overrides (resp. permit-overrides) alg, else: if any Indeterminate{DP}, then Indeterminate{DP}
*/
final ExtendedDecision firstIndeterminateDP = resultHelper.getFirstIndeterminateDP();
if (firstIndeterminateDP != null)
......@@ -82,30 +76,23 @@ abstract class DPOverridesAlgEvaluator extends BaseCombiningAlg.Evaluator<Decida
return firstIndeterminateDP;
}
return getFinalResult(resultHelper.getPepActions(), outPepActions, resultHelper.getApplicablePolicies(null),
outApplicablePolicyIdList, resultHelper.getFirstIndeterminateD(),
return getFinalResult(resultHelper.getPepActions(), outPepActions, resultHelper.getApplicablePolicies(null), outApplicablePolicyIdList, resultHelper.getFirstIndeterminateD(),
resultHelper.getFirstIndeterminateP());
}
/**
* Get overriding Deny/Permit decision, e.g. first Deny (resp. Permit) returned by a combined element in
* deny-overrides (resp. permit-overrides) algorithm, resulting in the algorithm to return it as final result
* immediately. (This corresponds to the for-loop in XACML spec's pseudo-code describing the algorithm.) Or null
* if no such case occurred (and algorithm must go on, i.e. part after the for-loop in XACML spec)
* Get overriding Deny/Permit decision, e.g. first Deny (resp. Permit) returned by a combined element in deny-overrides (resp. permit-overrides) algorithm, resulting in the algorithm to return it
* as final result immediately. (This corresponds to the for-loop in XACML spec's pseudo-code describing the algorithm.) Or null if no such case occurred (and algorithm must go on, i.e. part after
* the for-loop in XACML spec)
*/
protected abstract ExtendedDecision getOverridingDPResult(DecisionResult result,
UpdatablePepActions outPepActions,
UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
protected abstract ExtendedDecision getOverridingDPResult(DecisionResult result, UpdatablePepActions outPepActions, UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
DPOverridesAlgResultCombiner resultHelper);
/**
* Finish the algorithm based on all PEP actions and applicable policy lists from all combined elements, and
* previously returned Indeterminate{D}/Indeterminate{P} if any
* Finish the algorithm based on all PEP actions and applicable policy lists from all combined elements, and previously returned Indeterminate{D}/Indeterminate{P} if any
*/
protected abstract ExtendedDecision getFinalResult(final PepActions combinedPepActions,
final UpdatablePepActions outPepActions,
final List<JAXBElement<IdReferenceType>> combinedApplicablePolicies,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
protected abstract ExtendedDecision getFinalResult(final PepActions combinedPepActions, final UpdatablePepActions outPepActions,
final List<JAXBElement<IdReferenceType>> combinedApplicablePolicies, final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
final ExtendedDecision firstIndeterminateD, final ExtendedDecision firstIndeterminateP);
}
\ No newline at end of file
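Review bot: The constructor in the second hunk now accepts `Iterable<? extends Decidable>`, yet `evaluate` walks `getCombinedElements()` on every call, so the combined elements are re-iterated once per authorization decision. A `List` guaranteed a stable, repeatable sequence; a plain `Iterable` may be single-pass or backed by mutable state, which would make successive decisions for the same policy set non-deterministic. Unless `BaseCombiningAlg.Evaluator` (outside this diff) snapshots the argument, the constructor should state the contract, e.g. `/** @param combinedElements re-iterable and unchanged after construction; iterated in order once per evaluation */`, or copy it into an unmodifiable list before delegating to `super`.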
......@@ -22,6 +22,9 @@ import java.util.List;
import javax.xml.bind.JAXBElement;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.ExtendedDecision;
......@@ -33,13 +36,9 @@ import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
/**
* This is the standard XACML 3.0 Deny-Overrides policy/rule combining algorithm. It allows a single evaluation of Deny
* to take precedence over any number of permit, not applicable or indeterminate results. Note that since this
* implementation does an ordered evaluation, this class also supports the Ordered-Deny-Overrides-algorithm.
* This is the standard XACML 3.0 Deny-Overrides policy/rule combining algorithm. It allows a single evaluation of Deny to take precedence over any number of permit, not applicable or indeterminate
* results. Note that since this implementation does an ordered evaluation, this class also supports the Ordered-Deny-Overrides-algorithm.
*
* @version $Id: $
*/
......@@ -48,18 +47,17 @@ final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
private static final class Evaluator extends DPOverridesAlgEvaluator
{
private Evaluator(final List<? extends Decidable> combinedElements)
private Evaluator(final Iterable<? extends Decidable> combinedElements)
{
super(combinedElements);
}
@Override
protected ExtendedDecision getOverridingDPResult(final DecisionResult result,
final UpdatablePepActions outPepActions,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
final DPOverridesAlgResultCombiner resultHelper)
protected ExtendedDecision getOverridingDPResult(final DecisionResult result, final UpdatablePepActions outPepActions,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList, final DPOverridesAlgResultCombiner resultHelper)
{
switch (result.getDecision()) {
switch (result.getDecision())
{
case DENY:
if (outApplicablePolicyIdList != null)
{
......@@ -82,15 +80,12 @@ final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
}
@Override
protected ExtendedDecision getFinalResult(final PepActions combinedPermitPepActions,
final UpdatablePepActions outPepActions,
final List<JAXBElement<IdReferenceType>> combinedApplicablePolicies,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
protected ExtendedDecision getFinalResult(final PepActions combinedPermitPepActions, final UpdatablePepActions outPepActions,
final List<JAXBElement<IdReferenceType>> combinedApplicablePolicies, final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
final ExtendedDecision firstIndeterminateD, final ExtendedDecision firstIndeterminateP)
{
/*
* If any Indeterminate{D}, then: if ( any Indeterminate{P} or any Permit ) -> Indeterminate{DP}; else ->
* Indeterminate{D} (this is a simplified equivalent of the algo in the spec)
* If any Indeterminate{D}, then: if ( any Indeterminate{P} or any Permit ) -> Indeterminate{DP}; else -> Indeterminate{D} (this is a simplified equivalent of the algo in the spec)
*/
/*
* atLeastOnePermit == true <=> permitPepActions != null
......@@ -102,11 +97,8 @@ final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
outApplicablePolicyIdList.addAll(combinedApplicablePolicies);
}
return ExtendedDecisions
.newIndeterminate(
firstIndeterminateP != null || combinedPermitPepActions != null
? DecisionType.INDETERMINATE : DecisionType.DENY,
firstIndeterminateD.getStatus());
return ExtendedDecisions.newIndeterminate(firstIndeterminateP != null || combinedPermitPepActions != null ? DecisionType.INDETERMINATE : DecisionType.DENY,
firstIndeterminateD.getStatus());
}
// if we got a PERMIT or Indeterminate{P}, return it, otherwise it's NOT_APPLICABLE
......@@ -142,8 +134,7 @@ final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
/** {@inheritDoc} */
@Override
public CombiningAlg.Evaluator getInstance(final List<CombiningAlgParameter<? extends Decidable>> params,
final List<? extends Decidable> combinedElements)
public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params, final Iterable<? extends Decidable> combinedElements)
throws UnsupportedOperationException, IllegalArgumentException
{
return new Evaluator(combinedElements);
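Review bot: `getInstance` in the last hunk passes `combinedElements` straight to `new Evaluator(combinedElements)` with no null check, while the same method in PermitOverridesAlg in this commit wraps it in `Preconditions.checkNotNull(combinedElements)`. Unless the `BaseCombiningAlg.Evaluator` constructor (not in this diff) rejects null, a null argument surfaces only later as a NullPointerException inside `evaluate`, i.e. at decision time rather than at policy-load time. Suggest `return new Evaluator(Objects.requireNonNull(combinedElements, "combinedElements"));` with `import java.util.Objects;`, here and in DenyUnlessPermitAlg, FirstApplicableAlg, OnlyOneApplicableAlg and PermitUnlessDenyAlg, where the same pattern appears. The unused `params` argument is pre-existing and unchanged by this commit.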
......
......@@ -18,10 +18,11 @@
*/
package org.ow2.authzforce.core.pdp.impl.combining;
import java.util.List;
import javax.xml.bind.JAXBElement;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
......@@ -33,9 +34,6 @@ import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
/**
* Deny-unless-permit combining algorithm
*
......@@ -46,19 +44,17 @@ final class DenyUnlessPermitAlg extends BaseCombiningAlg<Decidable>
private static final class Evaluator extends BaseCombiningAlg.Evaluator<Decidable>
{
private Evaluator(final List<? extends Decidable> combinedElements)
private Evaluator(final Iterable<? extends Decidable> combinedElements)
{
super(combinedElements);
}
@Override
public ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
public ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions, final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
{
assert outPepActions != null;
/*
* The final decision cannot be NotApplicable so we can add all applicable policies straight to
* outApplicablePolicyIdList
* The final decision cannot be NotApplicable so we can add all applicable policies straight to outApplicablePolicyIdList
*/
UpdatablePepActions denyPepActions = null;
......@@ -68,12 +64,13 @@ final class DenyUnlessPermitAlg extends BaseCombiningAlg<Decidable>
final DecisionResult result = combinedElement.evaluate(context);
final DecisionType decision = result.getDecision();
/*
* XACML §7.18: Obligations & Advice: do not return obligations/Advice of the rule, policy, or policy
* set that does not match the decision resulting from evaluating the enclosing policy set.
* XACML §7.18: Obligations & Advice: do not return obligations/Advice of the rule, policy, or policy set that does not match the decision resulting from evaluating the enclosing
* policy set.
*
* So if we return Deny, we should add to outPepActions only the PEP actions from Deny decisions
*/
switch (decision) {
switch (decision)
{
case PERMIT:
if (outApplicablePolicyIdList != null)
{
......@@ -101,8 +98,7 @@ final class DenyUnlessPermitAlg extends BaseCombiningAlg<Decidable>
}
/*
* All applicable policies are already in outApplicablePolicyIdList at this point, so nothing else to do
* with it
* All applicable policies are already in outApplicablePolicyIdList at this point, so nothing else to do with it
*/
outPepActions.add(denyPepActions);
......@@ -113,8 +109,7 @@ final class DenyUnlessPermitAlg extends BaseCombiningAlg<Decidable>
/** {@inheritDoc} */
@Override
public CombiningAlg.Evaluator getInstance(final List<CombiningAlgParameter<? extends Decidable>> params,
final List<? extends Decidable> combinedElements)
public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params, final Iterable<? extends Decidable> combinedElements)
throws UnsupportedOperationException, IllegalArgumentException
{
return new Evaluator(combinedElements);
......
......@@ -18,10 +18,11 @@
*/
package org.ow2.authzforce.core.pdp.impl.combining;
import java.util.List;
import javax.xml.bind.JAXBElement;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
......@@ -33,12 +34,8 @@ import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
/**
* This is the standard First-Applicable policy/rule combining algorithm. It looks through the set of policies/rules,
* finds the first one that applies, and returns that evaluation result.
* This is the standard First-Applicable policy/rule combining algorithm. It looks through the set of policies/rules, finds the first one that applies, and returns that evaluation result.
*
* @version $Id: $
*/
......@@ -48,14 +45,13 @@ final class FirstApplicableAlg extends BaseCombiningAlg<Decidable>
private static final class Evaluator extends BaseCombiningAlg.Evaluator<Decidable>
{
private Evaluator(final List<? extends Decidable> combinedElements)
private Evaluator(final Iterable<? extends Decidable> combinedElements)
{
super(combinedElements);
}
@Override
public ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
public ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions, final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
{
for (final Decidable combinedElement : getCombinedElements())
{
......@@ -64,10 +60,10 @@ final class FirstApplicableAlg extends BaseCombiningAlg<Decidable>
final DecisionType decision = result.getDecision();
/*
* In case of PERMIT, DENY, or INDETERMINATE, we always just return that decision, so only on a rule
* that doesn't apply do we keep going...
* In case of PERMIT, DENY, or INDETERMINATE, we always just return that decision, so only on a rule that doesn't apply do we keep going...
*/
switch (decision) {
switch (decision)
{
case PERMIT:
if (outApplicablePolicyIdList != null)
{
......@@ -105,8 +101,7 @@ final class FirstApplicableAlg extends BaseCombiningAlg<Decidable>
/** {@inheritDoc} */
@Override
public CombiningAlg.Evaluator getInstance(final List<CombiningAlgParameter<? extends Decidable>> params,
final List<? extends Decidable> combinedElements)
public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params, final Iterable<? extends Decidable> combinedElements)
throws UnsupportedOperationException, IllegalArgumentException
{
return new Evaluator(combinedElements);
......
......@@ -18,8 +18,6 @@
*/
package org.ow2.authzforce.core.pdp.impl.combining;
import java.util.List;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
......@@ -45,7 +43,7 @@ final class LegacyDenyOverridesAlg extends BaseCombiningAlg<Decidable>
/** {@inheritDoc} */
@Override
public CombiningAlg.Evaluator getInstance(final List<CombiningAlgParameter<? extends Decidable>> params, final List<? extends Decidable> combinedElements)
public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params, final Iterable<? extends Decidable> combinedElements)
{
throw this.unsupportedLegacyAlgorithmException;
/*
......
......@@ -18,10 +18,9 @@
*/
package org.ow2.authzforce.core.pdp.impl.combining;
import java.util.List;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter;
/**
......@@ -44,7 +43,7 @@ final class LegacyPermitOverridesAlg extends BaseCombiningAlg<Decidable>
/** {@inheritDoc} */
@Override
public Evaluator getInstance(final List<CombiningAlgParameter<? extends Decidable>> parameters, final List<? extends Decidable> combinedElements)
public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> parameters, final Iterable<? extends Decidable> combinedElements)
{
throw this.unsupportedLegacyAlgorithmException;
/*
......
......@@ -18,10 +18,11 @@
*/
package org.ow2.authzforce.core.pdp.impl.combining;
import java.util.List;
import javax.xml.bind.JAXBElement;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.ExtendedDecision;
......@@ -31,14 +32,12 @@ import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.api.UpdatableList;
import org.ow2.authzforce.core.pdp.api.UpdatablePepActions;
import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter;
import org.ow2.authzforce.core.pdp.api.policy.PolicyEvaluator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
/**
* This is the standard only-one-applicable policy combining algorithm.
*
......@@ -53,17 +52,15 @@ final class OnlyOneApplicableAlg extends BaseCombiningAlg<PolicyEvaluator>
private final ExtendedDecision tooManyApplicablePoliciesIndeterminateResult;
private Evaluator(final String algId, final List<? extends PolicyEvaluator> policyElements)
private Evaluator(final String algId, final Iterable<? extends PolicyEvaluator> policyElements)
{
super(policyElements);
this.tooManyApplicablePoliciesIndeterminateResult = ExtendedDecisions
.newIndeterminate(DecisionType.INDETERMINATE, new StatusHelper(StatusHelper.STATUS_PROCESSING_ERROR,
"Too many (more than one) applicable policies for algorithm: " + algId));
this.tooManyApplicablePoliciesIndeterminateResult = ExtendedDecisions.newIndeterminate(DecisionType.INDETERMINATE, new StatusHelper(StatusHelper.STATUS_PROCESSING_ERROR,
"Too many (more than one) applicable policies for algorithm: " + algId));
}
@Override
public ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
public ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions, final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
{
assert outPepActions != null;
......@@ -99,13 +96,13 @@ final class OnlyOneApplicableAlg extends BaseCombiningAlg<PolicyEvaluator>
}
/*
* If we got through the loop, it means we found at most one match, then we return the evaluation result of
* that policy if there is a match
* If we got through the loop, it means we found at most one match, then we return the evaluation result of that policy if there is a match
*/
if (selectedPolicy != null)
{
final DecisionResult result = selectedPolicy.evaluate(context, true);
switch (result.getDecision()) {
switch (result.getDecision())
{
case PERMIT:
case DENY:
outPepActions.add(result.getPepActions());
......@@ -135,8 +132,7 @@ final class OnlyOneApplicableAlg extends BaseCombiningAlg<PolicyEvaluator>
/** {@inheritDoc} */
@Override
public Evaluator getInstance(final List<CombiningAlgParameter<? extends PolicyEvaluator>> params,
final List<? extends PolicyEvaluator> combinedElements)
public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends PolicyEvaluator>> params, final Iterable<? extends PolicyEvaluator> combinedElements)
{
return new Evaluator(this.getId(), combinedElements);
}
......
......@@ -22,6 +22,9 @@ import java.util.List;
import javax.xml.bind.JAXBElement;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.ExtendedDecision;
......@@ -30,17 +33,14 @@ import org.ow2.authzforce.core.pdp.api.PepActions;
import org.ow2.authzforce.core.pdp.api.UpdatableList;
import org.ow2.authzforce.core.pdp.api.UpdatablePepActions;
import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter;
import com.google.common.base.Preconditions;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
/**
* This is the standard Permit-Overrides policy/rule combining algorithm. It allows a single evaluation of Permit to
* take precedence over any number of deny, not applicable or indeterminate results. Note that since this implementation
* does an ordered evaluation, this class also supports the Ordered-Permit-Overrides algorithm.
* This is the standard Permit-Overrides policy/rule combining algorithm. It allows a single evaluation of Permit to take precedence over any number of deny, not applicable or indeterminate results.
* Note that since this implementation does an ordered evaluation, this class also supports the Ordered-Permit-Overrides algorithm.
*
* @version $Id: $
*/
......@@ -48,18 +48,17 @@ final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
{
private static final class Evaluator extends DPOverridesAlgEvaluator
{
private Evaluator(final List<? extends Decidable> combinedElements)
private Evaluator(final Iterable<? extends Decidable> combinedElements)
{
super(combinedElements);
}
@Override
protected ExtendedDecision getOverridingDPResult(final DecisionResult result,
final UpdatablePepActions outPepActions,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
final DPOverridesAlgResultCombiner resultHelper)
protected ExtendedDecision getOverridingDPResult(final DecisionResult result, final UpdatablePepActions outPepActions,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList, final DPOverridesAlgResultCombiner resultHelper)
{
switch (result.getDecision()) {
switch (result.getDecision())
{
case PERMIT:
if (outApplicablePolicyIdList != null)
{
......@@ -82,15 +81,12 @@ final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
}
@Override
protected ExtendedDecision getFinalResult(final PepActions combinedDenyPepActions,
final UpdatablePepActions outPepActions,
final List<JAXBElement<IdReferenceType>> combinedApplicablePolicies,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
protected ExtendedDecision getFinalResult(final PepActions combinedDenyPepActions, final UpdatablePepActions outPepActions,
final List<JAXBElement<IdReferenceType>> combinedApplicablePolicies, final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList,
final ExtendedDecision firstIndeterminateD, final ExtendedDecision firstIndeterminateP)
{
/*
* If any Indeterminate{P}, then: if ( any Indeterminate{D} or any Deny ) -> Indeterminate{DP}; else ->
* Indeterminate{P} (this is a simplified equivalent of the algo in the spec)
* If any Indeterminate{P}, then: if ( any Indeterminate{D} or any Deny ) -> Indeterminate{DP}; else -> Indeterminate{P} (this is a simplified equivalent of the algo in the spec)
*/
/*
* atLeastOneDeny == true <=> denyPepActions != null
......@@ -102,8 +98,8 @@ final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
outApplicablePolicyIdList.addAll(combinedApplicablePolicies);
}
return ExtendedDecisions.newIndeterminate(firstIndeterminateD != null || combinedDenyPepActions != null
? DecisionType.INDETERMINATE : DecisionType.PERMIT, firstIndeterminateP.getStatus());
return ExtendedDecisions.newIndeterminate(firstIndeterminateD != null || combinedDenyPepActions != null ? DecisionType.INDETERMINATE : DecisionType.PERMIT,
firstIndeterminateP.getStatus());
}
if (combinedDenyPepActions != null)
......@@ -134,8 +130,7 @@ final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
/** {@inheritDoc} */
@Override
public Evaluator getInstance(final List<CombiningAlgParameter<? extends Decidable>> params,
final List<? extends Decidable> combinedElements)
public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params, final Iterable<? extends Decidable> combinedElements)
{
return new Evaluator(Preconditions.checkNotNull(combinedElements));
}
......
......@@ -18,10 +18,11 @@
*/
package org.ow2.authzforce.core.pdp.impl.combining;
import java.util.List;
import javax.xml.bind.JAXBElement;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
......@@ -32,9 +33,6 @@ import org.ow2.authzforce.core.pdp.api.UpdatablePepActions;
import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
/**
* permit-unless-deny policy algorithm
*
......@@ -46,19 +44,17 @@ final class PermitUnlessDenyAlg extends BaseCombiningAlg<Decidable>
private static final class Evaluator extends BaseCombiningAlg.Evaluator<Decidable>
{
private Evaluator(final List<? extends Decidable> combinedElements)
private Evaluator(final Iterable<? extends Decidable> combinedElements)
{
super(combinedElements);
}
@Override
public ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions,
final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
public ExtendedDecision evaluate(final EvaluationContext context, final UpdatablePepActions outPepActions, final UpdatableList<JAXBElement<IdReferenceType>> outApplicablePolicyIdList)
{
assert outPepActions != null;
/*
* The final decision cannot be NotApplicable so we can add all applicable policies straight to
* outApplicablePolicyIdList
* The final decision cannot be NotApplicable so we can add all applicable policies straight to outApplicablePolicyIdList
*/
UpdatablePepActions permitPepActions = null;
......@@ -68,12 +64,13 @@ final class PermitUnlessDenyAlg extends BaseCombiningAlg<Decidable>
final DecisionResult result = combinedElement.evaluate(context);
final DecisionType decision = result.getDecision();
/*
* XACML §7.18: Obligations & Advice: do not return obligations/Advice of the rule, policy, or policy
* set that does not match the decision resulting from evaluating the enclosing policy set.
* XACML §7.18: Obligations & Advice: do not return obligations/Advice of the rule, policy, or policy set that does not match the decision resulting from evaluating the enclosing
* policy set.
*
* So if we return Deny, we should add to outPepActions only the PEP actions from Deny decisions
*/
switch (decision) {
switch (decision)
{
case DENY:
if (outApplicablePolicyIdList != null)
{
......@@ -101,8 +98,7 @@ final class PermitUnlessDenyAlg extends BaseCombiningAlg<Decidable>
}
/*
* All applicable policies are already in outApplicablePolicyIdList at this point, so nothing else to do
* with it
* All applicable policies are already in outApplicablePolicyIdList at this point, so nothing else to do with it
*/
outPepActions.add(permitPepActions);
......@@ -113,8 +109,7 @@ final class PermitUnlessDenyAlg extends BaseCombiningAlg<Decidable>
/** {@inheritDoc} */
@Override
public Evaluator getInstance(final List<CombiningAlgParameter<? extends Decidable>> params,
final List<? extends Decidable> combinedElements)
public Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params, final Iterable<? extends Decidable> combinedElements)
{
return new Evaluator(combinedElements);
}
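Review bot: `getInstance` at the end of this section still declares its return type as the private nested `Evaluator`, whereas the parallel change in DenyOverridesAlg, FirstApplicableAlg, OnlyOneApplicableAlg, LegacyPermitOverridesAlg and PermitOverridesAlg widens it to `CombiningAlg.Evaluator` in the same commit. Returning a private nested type from a public method compiles but is inconsistent with the sibling classes and leaks the implementation class into the signature. Suggest `public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params, final Iterable<? extends Decidable> combinedElements)` plus `import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;`, which this file's import hunk does not currently show.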
......
......@@ -290,6 +290,8 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
private final PolicyMap<StaticTopLevelPolicyElementEvaluator> policyMap;
private final PolicyMap<PolicyWithNamespaces<PolicySet>> jaxbPolicySetMap;
private final Table<String, PolicyVersion, StaticTopLevelPolicyElementEvaluator> policySetMapToUpdate;
private final Set<String> parsedPolicyIds;
private final Set<String> parsedPolicySetIds =
private InitOnlyRefPolicyProvider(final PolicyMap<StaticTopLevelPolicyElementEvaluator> policyMap,
final PolicyMap<PolicyWithNamespaces<PolicySet>> jaxbPolicySetMap,
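Review bot: The two new fields `parsedPolicyIds` and `parsedPolicySetIds` are keyed by id alone (`Set<String>`), while the neighbouring `policySetMapToUpdate` is keyed by id and `PolicyVersion`. If these sets drive the uniqueness check named in the commit title, two versions of the same PolicySetId, which XACML permits and which the version-keyed table is built for, would be rejected as duplicates; the code that fills and consults the sets is in the part of this diff the page does not display, so this may already be handled. If id-only uniqueness is intended, a comment on the fields should say so, e.g. `// ids of all policies parsed so far; a second policy with the same id (any version) is rejected`; otherwise key on id and version. The rendered line for `parsedPolicySetIds` ends at `=` and looks truncated, and the enclosing constructor signature continues outside the hunk.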
......