@@ -6,6 +6,16 @@ All notable changes to this project are documented in this file following the [K
- Issues reported on [OW2's JIRA](https://jira.ow2.org/browse/AUTHZFORCE/) are referenced in the form of `[JIRA-N]`, where N is the issue number.
- Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number.
## 13.2.0
### Changed
- Maven dependency versions:
-`authzforce-ce-core-pdp-api`: 15.2.0 (change in `ExpressionFactory` interface: new method `getVariableExpression(variableId)`)
- Policy / `VariableDefinition` evaluation: a XACML Variable expressions is now evaluated and the Variable assigned in the EvaluationContext where the `VariableDefinition` is defined (as opposed to previous behavior which consisted in lazy evaluation, ie only when used in a corresponding `VariableReference`), making the Variable's value available not only to `VariableReference` but also PDP extensions such as Attribute Providers, even if no corresponding `VariableReference` occurs in the policy)
-`Time-in-range` function optimized (removed useless code)
-`GenericAttributeProviderBasedAttributeDesignatorExpression` class moved to dependency authzforce-ce-core-pdp-api
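Review bot: The `VariableDefinition` entry under 13.2.0 describes the switch from lazy to eager evaluation but not its effect on failures. Going by the `PolicyEvaluators` hunks in this same change, a failing `assignVariables(context)` is logged as "Indeterminate (failed to evaluate one of the local Variables defined in this policy)", so a policy whose Variable expression fails may now come out Indeterminate even when no `VariableReference` uses that Variable. Please state that explicitly in the changelog, since it can change decisions for existing policies. Minor: "a XACML Variable expressions is" should be singular, and the entry ends with a closing parenthesis that has no matching opener.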
@@ -171,6 +172,9 @@ public final class DepthLimitingExpressionFactory implements ExpressionFactory
*
* Evaluates the referenced expression using the given context, and either returns an error or a resulting value. If this doesn't reference an evaluatable expression (eg, a single Function)
* then this will throw an exception.
* <p>
* The policy evaluator should call this when starting the evaluation of the policy where the VariableDefinition occurs, then cache the value in the evaluation context with
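Review bot: The Javadoc sentence "If this doesn't reference an evaluatable expression (eg, a single Function) then this will throw an exception" does not name the exception type, and no `@throws` tag is visible in this hunk. Since the added paragraph now tells the policy evaluator to call this method at the start of policy evaluation, callers need to know exactly what to catch; please name the type and say whether it is raised at construction or at evaluation time.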
@@ -233,6 +237,9 @@ public final class DepthLimitingExpressionFactory implements ExpressionFactory
*
* Evaluates the referenced expression using the given context, and either returns an error or a resulting value. If this doesn't reference an evaluatable expression (eg, a single Function)
* then this will throw an exception.
* <p>
* The policy evaluator should call this when starting the evaluation of the policy where the VariableDefinition occurs, then cache the value in the evaluation context with
+" is not supported (at least) as standalone Expression: either a generic higher-order function supported only as Apply FunctionId, or function completely unknown.");
* AttributeDesignator evaluator initialized with and using an {@link AttributeProvider} to retrieve the attribute value not only from the request but also possibly from extra Attribute Provider
* modules (so-called XACML PIPs) (PDP extensions)
*
* @param <AV>
* AttributeDesignator evaluation result value's primitive datatype
this.missingAttributeForUnknownReasonException=newIndeterminateEvaluationException(missingAttributeMessage+" for unknown reason",XacmlStatusCode.MISSING_ATTRIBUTE.value());
"Missing Attributes/Attribute for evaluation of AttributeDesignator '"+this.attrGUID+"' because request context undefined",XacmlStatusCode.MISSING_ATTRIBUTE.value());
}
@Override
publicAttributeFqngetAttributeFQN()
{
returnthis.attrGUID;
}
@Override
publicbooleanisNonEmptyBagRequired()
{
returnthis.mustBePresent;
}
/**
* {@inheritDoc}
*
* Evaluates the pre-assigned meta-data against the given context, trying to find some matching values.
* if we got here, it means that the bag wasn't empty, or bag was empty AND mustBePresent was false (so validate() succeeded), so we just return the result
* Evaluates the time-in-range function, which takes three <code>TimeAttributeValue</code> values. This function return true if the first value falls between the second and third values (ie.,
* on or after the second time and on or before the third time). If no time zone is specified for the second and/or third time value, then the timezone from the first time value is used. This
...
...
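Review bot: The added message ending "is not supported (at least) as standalone Expression: either a generic higher-order function supported only as Apply FunctionId, or function completely unknown." folds two different causes into one string. A policy author reading the error cannot tell a misplaced higher-order function from a misspelled or unregistered function ID. If the factory can distinguish the two cases at this point, emit a separate message for each; if it cannot, say so in a code comment so the wording is not mistaken for an oversight.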
@@ -114,12 +102,9 @@ final class TimeRangeComparisonFunction extends SingleParameterTypedFirstOrderFu
}
/*
* Use start time as reference for the day in time comparisons, so set the timeChecked day to the one of the start time
*/
setSameDate(calCheckedWhetherInRange,startCal);
/*
* Now we date does not matter in calendar comparison, we only compare times of the day so ignoring the date, the checked time of the day might be before the lower time bound but still be
* in range if considered this is the time on the next day. In this case, startCal is on day N, and calCheckedWhetherInRange on day N+1.
* Reminder: year/month/day of underlying Calendars in TimeValues are all set to DatatypeConstants.FIELD_UNDEFINED. So the date does not matter in calendar comparison, we only compare
* times of the day so ignoring the date, the checked time of the day might be before the lower time bound but still be in range if considered this is the time on the next day. In this
* case, startCal is on day N, and calCheckedWhetherInRange on day N+1.
*/
/*
* Boolean below says whether the checked time is strictly after the start time if considered on the *same day*, i.e. in terms of time of day.
...
...
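Review bot: The rewritten comment beginning "Reminder: year/month/day of underlying Calendars in TimeValues are all set to DatatypeConstants.FIELD_UNDEFINED" states an invariant that the comparison below depends on, but nothing in this hunk enforces or checks it. If the `setSameDate(calCheckedWhetherInRange,startCal)` call is being dropped on the strength of that invariant, please cover it with a test that uses a range crossing midnight and time values carrying different timezone offsets, so a later change to how TimeValue builds its Calendar cannot silently alter `time-in-range` results.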
@@ -127,7 +112,7 @@ final class TimeRangeComparisonFunction extends SingleParameterTypedFirstOrderFu
* start time of the day > end time of the day, for instance 02:00:00 > 01:00:00 so we consider the end time (01:00:00) on the next day (later than the second argument - end time - by
* less than 24h, the spec says). So we interpret the time interval as the date interval [startTime on day N, endTime on day N+1]. If checked time of day < start time of day (compared
* on the same day), then checked time can only be on day after to be in range
...
...
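Review bot: In the comment "(later than the second argument - end time - by less than 24h, the spec says)", the dashes make it read as if the second argument were the end time. The function's Javadoc describes the second value as the lower bound and the third as the upper bound. Suggest rewording to something like "the end time (third argument) is taken on the next day, later than the start time (second argument) by less than 24h", and fixing "can only be on day after to be in range" in the same sentence.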
@@ -135,14 +120,9 @@ final class TimeRangeComparisonFunction extends SingleParameterTypedFirstOrderFu
if(isCheckedDayTimeStrictlyBeforeStartDayTime)
{
/*
* time checked is strictly before start time if considered on the same day, so not in range unless considered on day N+1 So let's compared with end time after considering them on
* the same day
* Time checked is strictly before start time. If considered on the same day, it is not in range. Else considered on day N+1, ie same day as end time. So let's compare with end
* time. Time checked is in range if and only if before or equals end time (on day N+1), i.e. not strictly after
* Policy(Set) evaluation which option to skip Target evaluation. The option is to be used by Only-one-applicable algorithm with value 'true', after calling
* Policy(Set) evaluation with option to skip Target evaluation. The option is to be used by Only-one-applicable algorithm with value 'true', after calling
* {@link TopLevelPolicyElementEvaluator#isApplicableByTarget(EvaluationContext)} in particular.
*
* @param context
...
...
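Review bot: The inclusive upper bound in the `isCheckedDayTimeStrictlyBeforeStartDayTime` branch is specified only by the comment "Time checked is in range if and only if before or equals end time (on day N+1), i.e. not strictly after". Please add a test for this boundary, with the checked time exactly equal to the end time and a start time later than the end time, so the "or equals" case is pinned down in code and not just in a comment. The replacement comment is also a run of four sentence fragments; splitting it into one line per case (same day, day N+1) would be easier to follow.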
@@ -563,9 +575,27 @@ public final class PolicyEvaluators
}
// evaluate with combining algorithm
/*
* But first compute the variables that maybe used in this scope
*/
/*
* Make the value of local variables available in this scope. Note that not only Apply expressions may use variables but also PDP extensions such as Attribute/Policy Providers
* possibly.
*/
try
{
assignVariables(context);
}
catch(finalIndeterminateEvaluationExceptione)
{
LOGGER.error("{} -> Indeterminate (failed to evaluate one of the local Variables defined in this policy))",this);
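Review bot: The `LOGGER.error("{} -> Indeterminate (failed to evaluate one of the local Variables defined in this policy))",this)` call in the catch block does not pass `e`, so as far as this hunk shows, the log line will not say which Variable failed or why. Pass the exception as the last argument, or include its message. The string also ends with a doubled closing parenthesis. Separately, the two consecutive comment blocks above the `try` say nearly the same thing ("But first compute the variables that maybe used in this scope" and "Make the value of local variables available in this scope..."); keep only the second if both are meant to stay. Since this path can run on every request, consider whether ERROR is the right level for a condition a single bad policy can trigger repeatedly.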
@@ -602,6 +632,20 @@ public final class PolicyEvaluators
}
// evaluate with combining algorithm
/*
* First make the value of local variables available in this scope. Note that not only Apply expressions may use variables but also PDP extensions such as Attribute/Policy
* Providers possibly.
*/
try
{
assignVariables(context);
}
catch(finalIndeterminateEvaluationExceptione)
{
LOGGER.error("{} -> Indeterminate (failed to evaluate one of the local Variables defined in this policy))",this);
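Review bot: This `try { assignVariables(context); } catch(final IndeterminateEvaluationException e)` block, log message included, repeats the one added in the previous `PolicyEvaluators` hunk. Please extract it into a single private helper used by both evaluation paths, so that any later fix to the error handling or the log message (which here too omits `e` and ends in "))") cannot be applied to one path and missed in the other.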