Merge branch 'release/20.1.0'

bf601fb4 · cdanger · 887c0208 · 688ccef6 · bf601fb4 · bf601fb4
Commit bf601fb4 authored Mar 27, 2022 by cdanger
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -6,6 +6,8 @@
 * [Thales](https://www.thalesgroup.com)
 * [Secure Dimensions GmbH](https://github.com/securedimensions/authzforce-geoxacml-basic)
 * [FABRIC](https://whatisfabric.net/)
-* [DRIVER+](http://driver-project.eu/)
-* [Sealed GRID](https://www.sgrid.eu)
+* EU-funded research and innovation projects
+  * [DRIVER+](http://driver-project.eu/)
+  * [Sealed GRID](https://www.sgrid.eu)
+  * [COG-LO](http://www.cog-lo.eu/)

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,19 @@ All notable changes to this project are documented in this file following the [K
 - Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number.


+## 21.1.0
+### Fixed
+- Fix CVE-2020-36518 affecting jackson dependency
+
+### Changed
+- Upgrade authzforce-ce-core-pdp-api to 21.2.0
+  
+  - New `XMLUtils.SAXBasedXmlnsFilteringParser` class constructor parameter - XML namespace prefix-to-URI mappings - to help fix the issue authzforce/server#66 .
+
+### Added
+- New `PdpEngineConfiguration` class constructor parameter - XML namespace prefix-to-URI mappings - to help fix the issue authzforce/server#66 .
+
+
 ## 20.0.0
 ### Added
 - New feature: XPath variables in AttributeSelectors' and `xPathExpression` `AttributeValues`s' XPath expressions can now be defined by XACML VariableDefinitions (variable name used as XACML VariableId), which means XACML Variables can be used as XPath variables there.
@@ -359,7 +372,7 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio
  - Aded BaseStaticRefPolicyProviderModule class as convenient base class for implementing static Policy Provider (StaticRefPolicyProviderModule) implementations

 ### Added
- [PolicyProvider implementation](pdp-testutils/src/main/java/org/ow2/authzforce/core/pdp/testutil/ext/MongoDBRefPolicyProviderModule.java) for testing and documentation purposes, using MongoDB as policy database system and Jongo as client library, with [JUnit test class](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/MongoDBRefPolicyProviderModuleTest.java) showing how to use it.
+- [PolicyProvider implementation](pdp-testutils/src/main/java/org/ow2/authzforce/core/pdp/testutil/ext/MongoDbPolicyProvider.java) for testing and documentation purposes, using MongoDB as policy database system and Jongo as client library, with [JUnit test class](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/MongoDbPolicyProviderTest.java) showing how to use it.


 ## 8.0.0
@@ -580,7 +593,7 @@ XACML 3.0, and adapting to the PDP engine API; also provides automatic conversio

 ### Fixed 
 - Issues reported by PMD and findbugs
- Fixed issues in [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, see [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct\README.md).
+- Fixed issues in [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, see [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/README.md).
 - In logical `OR`, `AND` and `N-OF` functions, an Indeterminate argument results in Indeterminate result. 
  1. FIX for OR function: If at least one True argument, return True regardless of Indeterminate arguments; else (no True) if there is at least one Indeterminate, return Indeterminate, return Indeterminate; else (no True/Indeterminate -> all false) return false
  1. FIX for AND function: If at least one False argument, return False regardless of Indeterminate arguments; else (no False) if there is at least one Indeterminate, return Indeterminate, return Indeterminate; else (no False/Indeterminate -> all true) return true

--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ AuthzForce Core may be used in the following ways:
 ## Limitations

 ### XACML 2.0 support and migrating to XACML 3.0
-As mentioned in the Features section, we do not support XACML 2.0 but only XACML 3.0, and we strongly recommend you migrate to XACML 3.0 as XACML 2.0 has become obsolete. In order to help you in the migration from XACML 2.0 to 3.0, we provide a way to migrate all your XACML 2.0 policies to XACML 3.0 automatically by applying the XSLT stylesheets in the [migration](migration folder). First download the stylesheets `xacml2To3Policy.xsl` and `xacml3-policy-c14n.xsl` from that folder, then apply them to your XACML 2.0 policy files using any XSLT engine supporting XSLT 2.0. For example, using [SAXON-HE 9.x or later](https://www.saxonica.com/download/java.xml), you may do it as follows:
+As mentioned in the Features section, we do not support XACML 2.0 but only XACML 3.0, and we strongly recommend you migrate to XACML 3.0 as XACML 2.0 has become obsolete. In order to help you in the migration from XACML 2.0 to 3.0, we provide a way to migrate all your XACML 2.0 policies to XACML 3.0 automatically by applying the XSLT stylesheets in the [migration folder](migration). First download the stylesheets `xacml2To3Policy.xsl` and `xacml3-policy-c14n.xsl` from that folder, then apply them to your XACML 2.0 policy files using any XSLT engine supporting XSLT 2.0. For example, using [SAXON-HE 9.x or later](https://www.saxonica.com/download/java.xml), you may do it as follows:

 ```shell
 $ XACML_20_POLICY_FILE="policy.xml"
@@ -116,6 +116,12 @@ $ ./authzforce-ce-core-pdp-cli-14.0.0.jar -t XACML_JSON pdp.xml IIA001/Request.j

 For more info, run it without parameters, and you'll get detailed information on usage.

+For **troubleshooting**, you can increase the log level of the logger(s) in the Logback configuration file `logback.xml` to `INFO` or `DEBUG`, esp. the logger named `org.ow2.authzforce`. Then run the CLI as follows:
+
+```shell
+$ java -jar -Dlogback.configurationFile=./logback.xml authzforce-ce-core-pdp-cli-14.0.0.jar pdp.xml IIA001/Request.xml
+```
+
 #### Java API
 You can either build AuthzForce PDP library from the source code after cloning this git repository, or use the latest release from Maven Central with this information:
 * groupId: `org.ow2.authzforce`;
@@ -290,6 +296,8 @@ Same example but without AuthzForce optimizations:
 $ java -jar Saxon-HE-10.3.jar authzforce_optimized=false -xsl:spif-utils/spif2xacml-for-xpath-2.0.xsl -s:spif-utils/ACME-SPIF-example.xml -o:/tmp/ACME-XACML-policy.xml
 ```

+In both cases, **the generated XACML policy makes use of `AttributeSelectors`**, so make sure your XACML engine supports those. In the case of AuthzForce, you need to set `xPathEnabled="true"` in the PDP configuration (`pdp.xml`) to enable support for `AttributeSelectors`, like in the [XacmlVariableUsedAsXPathVariable test](pdp-testutils/src/test/resources/custom/XacmlVariableUsedAsXPathVariable).
+
 ## Support

 You should use [AuthzForce users' mailing list](https://mail.ow2.org/wws/info/authzforce-users) as first contact for any communication about AuthzForce: question, feature request, notification, potential issue (unconfirmed), etc.

--- a/pdp-cli/pom.xml
+++ b/pdp-cli/pom.xml
@@ -3,7 +3,7 @@
   <parent>
      <groupId>org.ow2.authzforce</groupId>
      <artifactId>authzforce-ce-core</artifactId>
-      <version>20.0.0</version>
+      <version>20.1.0</version>
      <relativePath>../pom.xml</relativePath>
   </parent>
   <artifactId>authzforce-ce-core-pdp-cli</artifactId>
@@ -30,12 +30,12 @@
      <dependency>
         <groupId>org.ow2.authzforce</groupId>
         <artifactId>authzforce-ce-core-pdp-engine</artifactId>
-         <version>20.0.0</version>
+         <version>20.1.0</version>
      </dependency>
      <dependency>
         <groupId>org.ow2.authzforce</groupId>
         <artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
-         <version>20.0.0</version>
+         <version>20.1.0</version>
      </dependency>
      <dependency>
         <groupId>org.testng</groupId>
@@ -49,7 +49,7 @@
      <dependency>
         <groupId>org.ow2.authzforce</groupId>
         <artifactId>authzforce-ce-core-pdp-testutils</artifactId>
-         <version>20.0.0</version>
+         <version>20.1.0</version>
         <scope>test</scope>
      </dependency>
   </dependencies>

--- a/pdp-engine/pom.xml
+++ b/pdp-engine/pom.xml
@@ -3,7 +3,7 @@
    <parent>
        <groupId>org.ow2.authzforce</groupId>
        <artifactId>authzforce-ce-core</artifactId>
-        <version>20.0.0</version>
+        <version>20.1.0</version>
        <relativePath>../pom.xml</relativePath>
    </parent>
    <artifactId>authzforce-ce-core-pdp-engine</artifactId>

--- a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java
+++ b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java
@@ -39,6 +39,7 @@ import org.ow2.authzforce.core.xmlns.pdp.InOutProcChain;
 import org.ow2.authzforce.core.xmlns.pdp.Pdp;
 import org.ow2.authzforce.core.xmlns.pdp.StdEnvAttributeProviderDescriptor;
 import org.ow2.authzforce.core.xmlns.pdp.TopLevelPolicyElementRef;
+import org.ow2.authzforce.xacml.Xacml3JaxbHelper;
 import org.ow2.authzforce.xacml.identifiers.XacmlDatatypeId;
 import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
 import org.ow2.authzforce.xmlns.pdp.ext.AbstractDecisionCache;
@@ -48,6 +49,7 @@ import org.slf4j.LoggerFactory;
 import org.springframework.util.ResourceUtils;

 import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
 import javax.xml.transform.Source;
 import javax.xml.transform.stream.StreamSource;
 import java.io.Closeable;
@@ -214,6 +216,21 @@ public final class PdpEngineConfiguration

 	}

+	private static final class XmlnsFilteringParserFactoryWithDefaultXmlnsContext implements XmlnsFilteringParserFactory {
+
+		private final ImmutableMap<String, String> defaultXmlnsPrefixToUriMap;
+		private XmlnsFilteringParserFactoryWithDefaultXmlnsContext(final Map<String, String> defaultXmlnsPrefixToUriMap) {
+			this.defaultXmlnsPrefixToUriMap = ImmutableMap.copyOf(defaultXmlnsPrefixToUriMap);
+		}
+
+		@Override
+		public XmlUtils.XmlnsFilteringParser getInstance() throws JAXBException
+		{
+			final Unmarshaller unmarshaller = Xacml3JaxbHelper.createXacml3Unmarshaller();
+			return new XmlUtils.SAXBasedXmlnsFilteringParser(unmarshaller, defaultXmlnsPrefixToUriMap);
+		}
+	}
+
 	private static final IllegalArgumentException ILLEGAL_ROOT_POLICY_REF_CONFIG_EXCEPTION = new IllegalArgumentException(
 	        "Configuration parameter 'rootPolicyRef' is undefined and 'policyProvider' does not provide any candidate root policy. Please define 'rootPolicyRef' parameter or modify the Policy Provider to return a candidate root policy.");

@@ -304,12 +321,13 @@ public final class PdpEngineConfiguration
 	 *            (JAXB-bound) PDP configuration
 	 * @param envProps
 	 *            PDP configuration environment properties (e.g. PARENT_DIR)
+	 * @param xpathNamespaceContexts XPath namespace prefix-to-URI mappings to be used for namespace-aware evaluation of XPath expressions, e.g. AttributeSelectors' Paths. Empty if none or if XPath support is disabled by configuration.
 	 * @throws java.lang.IllegalArgumentException
 	 *             invalid PDP configuration
 	 * @throws java.io.IOException
 	 *             if any error occurred closing already created {@link Closeable} modules (policy Providers, attribute Providers, decision cache)
 	 */
-	public PdpEngineConfiguration(final Pdp pdpJaxbConf, final EnvironmentProperties envProps) throws IllegalArgumentException, IOException
+	public PdpEngineConfiguration(final Pdp pdpJaxbConf, final EnvironmentProperties envProps, final Map<String, String> xpathNamespaceContexts) throws IllegalArgumentException, IOException
 	{
 		/*
 		 * Enable support for XPath expressions, XPath functions, etc.
@@ -434,7 +452,7 @@ public final class PdpEngineConfiguration
 		/*
 		 * XACML element (Policies, etc.) parser factory
 		 */
-		final XmlnsFilteringParserFactory xacmlParserFactory = XacmlJaxbParsingUtils.getXacmlParserFactory(enableXPath);
+		final XmlnsFilteringParserFactory xacmlParserFactory = enableXPath && (xpathNamespaceContexts != null && !xpathNamespaceContexts.isEmpty())? new XmlnsFilteringParserFactoryWithDefaultXmlnsContext(xpathNamespaceContexts): XacmlJaxbParsingUtils.getXacmlParserFactory(enableXPath);

 		/*
 		 * Strict Attribute Issuer match
@@ -632,6 +650,23 @@ public final class PdpEngineConfiguration

 	}

+	/**
+	 * Constructs configuration from PDP XML-schema-derived JAXB model (usually 'unmarshaled' from XML configuration file)
+	 *
+	 * @param pdpJaxbConf
+	 *            (JAXB-bound) PDP configuration
+	 * @param envProps
+	 *            PDP configuration environment properties (e.g. PARENT_DIR)
+	 * @throws java.lang.IllegalArgumentException
+	 *             invalid PDP configuration
+	 * @throws java.io.IOException
+	 *             if any error occurred closing already created {@link Closeable} modules (policy Providers, attribute Providers, decision cache)
+	 */
+	public PdpEngineConfiguration(final Pdp pdpJaxbConf, final EnvironmentProperties envProps) throws IllegalArgumentException, IOException
+	{
+		this(pdpJaxbConf, envProps, Map.of());
+	}
+
 	private static PdpEngineConfiguration getInstance(final Source confXmlSrc, final PdpModelHandler modelHandler, final EnvironmentProperties envProps) throws IOException, IllegalArgumentException
 	{
 		assert confXmlSrc != null && modelHandler != null;

--- a/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/policy/PolicyEvaluators.java
+++ b/pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/policy/PolicyEvaluators.java
@@ -1829,7 +1829,7 @@ public final class PolicyEvaluators
        private PolicySetElementEvaluatorFactory(final PrimaryPolicyMetadata policyMetadata, final ExpressionFactory expressionFactory, final CombiningAlgRegistry combiningAlgorithmRegistry, final Optional<DefaultsType> policyDefaults, final Optional<XPathCompilerProxy> parentDefaultXPathCompiler,
                                                 final Map<String, String> namespacePrefixToUriMap)
        {
-            assert policyMetadata != null && combiningAlgorithmRegistry != null;
+            assert policyMetadata != null && combiningAlgorithmRegistry != null && expressionFactory != null;
            this.policyMetadata = policyMetadata;
            this.expressionFactory = expressionFactory;
            this.combiningAlgorithmRegistry = combiningAlgorithmRegistry;

--- a/pdp-io-xacml-json/pom.xml
+++ b/pdp-io-xacml-json/pom.xml
@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>org.ow2.authzforce</groupId>
 		<artifactId>authzforce-ce-core</artifactId>
-		<version>20.0.0</version>
+		<version>20.1.0</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 	<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>

--- a/pdp-testutils/pom.xml
+++ b/pdp-testutils/pom.xml
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
 		<version>8.2.0</version>
 	</parent>
 	<artifactId>authzforce-ce-core</artifactId>
-	<version>20.0.0</version>
+	<version>20.1.0</version>
 	<packaging>pom</packaging>
 	<name>${project.groupId}:${project.artifactId}</name>
 	<description>AuthzForce - XACML-compliant Core PDP Engine and associated test modules</description>
@@ -33,7 +33,7 @@
 			<dependency>
 				<groupId>org.ow2.authzforce</groupId>
 				<artifactId>authzforce-ce-core-pdp-api</artifactId>
-				<version>21.1.1</version>
+				<version>21.2.0</version>
 			</dependency>
 			<!-- /AuthzForce dependencies -->
 			<!-- Test dependencies -->