Commit 92736549 authored by cdanger

Merge branch 'release/15.0.0'

Conflicts:
	CHANGELOG.md
	pdp-cli/pom.xml
	pdp-engine/pom.xml
	pdp-io-xacml-json/pom.xml
	pdp-testutils/pom.xml
	pom.xml
parents f0076229 b464ea81
## Migration from v14.x to 15.x
- Modify the PDP configuration (XML): replace the XML namespace `http://authzforce.github.io/core/xmlns/pdp/7.0` with `http://authzforce.github.io/core/xmlns/pdp/7`.
## Migration from v13.x to v14.x
- Make sure all your custom PolicyProviders implement the new PolicyProvider interfaces, i.e. BaseStaticPolicyProvider or, as fallback option, CloseableStaticPolicyProvider
- Modify the PDP configuration (XML):
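Review bot: the v14-to-v15 migration note only covers the namespace change, but the configuration files updated in this same merge also change the `version` attribute on `<pdp>` from `version="7.0.0"` to `version="7.1"` (and the README minimal example drops it altogether); the migration step should say what users are expected to do with `version`. Minor: the heading reads "v14.x to 15.x" while the one below uses "v13.x to v14.x", so "v15.x" would be consistent.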
......
......@@ -115,7 +115,7 @@ To give you an example on how to test a XACML Policy (or PolicySet) and Request,
$ ./authzforce-ce-core-pdp-cli-14.0.0.jar pdp.xml IIA001/Request.xml
```
* `pdp.xml`: PDP configuration file, that defines the location(s) of XACML policy(ies), among other PDP engine parameters; the content of this file is a XML document compliant with the PDP configuration [XML schema](pdp-engine/src/main/resources/pdp.xsd), so you can read the documentation of every configuration parameter in that schema file; **Feel free to change the policy location to point to your own for testing.**
* `pdp.xml`: PDP configuration file in XML format, that defines the location(s) of XACML policy(ies) and more; for more information about PDP configuration parameters, the configuration format is fully specified and documented in the [XML schema `pdp.xsd`](pdp-engine/src/main/resources/pdp.xsd), also available in a [more user-friendly HTML form](https://authzforce.github.io/pdp.xsd/7.1). **Feel free to change the policy location to point to your own for testing.**
* `Request.xml`: XACML request in XACML 3.0/XML (core specification) format. **Feel free to replace with your own for testing.**
If you want to test the JSON Profile of XACML 3.0, run it with extra option `-t XACML_JSON`:
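Review bot: the example command still invokes `authzforce-ce-core-pdp-cli-14.0.0.jar` although this merge releases 15.0.0 and the pdp-cli module now builds with `<version>15.0.0</version>`; bump the jar name in the example so the copy-paste command matches the produced artifact.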
......@@ -147,15 +147,14 @@ Since this is a Maven artifact and it requires dependencies, you should build yo
To get started using a PDP to evaluate XACML requests, the first step is to write/get a XACML 3.0 policy. Please refer to [XACML v3.0 - Core standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) for the syntax. For a basic example, see [this one](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/mandatory/IIA001/IIA001Policy.xml).
Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#getInstance(String)](pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java#L663). The required parameter *confLocation* must be the location of the PDP configuration file. The content of such file is a XML document compliant with the PDP configuration [XML schema](pdp-engine/src/main/resources/pdp.xsd). This schema defines every configuration parameter with associated documentation. Here is a minimal example of configuration:
Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#getInstance(String)](pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java#L663). The required parameter *confLocation* must be the location of the PDP configuration file. For more information about PDP configuration parameters, the configuration format is fully specified and documented in the [XML schema `pdp.xsd`](pdp-engine/src/main/resources/pdp.xsd), also available in a [more user-friendly HTML form](https://authzforce.github.io/pdp.xsd/7.1). Here is a minimal example of configuration:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7">
<policyProvider id="policyProvider" xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/policy.xml</policyLocation>
</policyProvider>
<rootPolicyRef>root</rootPolicyRef>
</pdp>
```
This is a basic PDP configuration with basic settings and the root policy (XACML 3.0 Policy document) loaded from a file `policy.xml` located in the same directory as this PDP configuration file (see previous paragraph for an example of policy).
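Review bot: the link `PdpEngineConfiguration.java#L663` is a line-number anchor into a file this same commit modifies above that line (the visible hunks at 56, 91 and 374 add 1, 3 and 17 lines), so the anchor is now off by at least 21 lines; link to the class or to a method-name anchor instead. Also, the minimal example now has no `version` attribute on `<pdp>` while the test configurations in this merge set `version="7.1"`; if the attribute is optional, say so here, otherwise add it to the example.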
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>14.0.1</version>
<version>15.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-cli</artifactId>
......@@ -30,12 +30,12 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
<version>14.0.1</version>
<version>15.0.0</version>
</dependency>
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
<version>14.0.1</version>
<version>15.0.0</version>
</dependency>
<dependency>
<groupId>org.testng</groupId>
......@@ -46,7 +46,7 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
<version>14.0.1</version>
<version>15.0.0</version>
<scope>test</scope>
</dependency>
</dependencies>
......
<?xml version="1.0" encoding="UTF-8"?>
<pdp
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0"
version="7.0.0">
xmlns="http://authzforce.github.io/core/xmlns/pdp/7"
version="7.1">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
......
......@@ -3,7 +3,11 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<<<<<<< HEAD
<version>14.0.1</version>
=======
<version>15.0.0</version>
>>>>>>> refs/heads/release/15.0.0
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
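Review bot: unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> refs/heads/release/15.0.0`) were committed into pdp-engine/pom.xml; the file is no longer well-formed XML, so the engine module and every module depending on it will fail to build. Resolve to `<version>15.0.0</version>`, as in the other parent references in this merge (pdp-cli, pdp-io-xacml-json, pdp-testutils).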
......
......@@ -56,6 +56,7 @@ import org.ow2.authzforce.core.pdp.api.func.Function;
import org.ow2.authzforce.core.pdp.api.io.XacmlJaxbParsingUtils;
import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns;
import org.ow2.authzforce.core.pdp.api.policy.PrimaryPolicyMetadata;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
......@@ -91,6 +92,9 @@ import com.google.common.collect.ImmutableMap;
*/
public final class PdpEngineConfiguration
{
private static final IllegalArgumentException ILLEGAL_ROOT_POLICY_REF_CONFIG_EXCEPTION = new IllegalArgumentException(
"Configuration parameter 'rootPolicyRef' is undefined and 'policyProvider' does not provide any candidate root policy. Please define 'rootPolicyRef' parameter or modify the Policy Provider to return a candidate root policy.");
private static final IllegalArgumentException NULL_REQPREPROC_EXCEPTION = new IllegalArgumentException(
"Undefined request preprocessor ('requestPreproc' element) in I/O processing chain ('ioProcChain' element)");
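Review bot: `ILLEGAL_ROOT_POLICY_REF_CONFIG_EXCEPTION` is a shared, preallocated exception instance, so its stack trace is captured at class initialization rather than at the `throw` site and is of no use when diagnosing a misconfiguration. It follows the pre-existing `NULL_REQPREPROC_EXCEPTION` pattern, so either accept it as the file's convention or construct the exception at the throw site, where the message could also name the policyProvider that returned no candidate.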
......@@ -374,14 +378,31 @@ public final class PdpEngineConfiguration
final TopLevelPolicyElementRef rootPolicyRef = pdpJaxbConf.getRootPolicyRef();
/*
* PDP XSD assumed to ensure rootPolicyRef is defined
* If rootPolicyRef is undefined, we expect the Policy Provider to provide one and only once static policy, the one to be used as root policy.
*/
assert rootPolicyRef != null;
final Boolean mustBePolicySet = rootPolicyRef.isPolicySet();
this.rootPolicyElementType = mustBePolicySet == null ? Optional.empty()
: mustBePolicySet.booleanValue() ? Optional.of(TopLevelPolicyElementType.POLICY_SET) : Optional.of(TopLevelPolicyElementType.POLICY);
this.rootPolicyId = rootPolicyRef.getValue();
this.rootPolicyVersionPatterns = Optional.ofNullable(new PolicyVersionPatterns(rootPolicyRef.getVersion(), null, null));
if (rootPolicyRef == null)
{
LOGGER.debug("'rootPolicyRef' configuration parameter undefined. Getting root policy reference from 'policyProvider': {}", policyProvider);
final Optional<PrimaryPolicyMetadata> candidateRootPolicyMeta = policyProvider.getCandidateRootPolicy();
if (!candidateRootPolicyMeta.isPresent())
{
throw ILLEGAL_ROOT_POLICY_REF_CONFIG_EXCEPTION;
}
final PrimaryPolicyMetadata nonNullCandidateRootPolicyRef = candidateRootPolicyMeta.get();
LOGGER.info("'rootPolicyRef' undefined in PDP configuration -> setting root policy to the one candidate returned by the PolicyProvider: {}", nonNullCandidateRootPolicyRef);
this.rootPolicyElementType = Optional.of(nonNullCandidateRootPolicyRef.getType());
this.rootPolicyId = nonNullCandidateRootPolicyRef.getId();
this.rootPolicyVersionPatterns = Optional.of(new PolicyVersionPatterns(nonNullCandidateRootPolicyRef.getVersion().toString(), null, null));
}
else
{
final Boolean mustBePolicySet = rootPolicyRef.isPolicySet();
this.rootPolicyElementType = mustBePolicySet == null ? Optional.empty()
: mustBePolicySet.booleanValue() ? Optional.of(TopLevelPolicyElementType.POLICY_SET) : Optional.of(TopLevelPolicyElementType.POLICY);
this.rootPolicyId = rootPolicyRef.getValue();
this.rootPolicyVersionPatterns = Optional.ofNullable(new PolicyVersionPatterns(rootPolicyRef.getVersion(), null, null));
}
// Decision cache
final AbstractDecisionCache decisionCacheJaxbConf = pdpJaxbConf.getDecisionCache();
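Review bot: the new fallback is undocumented: `rootPolicyRef` becomes optional and the root policy is then whatever single policy the provider holds, yet the README hunks in this merge still present `<rootPolicyRef>root</rootPolicyRef>` as part of the minimal configuration and the migration notes do not mention it. It also deserves a CHANGELOG entry, because the effective root now depends on the contents of the policy location: with a glob such as `${PARENT_DIR}/policies/*.xml`, adding a second file turns a working PDP into one that fails at startup with the IllegalArgumentException (the safe direction, but surprising without a note). Two small points: the comment "one and only once static policy" should read "one and only one", and `Optional.ofNullable(new PolicyVersionPatterns(...))` in the else branch wraps a value that cannot be null, where the new branch correctly uses `Optional.of`.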
......
......@@ -28,6 +28,7 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Deque;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
......@@ -44,12 +45,15 @@ import org.ow2.authzforce.core.pdp.api.XmlUtils.XmlnsFilteringParser;
import org.ow2.authzforce.core.pdp.api.XmlUtils.XmlnsFilteringParserFactory;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry;
import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.policy.BasePrimaryPolicyMetadata;
import org.ow2.authzforce.core.pdp.api.policy.BaseStaticPolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.PolicyRefsMetadata;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersion;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns;
import org.ow2.authzforce.core.pdp.api.policy.PrimaryPolicyMetadata;
import org.ow2.authzforce.core.pdp.api.policy.StaticTopLevelPolicyElementEvaluator;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.ResourceUtils;
......@@ -716,6 +720,73 @@ public class CoreStaticPolicyProvider extends BaseStaticPolicyProvider
return policy;
}
/**
* Returns the latest version of the policy if there is only one in #{@code policyMap}; else null.
*/
private static final <P> PrimaryPolicyMetadata getCandidateRootPolicy(final TopLevelPolicyElementType policyElementType, final PolicyMap<P> policyMap)
{
final Iterator<Entry<String, PolicyVersions<P>>> policyEvaluatorsIt = policyMap.entrySet().iterator();
if (!policyEvaluatorsIt.hasNext())
{
/*
* No policy
*/
return null;
}
/*
* There is at least one policy
*/
final Entry<String, PolicyVersions<P>> firstPolicyEvaluatorEntry = policyEvaluatorsIt.next();
/*
* If there is only one policy, it is the candidate root policy; else we don't know which one so return none.
*/
if (policyEvaluatorsIt.hasNext())
{
return null;
}
/*
* There is only one policy, use latest version as candidate root policy
*/
final Entry<PolicyVersion, P> latestPolicyVersion = firstPolicyEvaluatorEntry.getValue().getLatest(Optional.empty());
assert latestPolicyVersion != null;
final BasePrimaryPolicyMetadata candidateRootPolicyMeta = new BasePrimaryPolicyMetadata(policyElementType, firstPolicyEvaluatorEntry.getKey(), latestPolicyVersion.getKey());
return candidateRootPolicyMeta;
}
/**
* Returns the candidate root policy which is in this case determined as follows: if there is one and only one Policy provided, return the latest version of this Policy; else if there is one and
* only one PolicySet, return the latest version of this PolicySet; else none.
*/
@Override
public Optional<PrimaryPolicyMetadata> getCandidateRootPolicy()
{
/*
* Look for the one and only Policy
*/
final PrimaryPolicyMetadata candidateRootPolicy = getCandidateRootPolicy(TopLevelPolicyElementType.POLICY, this.policyEvaluatorMap);
if (candidateRootPolicy != null)
{
return Optional.of(candidateRootPolicy);
}
/*
* No single Policy, try with PolicySet
*/
final PrimaryPolicyMetadata candidateRootPolicySet = getCandidateRootPolicy(TopLevelPolicyElementType.POLICY_SET, this.policySetEvaluatorMap);
if (candidateRootPolicySet != null)
{
return Optional.of(candidateRootPolicySet);
}
/*
* No single policy(set)
*/
return Optional.empty();
}
@Override
public void close()
{
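Review bot: `getCandidateRootPolicy()` prefers a lone Policy over a lone PolicySet, so a provider holding exactly one Policy and exactly one PolicySet (the common layout where the PolicySet references the Policy) silently selects the Policy as root and the PolicySet is never evaluated. The static helper's Javadoc returns null when the choice is ambiguous; treat this case as ambiguous too, i.e. return `Optional.empty()` whenever both maps are non-empty, or prefer the PolicySet. Minor: `private static final <P>` is redundant (`final` has no effect on a static method), and the Javadoc `#{@code policyMap}` has a stray `#`.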
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>14.0.1</version>
<version>15.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
......@@ -41,7 +41,7 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
<version>14.0.1</version>
<version>15.0.0</version>
<scope>test</scope>
</dependency>
</dependencies>
......
......@@ -2,8 +2,8 @@
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0"
version="7.0.0">
xmlns="http://authzforce.github.io/core/xmlns/pdp/7"
version="7.1">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>14.0.1</version>
<version>15.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
......@@ -23,7 +23,7 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-engine</artifactId>
<version>14.0.1</version>
<version>15.0.0</version>
</dependency>
<dependency>
<groupId>org.mongodb</groupId>
......
......@@ -2,12 +2,11 @@
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0"
version="7.0.0">
xmlns="http://authzforce.github.io/core/xmlns/pdp/7"
version="7.1">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
</policyProvider>
<rootPolicyRef>root</rootPolicyRef>
</pdp>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
</policyProvider>
<rootPolicyRef>root</rootPolicyRef>
</pdp>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
</policyProvider>
<rootPolicyRef>root</rootPolicyRef>
</pdp>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
</policyProvider>
<rootPolicyRef>root</rootPolicyRef>
</pdp>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
</policyProvider>
<rootPolicyRef>root</rootPolicyRef>
</pdp>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
</policyProvider>
<rootPolicyRef>root</rootPolicyRef>
</pdp>
<?xml version="1.0" encoding="UTF-8"?>
<tns:attributeProvider id="test" xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/7.0" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:test="http://authzforce.github.io/core/xmlns/test/3"
<tns:attributeProvider id="test" xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/7" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:test="http://authzforce.github.io/core/xmlns/test/3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="test:TestAttributeProviderDescriptor">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:example:attribute:role" IncludeInResult="false">
......
......@@ -2,15 +2,14 @@
<!-- Testing parameter 'maxPolicySetRefDepth' -->
<pdp
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0"
version="7.0.0">
xmlns="http://authzforce.github.io/core/xmlns/pdp/7"
version="7.1">
<combiningAlgorithm>urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:on-permit-apply-second</combiningAlgorithm>
<policyProvider
id="refPolicyprovider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/policies/*.xml</policyLocation>
</policyProvider>
<rootPolicyRef>root</rootPolicyRef>
<ioProcChain>
<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax</requestPreproc>
</ioProcChain>
......