Commit 9be728ec authored by cdanger's avatar cdanger

Merge branch 'release/3.8.0'

parents 1b4ccc36 67025e7e
......@@ -11,3 +11,4 @@
*.log
/.pmd
/.eclipse-pmd
/.pmdruleset.xml
# Change log
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions.
## 3.8.0
### Changed
- PDP XML schema: maxVariableRefDepth and maxPolicyRefDepth attributes made optional (instead of required)
### Added
- PDP XML schema: 'requestFilter' attribute (RequestFilter extension):
- Added documentation about natively supported values, with '-lax' suffix meaning that duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request is allowed (in compliance with XACML 3.0 core spec, §7.3.3), and '-strict' suffix meaning that it is not allowed (not strictly compliant with XACML 3.0 Core, section 7.3.3):
- 'urn:ow2:authzforce:xacml:request-filter:default-lax' and 'urn:ow2:authzforce:xacml:request-filter:default-strict': default requestFilter limited to what is specified in XACML 3.0 Core specification
- 'urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-lax' and 'urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-strict': implement Multiple Decision Profile, section 2.3 (repeated attribute categories)
- Added XSD-defined default value for this 'requestFilter' attribute: 'urn:ow2:authzforce:xacml:request-filter:default-lax'
- Support for Extended Indeterminate values (XACML 3.0 Core specification, section 7.10-7.14, appendix C: combining algorithms)
- PdpImpl#getStaticApplicablePolicies() method that provides all the PDP's applicable policies (root and referenced - directly or indirectly - from the root policy) if all are statically resolved. This allows PDP clients to know all the policies (if statically resolved) possibly used by the PDP during the evaluation.
## 3.7.0
### Added
- Root policy provider module based on any policy-by-reference provider (parameter is the root policy reference to be resolved by the policy-by-reference provider)
# Contribution Rules
- No SNAPSHOT dependencies on "develop" and obviously "master" branches
\ No newline at end of file
1. No SNAPSHOT dependencies on "develop" and obviously "master" branches
# Releases
1. Start a release: `$ mvn jgitflow:release-start`
2. Remove any SNAPSHOT dependency
3. Update the CHANGELOG.md
4. Finish a release: `$ mvn jgitflow:release-finish`
More info on jgitflow: http://jgitflow.bitbucket.org/
......@@ -6,7 +6,7 @@
<version>3.3.7</version>
</parent>
<artifactId>authzforce-ce-core</artifactId>
<version>3.7.0</version>
<version>3.8.0</version>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthZForce Community Edition - XACML-compliant Core Engine</description>
<url>https://tuleap.ow2.org/projects/authzforce</url>
......@@ -55,8 +55,8 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
<!-- Major/minor version should match this artifact major/minor version to respect Semantic Versioning; -->
<version>3.6.1</version>
<!-- Major/minor version should match this artifact major/minor version to respect Semantic Versioning -->
<version>3.7.0</version>
</dependency>
<!-- /Authzforce dependencies -->
......@@ -232,6 +232,9 @@
<version>2.12.4</version>
<configuration>
<skipTests>false</skipTests>
<systemPropertyVariables>
<javax.xml.accessExternalSchema>all</javax.xml.accessExternalSchema>
</systemPropertyVariables>
<includes>
<include>**/MainTest.java</include>
</includes>
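Review bot: The new `<javax.xml.accessExternalSchema>all</javax.xml.accessExternalSchema>` system property lifts the JAXP restriction on external schema fetching for the whole test JVM, which is broader than the tests presumably need and is the kind of setting that tends to get copied into production configuration where it widens what XML parsing may reach over the network. Narrow it to the protocol actually required, e.g. `<javax.xml.accessExternalSchema>file</javax.xml.accessExternalSchema>`, and add an XML comment next to it naming which schema resolution needs it so the relaxation stays deliberate. Separately, the reworded comment above the core-pdp-api dependency still says its major/minor version should match this artifact's, yet the artifact is now 3.8.0 while the dependency is 3.7.0, so either the comment or the version is stale.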
......@@ -35,7 +35,8 @@ import org.ow2.authzforce.core.pdp.api.PepActions;
*/
public final class BaseDecisionResult implements DecisionResult
{
private static final IllegalArgumentException ILLEGAL_DECISION_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined Decision");
private static final IllegalArgumentException ILLEGAL_DECISION_ARGUMENT_EXCEPTION = new IllegalArgumentException(
"Undefined Decision");
/**
* NotApplicable decision result
......@@ -54,6 +55,21 @@ public final class BaseDecisionResult implements DecisionResult
private final DecisionType decision;
/**
* Extended Indeterminate value, as defined in section 7.10 of XACML 3.0 core: <i>potential effect value which could
* have occurred if there would not have been an error causing the “Indeterminate”</i>. We use the following
* convention:
* <ul>
* <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
* <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
* <li>Null means "Indeterminate{DP}"</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not Indeterminate, and
* therefore any extended Indeterminate value should be ignored</li>
* </ul>
*
*/
private final DecisionType extIndeterminate;
private final Status status;
// initialized non-null
......@@ -67,6 +83,8 @@ public final class BaseDecisionResult implements DecisionResult
*
* @param decision
* decision
* @param extendedIndeterminate
* Extended Indeterminate value, null if {@code decision != DecisionType.INDETERMINATE}
* @param status
* status
* @param pepActions
......@@ -74,7 +92,8 @@ public final class BaseDecisionResult implements DecisionResult
* @param policyIdentifierList
* list of matched policy identifiers
*/
public BaseDecisionResult(DecisionType decision, Status status, PepActions pepActions, List<JAXBElement<IdReferenceType>> policyIdentifierList)
public BaseDecisionResult(DecisionType decision, DecisionType extendedIndeterminate, Status status,
PepActions pepActions, List<JAXBElement<IdReferenceType>> policyIdentifierList)
{
if (decision == null)
{
......@@ -82,26 +101,51 @@ public final class BaseDecisionResult implements DecisionResult
}
this.decision = decision;
this.extIndeterminate = extendedIndeterminate;
this.status = status;
this.pepActions = pepActions == null ? new BasePepActions(null, null) : pepActions;
this.applicablePolicyIdList = policyIdentifierList == null ? new ArrayList<JAXBElement<IdReferenceType>>() : policyIdentifierList;
this.applicablePolicyIdList = policyIdentifierList == null ? new ArrayList<JAXBElement<IdReferenceType>>()
: policyIdentifierList;
}
/**
* Instantiates a Indeterminate Decision result with a given error status
*
* @param extendedIndeterminate
* Extended Indeterminate value (XACML 3.0 Core, section 7.10). We use the following convention:
* <ul>
* <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
* <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
* <li>{@link DecisionType#INDETERMINATE} means "Indeterminate{DP}"</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not
* Indeterminate, and therefore any extended Indeterminate value should be ignored</li>
* </ul>
*
* @param status
* reason/code for Indeterminate
*/
public BaseDecisionResult(Status status, DecisionType extendedIndeterminate)
{
this(DecisionType.INDETERMINATE, extendedIndeterminate, status, null, null);
}
/**
* Instantiates a Indeterminate Decision result with a given error status and extended Indeterminate set to
* Indeterminate{DP}
*
* @param status
* reason/code for Indeterminate
*/
public BaseDecisionResult(Status status)
{
this(DecisionType.INDETERMINATE, status, null, null);
this(DecisionType.INDETERMINATE, DecisionType.INDETERMINATE, status, null, null);
}
/**
* Instantiates a Permit/Deny decision with optional obligations and advice. See {@link #BaseDecisionResult(Status)} for Indeterminate, and
* {@link #NOT_APPLICABLE} for NotApplicable.
* Instantiates a Permit/Deny decision with optional obligations and advice. See
* {@link #BaseDecisionResult(Status, DecisionType)} for Indeterminate, and {@link #NOT_APPLICABLE} for
* NotApplicable.
*
* @param decision
* decision
......@@ -110,7 +154,7 @@ public final class BaseDecisionResult implements DecisionResult
*/
public BaseDecisionResult(DecisionType decision, PepActions pepActions)
{
this(decision, null, pepActions, null);
this(decision, DecisionType.NOT_APPLICABLE, null, pepActions, null);
}
private transient volatile int hashCode = 0;
......@@ -120,7 +164,8 @@ public final class BaseDecisionResult implements DecisionResult
{
if (hashCode == 0)
{
hashCode = Objects.hash(this.decision, this.status, this.pepActions, this.applicablePolicyIdList);
hashCode = Objects.hash(this.decision, this.extIndeterminate, this.status, this.pepActions,
this.applicablePolicyIdList);
}
return hashCode;
......@@ -145,6 +190,11 @@ public final class BaseDecisionResult implements DecisionResult
return false;
}
if (this.extIndeterminate != other.getExtendedIndeterminate())
{
return false;
}
// Status is optional in XACML
if (this.status == null)
{
......@@ -218,7 +268,8 @@ public final class BaseDecisionResult implements DecisionResult
}
/**
* Merge extra PEP actions and/or matched policy identifiers. Used when combining results from child Rules of Policy or child Policies of PolicySet
* Merge extra PEP actions and/or matched policy identifiers. Used when combining results from child Rules of Policy
* or child Policies of PolicySet
*
* @param newPepActions
* new PEP actions
......@@ -242,8 +293,14 @@ public final class BaseDecisionResult implements DecisionResult
@Override
public String toString()
{
return "Result [decision=" + decision + ", status=" + status + ", pepActions=" + pepActions + ", applicablePolicyIdList=" + applicablePolicyIdList
+ "]";
return "Result [decision=" + decision + ", status=" + status + ", pepActions=" + pepActions
+ ", applicablePolicyIdList=" + applicablePolicyIdList + "]";
}
@Override
public DecisionType getExtendedIndeterminate()
{
return this.extIndeterminate;
}
}
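Review bot: The documentation of the new extIndeterminate convention contradicts the code: the field Javadoc says `Null means "Indeterminate{DP}"` and the main constructor's `@param extendedIndeterminate` says it is null when the decision is not Indeterminate, but the Status-only constructor passes `DecisionType.INDETERMINATE` for Indeterminate{DP} and the Permit/Deny constructor passes `DecisionType.NOT_APPLICABLE`, which is also what the second constructor's Javadoc describes. Since combining algorithms presumably branch on this value to pick Deny versus Permit on error, a caller following the field Javadoc and passing null would get a result that is neither {DP} nor "not Indeterminate" under the code's convention. Replace the field list item with `* <li>{@link DecisionType#INDETERMINATE} means "Indeterminate{DP}"</li>` and the constructor entry with `Extended Indeterminate value; {@link DecisionType#NOT_APPLICABLE} if {@code decision != DecisionType.INDETERMINATE}`. Consider also rejecting null in the main constructor with `this.extIndeterminate = Objects.requireNonNull(extendedIndeterminate, "Undefined extended Indeterminate");` so equals/hashCode never see a value the documented convention does not define.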
......@@ -19,10 +19,6 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import org.ow2.authzforce.core.pdp.api.BaseRequestFilter;
import org.ow2.authzforce.core.pdp.api.DatatypeFactoryRegistry;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
......@@ -32,6 +28,10 @@ import org.ow2.authzforce.core.pdp.api.RequestFilter;
import org.ow2.authzforce.core.pdp.api.SingleCategoryAttributes;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
/**
* Default Request filter for Individual Decision Requests only (no support of Multiple Decision Profile in particular)
*
......@@ -46,7 +46,10 @@ public final class DefaultRequestFilter extends BaseRequestFilter
*/
public static final class LaxFilterFactory implements RequestFilter.Factory
{
private static final String ID = "urn:thalesgroup:xacml:request-filter:default-lax";
/**
* Request filter ID, as returned by {@link #getId()}
*/
public static final String ID = "urn:ow2:authzforce:xacml:request-filter:default-lax";
@Override
public String getId()
......@@ -55,8 +58,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
}
@Override
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
Processor xmlProcessor)
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
{
return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, requireContentForXPath, xmlProcessor);
}
......@@ -76,7 +78,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
*/
public static final class StrictFilterFactory implements RequestFilter.Factory
{
private static final String ID = "urn:thalesgroup:xacml:request-filter:default-strict";
private static final String ID = "urn:ow2:authzforce:xacml:request-filter:default-strict";
@Override
public String getId()
......@@ -85,23 +87,19 @@ public final class DefaultRequestFilter extends BaseRequestFilter
}
@Override
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
Processor xmlProcessor)
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
{
return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, requireContentForXPath, xmlProcessor);
}
}
private DefaultRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates,
boolean requireContentForXPath, Processor xmlProcessor)
private DefaultRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Processor xmlProcessor)
{
super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, xmlProcessor);
}
@Override
public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser,
boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix)
throws IndeterminateEvaluationException
public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
{
/*
......@@ -123,9 +121,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
final String categoryName = jaxbAttributes.getCategory();
if (!attrCategoryNames.add(categoryName))
{
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName
+ "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)",
StatusHelper.STATUS_SYNTAX_ERROR);
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName + "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);
}
final SingleCategoryAttributes<?> categorySpecificAttributes = xacmlAttrsParser.parseAttributes(jaxbAttributes, xPathCompiler);
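Review bot: `StrictFilterFactory.ID` keeps its `private static final` visibility while `LaxFilterFactory.ID` in the same file was made `public` with a Javadoc, and the changelog lists both default-lax and default-strict as user-facing requestFilter values; the strict ID should be exposed the same way, `/** Request filter ID, as returned by {@link #getId()} */ public static final String ID = "urn:ow2:authzforce:xacml:request-filter:default-strict";`, which also matches how MultiDecisionRequestFilter exposes both of its IDs. As a point of style, the hunks collapse the previously wrapped signatures of `getInstance`, the private constructor, `filter` and the IndeterminateEvaluationException message into single lines well beyond 200 columns, while BaseDecisionResult in this same commit is being re-wrapped at about 120; the file would read more consistently if one wrapping rule were applied across the commit.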
......@@ -22,10 +22,6 @@ import java.util.Map;
import java.util.Map.Entry;
import java.util.Queue;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import org.ow2.authzforce.core.pdp.api.BaseRequestFilter;
import org.ow2.authzforce.core.pdp.api.DatatypeFactoryRegistry;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
......@@ -35,8 +31,12 @@ import org.ow2.authzforce.core.pdp.api.RequestFilter;
import org.ow2.authzforce.core.pdp.api.SingleCategoryAttributes;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
/**
* Request filter implementing Multiple Decision Request, section 2.3 (repeated attribute categories). Other schems are not supported.
* Request filter implementing Multiple Decision Profile, section 2.3 (repeated attribute categories). Other schemes are not supported.
*
*/
public final class MultiDecisionRequestFilter extends BaseRequestFilter
......@@ -49,7 +49,10 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
*/
public static final class LaxFilterFactory implements RequestFilter.Factory
{
private static final String ID = "urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-lax";
/**
* Request filter ID, returned by {@link #getId()}
*/
public static final String ID = "urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-lax";
@Override
public String getId()
......@@ -58,8 +61,7 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
}
@Override
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
Processor xmlProcessor)
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
{
return new MultiDecisionRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, requireContentForXPath, xmlProcessor);
}
......@@ -73,7 +75,10 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
*/
public static final class StrictFilterFactory implements RequestFilter.Factory
{
private static final String ID = "urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-strict";
/**
* Request filter ID, returned by {@link #getId()}
*/
public static final String ID = "urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-strict";
@Override
public String getId()
......@@ -82,8 +87,7 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
}
@Override
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
Processor xmlProcessor)
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
{
return new MultiDecisionRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, requireContentForXPath, xmlProcessor);
}
......@@ -91,16 +95,13 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
// private static Logger LOGGER = LoggerFactory.getLogger(MultiDecisionRequestFilter.class);
private MultiDecisionRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates,
boolean requireContentForXPath, Processor xmlProcessor)
private MultiDecisionRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Processor xmlProcessor)
{
super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, xmlProcessor);
}
@Override
public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser,
boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix)
throws IndeterminateEvaluationException
public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
{
/*
* Parse Request attributes and group possibly repeated categories to implement Multiple Decision Profile, §2.3.
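Review bot: Renaming the two factory IDs from `urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-lax`/`-strict` to the `urn:ow2:authzforce:xacml:request-filter:multiple:...` values is a breaking change for any existing PDP configuration whose `requestFilter` attribute still carries the old value, which would presumably fail at extension lookup rather than fall back to a default. The changelog in this commit records the new IDs only under "Added" and says nothing about the old IDs no longer being recognised, so a "Changed" entry naming the retired identifiers is needed at minimum. If the extension loader can register more than one ID per factory, keeping the old identifiers as deprecated aliases for one release would avoid silent configuration breakage.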
......@@ -25,11 +25,6 @@ import java.util.Set;
import javax.xml.datatype.XMLGregorianCalendar;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.Bag;
import org.ow2.authzforce.core.pdp.api.Bags;
......@@ -46,6 +41,7 @@ import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.api.XMLUtils;
import org.ow2.authzforce.core.pdp.impl.func.FunctionRegistry;
import org.ow2.authzforce.core.pdp.impl.policy.RootPolicyEvaluator;
import org.ow2.authzforce.core.pdp.impl.policy.StaticApplicablePolicyView;
import org.ow2.authzforce.core.pdp.impl.value.DatatypeConstants;
import org.ow2.authzforce.core.pdp.impl.value.DateTimeValue;
import org.ow2.authzforce.core.pdp.impl.value.DateValue;
......@@ -58,6 +54,11 @@ import org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
/**
* This is the core XACML PDP engine implementation. To build an XACML policy engine, you start by instantiating this object directly or in a easier and
* preferred way, using {@link PdpConfigurationParser}.
......@@ -97,8 +98,7 @@ public class PDPImpl implements CloseablePDP
// the logger we'll use for all messages
private static final Logger _LOGGER = LoggerFactory.getLogger(CachingIndividualRequestEvaluator.class);
private static final Result INVALID_DECISION_CACHE_RESULT = new Result(DecisionType.INDETERMINATE, new StatusHelper(
StatusHelper.STATUS_PROCESSING_ERROR, "Internal error"), null, null, null, null);
private static final Result INVALID_DECISION_CACHE_RESULT = new Result(DecisionType.INDETERMINATE, new StatusHelper(StatusHelper.STATUS_PROCESSING_ERROR, "Internal error"), null, null, null, null);
private final DecisionCache decisionCache;
......@@ -120,14 +120,15 @@ public class PDPImpl implements CloseablePDP
return Collections.singletonList(INVALID_DECISION_CACHE_RESULT);
}
// At least check that we have as many results from cache as input requests
// (For each request with no result in cache, there must still be an entry with value
// At least check that we have as many results from cache as input
// requests
// (For each request with no result in cache, there must still be an
// entry with value
// null.)
if (cachedResultsByRequest.size() != individualDecisionRequests.size())
{
// error, return indeterminate result as only result
_LOGGER.error("Invalid decision cache result: number of returned decision results ({}) != number of input (individual) decision requests ({})",
cachedResultsByRequest.size(), individualDecisionRequests.size());
_LOGGER.error("Invalid decision cache result: number of returned decision results ({}) != number of input (individual) decision requests ({})", cachedResultsByRequest.size(), individualDecisionRequests.size());
return Collections.singletonList(INVALID_DECISION_CACHE_RESULT);
}
......@@ -144,8 +145,7 @@ public class PDPImpl implements CloseablePDP
final IndividualDecisionRequest individuaDecisionRequest = cachedRequestResultPair.getKey();
if (individuaDecisionRequest == null)
{
throw new RuntimeException("One of the entry keys (individual decision request) returned by the decision cache implementation '"
+ decisionCache + "' is invalid (null).");
throw new RuntimeException("One of the entry keys (individual decision request) returned by the decision cache implementation '" + decisionCache + "' is invalid (null).");
}
finalResult = super.evaluate(individuaDecisionRequest, pdpIssuedAttributes);
......@@ -172,22 +172,17 @@ public class PDPImpl implements CloseablePDP
* Indeterminate response iff CombinedDecision element not supported because the request parser does not support any scheme from MultipleDecisionProfile
* section 2.
*/
private static final Response UNSUPPORTED_COMBINED_DECISION_RESPONSE = new Response(Collections.<Result> singletonList(new Result(
DecisionType.INDETERMINATE, new StatusHelper(StatusHelper.STATUS_SYNTAX_ERROR, "Unsupported feature: CombinedDecision='true'"), null, null, null,
null)));
private static final Response UNSUPPORTED_COMBINED_DECISION_RESPONSE = new Response(Collections.<Result> singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(StatusHelper.STATUS_SYNTAX_ERROR, "Unsupported feature: CombinedDecision='true'"), null, null, null, null)));
private static final AttributeGUID ENVIRONMENT_CURRENT_TIME_ATTRIBUTE_GUID = new AttributeGUID(
XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_TIME.value());
private static final AttributeGUID ENVIRONMENT_CURRENT_TIME_ATTRIBUTE_GUID = new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_TIME.value());
private static final AttributeGUID ENVIRONMENT_CURRENT_DATE_ATTRIBUTE_GUID = new AttributeGUID(
XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATE.value());
private static final AttributeGUID ENVIRONMENT_CURRENT_DATE_ATTRIBUTE_GUID = new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATE.value());
private static final AttributeGUID ENVIRONMENT_CURRENT_DATETIME_ATTRIBUTE_GUID = new AttributeGUID(
XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATETIME.value());
private static final AttributeGUID ENVIRONMENT_CURRENT_DATETIME_ATTRIBUTE_GUID = new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATETIME.value());
private static final DecisionResultFilter DEFAULT_RESULT_FILTER = new DecisionResultFilter()
{
private static final String ID = "urn:thalesgroup:xacml:result-filter:default";
private static final String ID = "urn:ow2:authzforce:xacml:result-filter:default";
@Override
public String getId()
......@@ -209,7 +204,7 @@ public class PDPImpl implements CloseablePDP
};
private final RootPolicyEvaluator rootPolicyProvider;
private final RootPolicyEvaluator rootPolicyEvaluator;
private final DecisionCache decisionCache;
private final RequestFilter reqFilter;
private final IndividualDecisionRequestEvaluator individualReqEvaluator;
......@@ -226,7 +221,8 @@ public class PDPImpl implements CloseablePDP
* XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static expression
* evaluation (out of context), in which case AttributeSelectors/AttributeDesignators are not supported
* @param maxVariableReferenceDepth
* max depth of VariableReference chaining: VariableDefinition -> VariableDefinition ->... ('->' represents a VariableReference)
* max depth of VariableReference chaining: VariableDefinition -> VariableDefinition ->... ('->' represents a VariableReference); strictly
* negative value means no limit
* @param enableXPath
* allow XPath evaluation, i.e. AttributeSelectors and xpathExpressions (experimental, not for production, use with caution)
* @param requestFilterId
......@@ -243,7 +239,8 @@ public class PDPImpl implements CloseablePDP
* policy-by-reference Provider's XML/JAXB configuration, for resolving policies referred to by Policy(Set)IdReference in policies found by root
* policy Provider
* @param maxPolicySetRefDepth
* max allowed PolicySetIdReference chain: PolicySet1 (PolicySetIdRef1) -> PolicySet2 (PolicySetIdRef2) -> ...
* max allowed PolicySetIdReference chain: PolicySet1 (PolicySetIdRef1) -> PolicySet2 (PolicySetIdRef2) -> ...; a strictly negative value means
* no limit
* @param strictAttributeIssuerMatch
* true iff strict Attribute Issuer matching is enabled, i.e. AttributeDesignators without Issuer only match request Attributes without Issuer
* (and same AttributeId, Category...). This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present
......@@ -264,29 +261,21 @@ public class PDPImpl implements CloseablePDP
* {@code jaxbAttributeProviderConfs}, when and before an {@link IllegalArgumentException} is raised
*
*/
public PDPImpl(DatatypeFactoryRegistry attributeFactory, FunctionRegistry functionRegistry, List<AbstractAttributeProvider> jaxbAttributeProviderConfs,
int maxVariableReferenceDepth, boolean enableXPath, CombiningAlgRegistry combiningAlgRegistry, AbstractPolicyProvider jaxbRootPolicyProviderConf,
AbstractPolicyProvider jaxbRefPolicyProviderConf, int maxPolicySetRefDepth, String requestFilterId, boolean strictAttributeIssuerMatch,
DecisionResultFilter decisionResultFilter, AbstractDecisionCache jaxbDecisionCacheConf, EnvironmentProperties environmentProperties)
throws IllegalArgumentException, IOException
public PDPImpl(DatatypeFactoryRegistry attributeFactory, FunctionRegistry functionRegistry, List<AbstractAttributeProvider> jaxbAttributeProviderConfs, int maxVariableReferenceDepth, boolean enableXPath, CombiningAlgRegistry combiningAlgRegistry, AbstractPolicyProvider jaxbRootPolicyProviderConf, AbstractPolicyProvider jaxbRefPolicyProviderConf, int maxPolicySetRefDepth, String requestFilterId, boolean strictAttributeIssuerMatch, DecisionResultFilter decisionResultFilter, AbstractDecisionCache jaxbDecisionCacheConf, EnvironmentProperties environmentProperties) throws IllegalArgumentException, IOException
{
final RequestFilter.Factory requestFilterFactory = requestFilterId == null ? DefaultRequestFilter.LaxFilterFactory.INSTANCE : PdpExtensionLoader
.getExtension(RequestFilter.Factory.class, requestFilterId);
final RequestFilter.Factory requestFilterFactory = requestFilterId == null ? DefaultRequestFilter.LaxFilterFactory.INSTANCE : PdpExtensionLoader.getExtension(RequestFilter.Factory.class, requestFilterId);
final RequestFilter requestFilter = requestFilterFactory.getInstance(attributeFactory, strictAttributeIssuerMatch, enableXPath,
XMLUtils.SAXON_PROCESSOR);
final RequestFilter requestFilter = requestFilterFactory.getInstance(attributeFactory, strictAttributeIssuerMatch, enableXPath, XMLUtils.SAXON_PROCESSOR);
final RootPolicyEvaluator.Base candidateRootPolicyProvider = new RootPolicyEvaluator.Base(attributeFactory, functionRegistry,
jaxbAttributeProviderConfs, maxVariableReferenceDepth, enableXPath, combiningAlgRegistry, jaxbRootPolicyProviderConf,
jaxbRefPolicyProviderConf, maxPolicySetRefDepth, strictAttributeIssuerMatch, environmentProperties);
final RootPolicyEvaluator.Base candidateRootPolicyEvaluator = new RootPolicyEvaluator.Base(attributeFactory, functionRegistry, jaxbAttributeProviderConfs, maxVariableReferenceDepth, enableXPath, combiningAlgRegistry, jaxbRootPolicyProviderConf, jaxbRefPolicyProviderConf, maxPolicySetRefDepth, strictAttributeIssuerMatch, environmentProperties);
// Use static resolution if possible
final RootPolicyEvaluator staticRootPolicyProvider = candidateRootPolicyProvider.toStatic();
if (staticRootPolicyProvider == null)
final RootPolicyEvaluator staticRootPolicyEvaluator = candidateRootPolicyEvaluator.toStatic();
if (staticRootPolicyEvaluator == null)
{
this.rootPolicyProvider = candidateRootPolicyProvider;
this.rootPolicyEvaluator = candidateRootPolicyEvaluator;
} else
{
this.rootPolicyProvider = staticRootPolicyProvider;
this.rootPolicyEvaluator = staticRootPolicyEvaluator;
}
this.reqFilter = requestFilter;
......@@ -297,13 +286,11 @@ public class PDPImpl implements CloseablePDP
this.decisionCache = null;
} else
{
final DecisionCache.Factory<AbstractDecisionCache> responseCacheStoreFactory = PdpExtensionLoader.getJaxbBoundExtension(
DecisionCache.Factory.class, jaxbDecisionCacheConf.getClass());
final DecisionCache.Factory<AbstractDecisionCache> responseCacheStoreFactory = PdpExtensionLoader.getJaxbBoundExtension(DecisionCache.Factory.class, jaxbDecisionCacheConf.getClass());
this.decisionCache = responseCacheStoreFactory.getInstance(jaxbDecisionCacheConf);
}
this.individualReqEvaluator = this.decisionCache == null ? new NonCachingIndividualDecisionRequestEvaluator(rootPolicyProvider)
: new CachingIndividualRequestEvaluator(rootPolicyProvider, this.decisionCache);
this.individualReqEvaluator = this.decisionCache == null