Commit c42844d2 authored by cdanger's avatar cdanger
Browse files

Merge branch 'release/14.0.0'

parents 0037b128 0558c865
......@@ -3,9 +3,27 @@ All notable changes to this project are documented in this file following the [K
## Issue references
- Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number.
- Issues reported on [OW2's JIRA](https://jira.ow2.org/browse/AUTHZFORCE/) are referenced in the form of `[JIRA-N]`, where N is the issue number.
- Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number.
## 14.0.0
### Changed
- [GH-28]: simplified the PolicyProvider model, i.e. changed the following:
- **PDP configuration format** (XML Schema 'pdp.xsd') v7.0.0 (more info in [migration guide](MIGRATION.md) )
- Replaced 'refPolicyProvider' and 'rootPolicyProvider' XML elements with 'policyProvider' and 'rootPolicyRef'.
- StaticRootPolicyProvider and StaticRefPolicyProvider XML types replaced by one StaticPolicyProvider type.
- **PolicyProvider extension API** (interfaces):
- Upgraded core-pdp-api dependency version: 16.0.0 (more info in [core-pdp-api's changelog](https://github.com/authzforce/core-pdp-api/blob/develop/CHANGELOG.md#1600) ):
- Replaced CloseableRefPolicyProvider and BaseStaticRefPolicyProvider classes with CloseablePolicyProvider and BaseStaticPolicyProvider
- pdp-testutils module's dependency 'jackson-databind' upgraded to v2.9.10 (CVE fix)
### Fixed
- CVE-2019-14439
### Added
- Support for **Multiple Decision Profile when used with XACML/JSON Profile** (JSON input)
## 13.3.1
### Fixed
- CVE affecting Spring v4.3.18: upgraded dependencies to depend on
......@@ -55,7 +73,7 @@ properties and environment variables (enclosed between '${...}') with default va
- authzforce-ce-xacml-json-model: 2.0.0
### Fixed
- Fixed #13: changed pdp-testutils module's dependencies:
- [GH-13]: changed pdp-testutils module's dependencies:
- mongo-java-driver: 2.14.12 -> 3.5.0
- jongo: 1.3.0 -> 1.4.0
......
## Migration from v13.x to v14.x
- Make sure all your custom PolicyProviders implement the new PolicyProvider interfaces, i.e. BaseStaticPolicyProvider or, as fallback option, CloseableStaticPolicyProvider
- Modify the PDP configuration (XML):
- Merge 'rootPolicyProvider' and 'refPolicyprovider' into one 'policyProvider' using the new 'StaticPolicyProvider' type if you were using 'StaticRefPolicyprovider' or 'StaticRootPolicyProvider', else your new custom PolicyProvider types if you were using custom ones.
- Add 'rootPolicyRef' element with policyId of the root policy.
\ No newline at end of file
......@@ -41,16 +41,16 @@ AuthzForce Core may be used in the following ways:
* Optional **strict multivalued attribute parsing**: if enabled, multivalued attributes must be formed by grouping all `AttributeValue` elements in the same Attribute element (instead of duplicate Attribute elements); this does not fully comply with [XACML 3.0 Core specification of Multivalued attributes (§7.3.3)](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047176), but it usually performs better than the default mode since it simplifies the parsing of attribute values in the request.
* Optional **strict attribute Issuer matching**: if enabled, `AttributeDesignators` without Issuer only match request Attributes without Issuer (and same AttributeId, Category...); this option is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present on a AttributeDesignator; but it is the recommended option when all AttributeDesignators have an Issuer (the XACML 3.0 specification (5.29) says: *If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone.*);
* Extensibility points:
* **Attribute Datatypes**: you may extend the PDP engine with custom XACML attribute datatypes;
* **Functions**: you may extend the PDP engine with custom XACML functions;
* **Combining Algorithms**: you may extend the PDP engine with custom XACML policy/rule combining algorithms;
* **Attribute Providers a.k.a. PIPs** (Policy Information Points): you may plug custom attribute providers into the PDP engine to allow it to retrieve attributes from other attribute sources (e.g. remote service) than the input XACML Request during evaluation;
* **Request Preprocessor**: you may customize the processing of XACML Requests before evaluation by the PDP core engine, e.g. used for supporting new XACML Request formats, and/or implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories](http://docs.oasis-open.org/xacml/3.0/multiple/v1.0/cs02/xacml-3.0-multiple-v1.0-cs02.html#_Toc388943334);
* **Result Postprocessor**: you may customize the processing of XACML Results after evaluation by the PDP engine, e.g. used for supporting new XACML Response formats, and/or implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890);
* **[Attribute Datatypes](https://github.com/authzforce/core/wiki/XACML-Data-Types)**: you may extend the PDP engine with custom XACML attribute datatypes;
* **[Functions](https://github.com/authzforce/core/wiki/XACML-Functions)**: you may extend the PDP engine with custom XACML functions;
* **[Combining Algorithms](https://github.com/authzforce/core/wiki/XACML-Combining-Algorithms)**: you may extend the PDP engine with custom XACML policy/rule combining algorithms;
* **[Attribute Providers a.k.a. PIPs](https://github.com/authzforce/core/wiki/Attribute-Providers)** (Policy Information Points): you may plug custom attribute providers into the PDP engine to allow it to retrieve attributes from other attribute sources (e.g. remote service) than the input XACML Request during evaluation;
* **[Request Preprocessor](https://github.com/authzforce/core/wiki/XACML-Request-Preprocessors)**: you may customize the processing of XACML Requests before evaluation by the PDP core engine, e.g. used for supporting new XACML Request formats, and/or implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories](http://docs.oasis-open.org/xacml/3.0/multiple/v1.0/cs02/xacml-3.0-multiple-v1.0-cs02.html#_Toc388943334);
* **[Result Postprocessor](https://github.com/authzforce/core/wiki/XACML-Result-Postprocessors)**: you may customize the processing of XACML Results after evaluation by the PDP engine, e.g. used for supporting new XACML Response formats, and/or implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890);
* **Root Policy Provider**: you may plug custom policy providers into the PDP engine to allow it to retrieve the root policy from specific sources (e.g. remote service);
* **Policy-by-reference Provider**: you may plug custom policy providers into the PDP engine to allow it to resolve `PolicyIdReference` or `PolicySetIdReference`;
* **[Policy-by-reference Provider](https://github.com/authzforce/core/wiki/Policy-Providers)**: you may plug custom policy providers into the PDP engine to allow it to resolve `PolicyIdReference` or `PolicySetIdReference`;
* **Decision Cache**: you may extend the PDP engine with a custom XACML decision cache, allowing the PDP to skip evaluation and retrieve XACML decisions from cache for recurring XACML Requests;
* Java extension mechanism to switch HashMap/HashSet implementations (e.g. to get different performance results).
* Java [extension mechanism to switch HashMap/HashSet implementations](https://github.com/authzforce/core/wiki/Hashed-Collections) (e.g. to get different performance results).
* PIP (Policy Information Point): AuthzForce provides XACML PIP features in the form of extensions called *Attribute Providers*. More information in the previous list of *Extensibility points*.
......@@ -131,7 +131,7 @@ Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#
```xml
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" />
</pdp>
```
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>13.3.1</version>
<version>14.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-cli</artifactId>
......@@ -30,12 +30,12 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
<version>13.3.1</version>
<version>14.0.0</version>
</dependency>
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
<version>13.3.1</version>
<version>14.0.0</version>
</dependency>
<dependency>
<groupId>org.testng</groupId>
......@@ -46,7 +46,7 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
<version>13.3.1</version>
<version>14.0.0</version>
<scope>test</scope>
</dependency>
</dependencies>
......
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/IIA001/Policy.xml" />
<pdp
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0"
version="7.0.0">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/IIA001/Policy.xml</policyLocation>
</policyProvider>
<rootPolicyRef>urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy</rootPolicyRef>
<ioProcChain>
<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:default-lax</requestPreproc>
<resultPostproc>urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</resultPostproc>
......
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>13.3.1</version>
<version>14.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
......
......@@ -43,8 +43,10 @@ import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.ImmutableDecisionRequest;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns;
import org.ow2.authzforce.core.pdp.api.policy.PrimaryPolicyMetadata;
import org.ow2.authzforce.core.pdp.api.policy.RootPolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.Bag;
import org.ow2.authzforce.core.pdp.api.value.Bags;
......@@ -79,26 +81,13 @@ public final class BasePdpEngine implements CloseablePdpEngine
Map<AttributeFqn, AttributeBag<?>> get();
}
private static final StandardEnvironmentAttributeIssuer NULL_STD_ENV_ATTRIBUTE_ISSUER = new StandardEnvironmentAttributeIssuer()
{
private static final StandardEnvironmentAttributeIssuer NULL_STD_ENV_ATTRIBUTE_ISSUER = () -> null;
@Override
public Map<AttributeFqn, AttributeBag<?>> get()
{
return null;
}
};
private static final StandardEnvironmentAttributeIssuer DEFAULT_TZ_BASED_STD_ENV_ATTRIBUTE_ISSUER = new StandardEnvironmentAttributeIssuer()
{
@Override
public Map<AttributeFqn, AttributeBag<?>> get()
{
private static final StandardEnvironmentAttributeIssuer DEFAULT_TZ_BASED_STD_ENV_ATTRIBUTE_ISSUER = () -> {
/*
* Set the standard current date/time attribute according to XACML core spec:
* "This identifier indicates the current time at the context handler. In practice it is the time at which the request context was created." (§B.7). XACML standard (§10.2.5) says: "If
* values for these attributes are not present in the decision request, then their values MUST be supplied by the context handler".
* "This identifier indicates the current time at the context handler. In practice it is the time at which the request context was created." (§B.7). XACML standard (§10.2.5) says: "If values
* for these attributes are not present in the decision request, then their values MUST be supplied by the context handler".
*/
// current datetime in default timezone
final DateTimeValue currentDateTimeValue = new DateTimeValue(new GregorianCalendar());
......@@ -111,7 +100,6 @@ public final class BasePdpEngine implements CloseablePdpEngine
// current time
StandardEnvironmentAttribute.CURRENT_TIME.getFQN(),
Bags.singletonAttributeBag(StandardDatatypes.TIME, TimeValue.getInstance((XMLGregorianCalendar) currentDateTimeValue.getUnderlyingValue().clone()), AttributeSources.PDP));
}
};
private static class NonIssuedLikeIssuedAttributeHandlingRequestBuilder implements DecisionRequestBuilder<ImmutableDecisionRequest>
......@@ -211,15 +199,10 @@ public final class BasePdpEngine implements CloseablePdpEngine
StandardEnvironmentAttribute.CURRENT_TIME.getFQN(),
Bags.emptyAttributeBag(StandardDatatypes.TIME, newReqMissingStdEnvAttrException(StandardEnvironmentAttribute.CURRENT_TIME.getFQN())));
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_OVERRIDES_ATTRIBUTES_MERGER = new RequestAndPdpIssuedNamedAttributesMerger()
{
@Override
public Map<AttributeFqn, AttributeBag<?>> merge(final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes, final Map<AttributeFqn, AttributeBag<?>> requestAttributes)
{
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_OVERRIDES_ATTRIBUTES_MERGER = (pdpIssuedAttributes, requestAttributes) -> {
/*
* Request attribute values override PDP issued ones. Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must
* not modify it but clone it before individual decision request processing.
* Request attribute values override PDP issued ones. Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must not
* modify it but clone it before individual decision request processing.
*/
if (pdpIssuedAttributes == null)
{
......@@ -235,20 +218,20 @@ public final class BasePdpEngine implements CloseablePdpEngine
/**
*
* XACML standard (§10.2.5) says: "If values for these [the standard environment attributes, i.e. current-time, current-date, current-dateTime] attributes are not present in the
* decision request, then their values MUST be supplied by the context handler ". In our case, "context handler" means the PDP. In other words, the attribute values come from request
* by default, or from the PDP if (and *only if* in this case) they are not set in the request. More precisely, if any of these standard environment attributes is provided in the
* request, none of the PDP values is used, even if some policy requires one that is missing from the request. Indeed, this is to avoid such case when the decision request specifies at
* least one date/time attribute, e.g. current-time, but not all of them, e.g. not current-dateTime, and the policy requires both the one(s) provided and the one(s) not provided. In
* this case, if the PDP provides its own value(s) for the missing attributes (e.g. current-dateTime), this may cause some inconsistencies since we end up having date/time attributes
* coming from two different sources/environments (current-time and current-dateTime for instance).
* XACML standard (§10.2.5) says: "If values for these [the standard environment attributes, i.e. current-time, current-date, current-dateTime] attributes are not present in the decision
* request, then their values MUST be supplied by the context handler ". In our case, "context handler" means the PDP. In other words, the attribute values come from request by default, or
* from the PDP if (and *only if* in this case) they are not set in the request. More precisely, if any of these standard environment attributes is provided in the request, none of the PDP
* values is used, even if some policy requires one that is missing from the request. Indeed, this is to avoid such case when the decision request specifies at least one date/time
* attribute, e.g. current-time, but not all of them, e.g. not current-dateTime, and the policy requires both the one(s) provided and the one(s) not provided. In this case, if the PDP
* provides its own value(s) for the missing attributes (e.g. current-dateTime), this may cause some inconsistencies since we end up having date/time attributes coming from two different
* sources/environments (current-time and current-dateTime for instance).
*/
if (requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN()) || requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_DATE.getFQN())
|| requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_TIME.getFQN()))
{
/*
* Request has at least one standard env attribute -> make sure all PDP values are ignored (overridden by STD_ENV_RESET_MAP no matter whether requestAttributes contains all of them
* or not)
* Request has at least one standard env attribute -> make sure all PDP values are ignored (overridden by STD_ENV_RESET_MAP no matter whether requestAttributes contains all of them or
* not)
*/
// mappings in order of increasing priority
return HashCollections.newUpdatableMap(pdpIssuedAttributes, STD_ENV_RESET_MAP, requestAttributes);
......@@ -256,21 +239,14 @@ public final class BasePdpEngine implements CloseablePdpEngine
// mappings in order of increasing priority
return HashCollections.newUpdatableMap(pdpIssuedAttributes, requestAttributes);
}
};
private static final RequestAndPdpIssuedNamedAttributesMerger PDP_OVERRIDES_ATTRIBUTES_MERGER = new RequestAndPdpIssuedNamedAttributesMerger()
{
@Override
public Map<AttributeFqn, AttributeBag<?>> merge(final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes, final Map<AttributeFqn, AttributeBag<?>> requestAttributes)
{
private static final RequestAndPdpIssuedNamedAttributesMerger PDP_OVERRIDES_ATTRIBUTES_MERGER = (pdpIssuedAttributes, requestAttributes) -> {
// PDP issued attribute values override request attribute values
/*
* Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must not modify it but clone it before individual
* decision request processing.
* Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must not modify it but clone it before individual decision
* request processing.
*/
if (pdpIssuedAttributes == null)
{
......@@ -287,21 +263,10 @@ public final class BasePdpEngine implements CloseablePdpEngine
// mappings of pdpIssuedAttributes have priority
return HashCollections.newUpdatableMap(requestAttributes, pdpIssuedAttributes);
}
};
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_ONLY_ATTRIBUTES_MERGER = new RequestAndPdpIssuedNamedAttributesMerger()
{
@Override
public Map<AttributeFqn, AttributeBag<?>> merge(final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes, final Map<AttributeFqn, AttributeBag<?>> requestAttributes)
{
// PDP values completely ignored
return requestAttributes == null ? null : HashCollections.newUpdatableMap(requestAttributes);
}
};
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_ONLY_ATTRIBUTES_MERGER = (pdpIssuedAttributes, requestAttributes) -> requestAttributes == null ? null
: HashCollections.newUpdatableMap(requestAttributes);
private final RootPolicyEvaluator rootPolicyEvaluator;
private final RequestAndPdpIssuedNamedAttributesMerger reqAndPdpIssuedAttributesMerger;
......@@ -427,7 +392,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
}
@Override
protected DecisionResult evaluate(DecisionRequest request, StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
protected DecisionResult evaluate(final DecisionRequest request, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
{
assert request != null;
LOGGER.debug("Evaluating Individual Decision Request: {}", request);
......@@ -476,7 +441,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
}
@Override
protected DecisionResult evaluate(DecisionRequest individualDecisionRequest, StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
protected DecisionResult evaluate(final DecisionRequest individualDecisionRequest, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
{
assert individualDecisionRequest != null;
LOGGER.debug("Evaluating Individual Decision Request: {}", individualDecisionRequest);
......@@ -587,7 +552,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
}
@Override
protected DecisionResult evaluate(DecisionRequest individualDecisionRequest, StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
protected DecisionResult evaluate(final DecisionRequest individualDecisionRequest, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
{
assert individualDecisionRequest != null && pdpStdEnvAttributeIssuer != null;
return evaluate(individualDecisionRequest, pdpStdEnvAttributeIssuer.get());
......@@ -626,8 +591,14 @@ public final class BasePdpEngine implements CloseablePdpEngine
*
* @param xacmlExpressionFactory
* XACML Expression parser/factory - mandatory
* @param rootPolicyProvider
* Root Policy Provider - mandatory
* @param policyProvider
* Policy Provider - mandatory
* @param rootPolicyId
* root Policy(Set) ID
* @param rootPolicyElementType
* type of root policy element (XACML Policy or XACML PolicySet)
* @param rootPolicyVersionPatterns
* version pattern to be matched by root policy version
* @param decisionCache
* (optional) decision response cache
* @param strictAttributeIssuerMatch
......@@ -642,12 +613,23 @@ public final class BasePdpEngine implements CloseablePdpEngine
* @throws java.io.IOException
* error closing the root policy Provider when static resolution is to be used
*/
public BasePdpEngine(final ExpressionFactory xacmlExpressionFactory, final RootPolicyProvider rootPolicyProvider, final boolean strictAttributeIssuerMatch,
public BasePdpEngine(final ExpressionFactory xacmlExpressionFactory, final CloseablePolicyProvider<?> policyProvider, final Optional<TopLevelPolicyElementType> rootPolicyElementType,
final String rootPolicyId, final Optional<PolicyVersionPatterns> rootPolicyVersionPatterns, final boolean strictAttributeIssuerMatch,
final StandardEnvironmentAttributeSource stdEnvAttributeSource, final Optional<DecisionCache> decisionCache) throws IllegalArgumentException, IOException
{
final RootPolicyEvaluators.Base candidateRootPolicyEvaluator = new RootPolicyEvaluators.Base(xacmlExpressionFactory, rootPolicyProvider);
final RootPolicyEvaluators.Base candidateRootPolicyEvaluator = new RootPolicyEvaluators.Base(policyProvider, rootPolicyElementType, rootPolicyId, rootPolicyVersionPatterns,
xacmlExpressionFactory);
// Use static resolution if possible
final RootPolicyEvaluator staticRootPolicyEvaluator = candidateRootPolicyEvaluator.toStatic();
final RootPolicyEvaluator staticRootPolicyEvaluator;
try
{
staticRootPolicyEvaluator = candidateRootPolicyEvaluator.toStatic();
}
catch (final IndeterminateEvaluationException e)
{
throw new IllegalArgumentException(
rootPolicyElementType + " '" + rootPolicyId + "' matching version (pattern): " + (rootPolicyVersionPatterns.isPresent() ? rootPolicyVersionPatterns.get() : "latest"), e);
}
if (staticRootPolicyEvaluator == null)
{
this.rootPolicyEvaluator = candidateRootPolicyEvaluator;
......@@ -688,8 +670,8 @@ public final class BasePdpEngine implements CloseablePdpEngine
*/
public BasePdpEngine(final PdpEngineConfiguration configuration) throws IllegalArgumentException, IOException
{
this(configuration.getXacmlExpressionFactory(), configuration.getRootPolicyProvider(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.getStdEnvAttributeSource(),
configuration.getDecisionCache());
this(configuration.getXacmlExpressionFactory(), configuration.getPolicyProvider(), configuration.getRootPolicyElementType(), configuration.getRootPolicyId(),
configuration.getRootPolicyVersionPatterns(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.getStdEnvAttributeSource(), configuration.getDecisionCache());
}
@Override
......
......@@ -42,7 +42,7 @@ import com.google.common.collect.ListMultimap;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType;
/**
* AttributeProvider that tries to resolve attributes in current request context first, else delegates to {@link DesignatedAttributeProvider}s.
* AttributeProvider that tries to resolve attributes in current request context first, else delegates to {@link NamedAttributeProvider}s.
*
* @version $Id: $
*/
......@@ -97,7 +97,8 @@ public class ModularAttributeProvider implements AttributeProvider
if (selectedAttributeSupport == null)
{
designatorModsByAttrId = attributeProviderModulesByAttributeId;
} else
}
else
{
final ListMultimap<AttributeFqn, NamedAttributeProvider> mutableModsByAttrIdMap = ArrayListMultimap.create(selectedAttributeSupport.size(), 1);
for (final AttributeDesignatorType requiredAttr : selectedAttributeSupport)
......@@ -206,7 +207,8 @@ public class ModularAttributeProvider implements AttributeProvider
LOGGER.debug("Values of attribute {}, type={} returned by attribute Provider module #{} (cached in context): {}", attributeFqn, datatype, attrProviders, result);
issuedToNonIssuedAttributeCopyMode.process(attributeFqn, result, context);
return result;
} catch (final IndeterminateEvaluationException e)
}
catch (final IndeterminateEvaluationException e)
{
/*
* This error does not necessarily matter, it depends on whether the attribute is required, i.e. MustBePresent=true for AttributeDesignator/Selector So we let
......@@ -248,7 +250,8 @@ public class ModularAttributeProvider implements AttributeProvider
*/
context.putNamedAttributeValueIfAbsent(attributeFqn, result);
return result;
} catch (final UnsupportedOperationException e)
}
catch (final UnsupportedOperationException e)
{
/*
* Should not happen, this is highly unexpected and should be considered a fatal error (it means the AttributeProvider does not respect its contract)
......
......@@ -54,8 +54,9 @@ import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.func.FirstOrderFunction;
import org.ow2.authzforce.core.pdp.api.func.Function;
import org.ow2.authzforce.core.pdp.api.io.XacmlJaxbParsingUtils;
import org.ow2.authzforce.core.pdp.api.policy.CloseableRefPolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.RootPolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
......@@ -73,6 +74,7 @@ import org.ow2.authzforce.core.pdp.impl.func.StandardFunction;
import org.ow2.authzforce.core.xmlns.pdp.InOutProcChain;
import org.ow2.authzforce.core.xmlns.pdp.Pdp;
import org.ow2.authzforce.core.xmlns.pdp.StandardEnvironmentAttributeSource;
import org.ow2.authzforce.core.xmlns.pdp.TopLevelPolicyElementRef;
import org.ow2.authzforce.xacml.identifiers.XacmlDatatypeId;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractDecisionCache;
......@@ -95,7 +97,7 @@ public final class PdpEngineConfiguration
private static final IllegalArgumentException ILLEGAL_USE_STD_FUNCTIONS_ARGUMENT_EXCEPTION = new IllegalArgumentException(
"useStandardFunctions = true not allowed if useStandardDatatypes = false");
private static final IllegalArgumentException NULL_ROOTPOLICYPROVIDER_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined rootPolicyProvider");
private static final IllegalArgumentException NULL_POLICYPROVIDER_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined policyProvider");
// the logger we'll use for all messages
private static final Logger LOGGER = LoggerFactory.getLogger(BasePdpEngine.class);
......@@ -132,21 +134,13 @@ public final class PdpEngineConfiguration
return attrProviderModBuilder.getInstance(jaxbConf, envProps);
}
private static <JAXB_CONF extends AbstractPolicyProvider> CloseableRefPolicyProvider newRefPolicyProvider(final JAXB_CONF jaxbConf, final XmlnsFilteringParserFactory xacmlParserFactory,
private static <JAXB_CONF extends AbstractPolicyProvider> CloseablePolicyProvider<?> newPolicyProvider(final JAXB_CONF jaxbConf, final XmlnsFilteringParserFactory xacmlParserFactory,
final int maxPolicySetRefDepth, final ExpressionFactory xacmlExprFactory, final CombiningAlgRegistry combiningAlgRegistry, final EnvironmentProperties envProps)
{
final CloseableRefPolicyProvider.Factory<JAXB_CONF> refPolicyProviderModFactory = PdpExtensions.getRefPolicyProviderFactory((Class<JAXB_CONF>) jaxbConf.getClass());
final CloseablePolicyProvider.Factory<JAXB_CONF> refPolicyProviderModFactory = PdpExtensions.getRefPolicyProviderFactory((Class<JAXB_CONF>) jaxbConf.getClass());
return refPolicyProviderModFactory.getInstance(jaxbConf, xacmlParserFactory, maxPolicySetRefDepth, xacmlExprFactory, combiningAlgRegistry, envProps);
}
private static <JAXB_CONF extends AbstractPolicyProvider> RootPolicyProvider newRootPolicyProvider(final JAXB_CONF jaxbConf, final XmlnsFilteringParserFactory xacmlParserFactory,
final ExpressionFactory xacmlExprFactory, final CombiningAlgRegistry combiningAlgRegistry, final Optional<CloseableRefPolicyProvider> refPolicyProvider,
final EnvironmentProperties envProps)
{
final RootPolicyProvider.Factory<JAXB_CONF> rootPolicyProviderFactory = PdpExtensions.getRootPolicyProviderFactory((Class<JAXB_CONF>) jaxbConf.getClass());
return rootPolicyProviderFactory.getInstance(jaxbConf, xacmlParserFactory, xacmlExprFactory, combiningAlgRegistry, refPolicyProvider, envProps);
}
private static <JAXB_CONF extends AbstractDecisionCache> DecisionCache newDecisionCache(final JAXB_CONF jaxbConf, final AttributeValueFactoryRegistry attValFactories,
final EnvironmentProperties envProps)
{
......@@ -159,7 +153,13 @@ public final class PdpEngineConfiguration
private final ExpressionFactory xacmlExpressionFactory;
private final RootPolicyProvider rootPolicyProvider;
private final CloseablePolicyProvider<?> policyProvider;
private final String rootPolicyId;
private final Optional<TopLevelPolicyElementType> rootPolicyElementType;
private final Optional<PolicyVersionPatterns> rootPolicyVersionPatterns;
private final boolean strictAttributeIssuerMatch;
......@@ -189,12 +189,12 @@ public final class PdpEngineConfiguration
* Check required args
*/
/*
* Root policy provider
* Policy provider
*/
final AbstractPolicyProvider rootPolicyProviderJaxbConf = pdpJaxbConf.getRootPolicyProvider();
final AbstractPolicyProvider rootPolicyProviderJaxbConf = pdpJaxbConf.getPolicyProvider();
if (rootPolicyProviderJaxbConf == null)
{
throw NULL_ROOTPOLICYPROVIDER_ARGUMENT_EXCEPTION;
throw NULL_POLICYPROVIDER_ARGUMENT_EXCEPTION;
}
/*
......@@ -221,11 +221,13 @@ public final class PdpEngineConfiguration
if (datatypeExtensionIdentifiers.isEmpty())
{
attValFactoryRegistry = stdRegistry;
} else
}
else
{
attValFactoryRegistry = new ImmutableAttributeValueFactoryRegistry(HashCollections.newImmutableSet(stdRegistry.getExtensions(), datatypeExtensions));
}
} else
}
else
{
attValFactoryRegistry = new ImmutableAttributeValueFactoryRegistry(datatypeExtensions);
}
......@@ -255,7 +257,8 @@ public final class PdpEngineConfiguration
try
{
maxVarRefDepth = bigMaxVarRefDepth == null ? -1 : bigMaxVarRefDepth.intValueExact();
} catch (final ArithmeticException e)
}
catch (final ArithmeticException e)
{
throw new IllegalArgumentException("Invalid maxVariableRefDepth: " + bigMaxVarRefDepth, e);
}
......@@ -292,12 +295,14 @@ public final class PdpEngineConfiguration
if (nonGenericFunctionExtensionIdentifiers.isEmpty())
{
functionRegistry = stdRegistry;
} else
}
else
{
functionRegistry = new ImmutableFunctionRegistry(HashCollections.newImmutableSet(stdRegistry.getNonGenericFunctions(), nonGenericFunctionExtensions),
stdRegistry.getGenericFunctionFactories());
}
} else
}
else
{
functionRegistry = new ImmutableFunctionRegistry(nonGenericFunctionExtensions, null);
}
......@@ -331,11 +336,13 @@ public final class PdpEngineConfiguration
if (algExtensions.isEmpty())
{
combiningAlgRegistry = StandardCombiningAlgorithm.REGISTRY;
} else
}
else
{
combiningAlgRegistry = new ImmutableCombiningAlgRegistry(HashCollections.newImmutableSet(StandardCombiningAlgorithm.REGISTRY.getExtensions(), algExtensions));
}
} else
}
else
{
combiningAlgRegistry = new ImmutableCombiningAlgRegistry(algExtensions);
}
......@@ -348,7 +355,8 @@ public final class PdpEngineConfiguration
try
{
maxPolicySetRefDepth = bigMaxPolicyRefDepth == null ? -1 : bigMaxPolicyRefDepth.intValueExact();
} catch (final ArithmeticException e)
}
catch (final ArithmeticException e)
{
throw new IllegalArgumentException("Invalid maxPolicyRefDepth: " + bigMaxPolicyRefDepth, e);
}
......@@ -359,29 +367,29 @@ public final class PdpEngineConfiguration
xacmlExpressionFactory = new DepthLimitingExpressionFactory(attValFactoryRegistry, functionRegistry, attProviderFactories, maxVarRefDepth, enableXPath, strictAttributeIssuerMatch);
/*
* Policy Reference processing - Policy-by-reference Provider
* Policy Provider