Commit c837d1d7 authored by cdanger's avatar cdanger

Merge branch 'GH-38' into develop

Conflicts:
	pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/policy/CoreRefPolicyProvider.java
	pdp-io-xacml-json/src/test/java/org/ow2/authzforce/core/pdp/io/xacml/json/test/JsonProfileConformanceV3Test.java
	pom.xml
parents 802b390e aa856904
...@@ -131,7 +131,7 @@ Then instantiate a PDP engine configuration with method [PdpEngineConfiguration# ...@@ -131,7 +131,7 @@ Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#
```xml ```xml
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0"> <pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" /> <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" />
</pdp> </pdp>
``` ```
......
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0"> <pdp
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/IIA001/Policy.xml" /> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
<ioProcChain> xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0"
<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:default-lax</requestPreproc> version="7.0.0">
<resultPostproc>urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</resultPostproc> <policyProvider
</ioProcChain> id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/IIA001/Policy.xml</policyLocation>
</policyProvider>
<rootPolicyRef>urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy</rootPolicyRef>
<ioProcChain>
<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:default-lax</requestPreproc>
<resultPostproc>urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</resultPostproc>
</ioProcChain>
</pdp> </pdp>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <project
xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<parent> <parent>
<groupId>org.ow2.authzforce</groupId> <groupId>org.ow2.authzforce</groupId>
......
...@@ -43,8 +43,10 @@ import org.ow2.authzforce.core.pdp.api.HashCollections; ...@@ -43,8 +43,10 @@ import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.ImmutableDecisionRequest; import org.ow2.authzforce.core.pdp.api.ImmutableDecisionRequest;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException; import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory; import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns;
import org.ow2.authzforce.core.pdp.api.policy.PrimaryPolicyMetadata; import org.ow2.authzforce.core.pdp.api.policy.PrimaryPolicyMetadata;
import org.ow2.authzforce.core.pdp.api.policy.RootPolicyProvider; import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag; import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.Bag; import org.ow2.authzforce.core.pdp.api.value.Bag;
import org.ow2.authzforce.core.pdp.api.value.Bags; import org.ow2.authzforce.core.pdp.api.value.Bags;
...@@ -79,39 +81,25 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -79,39 +81,25 @@ public final class BasePdpEngine implements CloseablePdpEngine
Map<AttributeFqn, AttributeBag<?>> get(); Map<AttributeFqn, AttributeBag<?>> get();
} }
private static final StandardEnvironmentAttributeIssuer NULL_STD_ENV_ATTRIBUTE_ISSUER = new StandardEnvironmentAttributeIssuer() private static final StandardEnvironmentAttributeIssuer NULL_STD_ENV_ATTRIBUTE_ISSUER = () -> null;
{
@Override
public Map<AttributeFqn, AttributeBag<?>> get()
{
return null;
}
};
private static final StandardEnvironmentAttributeIssuer DEFAULT_TZ_BASED_STD_ENV_ATTRIBUTE_ISSUER = new StandardEnvironmentAttributeIssuer()
{
@Override private static final StandardEnvironmentAttributeIssuer DEFAULT_TZ_BASED_STD_ENV_ATTRIBUTE_ISSUER = () -> {
public Map<AttributeFqn, AttributeBag<?>> get() /*
{ * Set the standard current date/time attribute according to XACML core spec:
/* * "This identifier indicates the current time at the context handler. In practice it is the time at which the request context was created." (§B.7). XACML standard (§10.2.5) says: "If values
* Set the standard current date/time attribute according to XACML core spec: * for these attributes are not present in the decision request, then their values MUST be supplied by the context handler".
* "This identifier indicates the current time at the context handler. In practice it is the time at which the request context was created." (§B.7). XACML standard (§10.2.5) says: "If */
* values for these attributes are not present in the decision request, then their values MUST be supplied by the context handler". // current datetime in default timezone
*/ final DateTimeValue currentDateTimeValue = new DateTimeValue(new GregorianCalendar());
// current datetime in default timezone return HashCollections.<AttributeFqn, AttributeBag<?>>newImmutableMap(
final DateTimeValue currentDateTimeValue = new DateTimeValue(new GregorianCalendar()); // current date-time
return HashCollections.<AttributeFqn, AttributeBag<?>>newImmutableMap( StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN(), Bags.singletonAttributeBag(StandardDatatypes.DATETIME, currentDateTimeValue, AttributeSources.PDP),
// current date-time // current date
StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN(), Bags.singletonAttributeBag(StandardDatatypes.DATETIME, currentDateTimeValue, AttributeSources.PDP), StandardEnvironmentAttribute.CURRENT_DATE.getFQN(),
// current date Bags.singletonAttributeBag(StandardDatatypes.DATE, DateValue.getInstance((XMLGregorianCalendar) currentDateTimeValue.getUnderlyingValue().clone()), AttributeSources.PDP),
StandardEnvironmentAttribute.CURRENT_DATE.getFQN(), // current time
Bags.singletonAttributeBag(StandardDatatypes.DATE, DateValue.getInstance((XMLGregorianCalendar) currentDateTimeValue.getUnderlyingValue().clone()), AttributeSources.PDP), StandardEnvironmentAttribute.CURRENT_TIME.getFQN(),
// current time Bags.singletonAttributeBag(StandardDatatypes.TIME, TimeValue.getInstance((XMLGregorianCalendar) currentDateTimeValue.getUnderlyingValue().clone()), AttributeSources.PDP));
StandardEnvironmentAttribute.CURRENT_TIME.getFQN(),
Bags.singletonAttributeBag(StandardDatatypes.TIME, TimeValue.getInstance((XMLGregorianCalendar) currentDateTimeValue.getUnderlyingValue().clone()), AttributeSources.PDP));
}
}; };
private static class NonIssuedLikeIssuedAttributeHandlingRequestBuilder implements DecisionRequestBuilder<ImmutableDecisionRequest> private static class NonIssuedLikeIssuedAttributeHandlingRequestBuilder implements DecisionRequestBuilder<ImmutableDecisionRequest>
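Review bot: `DEFAULT_TZ_BASED_STD_ENV_ATTRIBUTE_ISSUER` derives current-dateTime/current-date/current-time from `new GregorianCalendar()`, i.e. the PDP host's system clock in the JVM default time zone, and after the lambda conversion the only hint of that is the one-liner `// current datetime in default timezone`. Any time-of-day condition in a policy is therefore evaluated relative to `user.timezone`/`TZ` of whatever host or container runs the PDP, which is easy to lose when a deployment moves. I would make the caveat explicit on the constant: `/* Uses the system clock in the JVM default time zone (user.timezone / TZ); time-based policy conditions are evaluated relative to it, so deployments must set it deliberately. */`. Within this hunk the issuer is the only place the clock is read, so a follow-up could accept a `TimeZone` or `Clock` to make time-restricted policies testable with a fixed instant; that is outside the scope of this refactoring.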
...@@ -198,111 +186,88 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -198,111 +186,88 @@ public final class BasePdpEngine implements CloseablePdpEngine
private static final IndeterminateEvaluationException newReqMissingStdEnvAttrException(final AttributeFqn attrGUID) private static final IndeterminateEvaluationException newReqMissingStdEnvAttrException(final AttributeFqn attrGUID)
{ {
return new IndeterminateEvaluationException( return new IndeterminateEvaluationException(
"The standard environment attribute ( " + attrGUID "The standard environment attribute ( " + attrGUID
+ " ) is not present in the REQUEST although at least one of the others is! (PDP standardEnvironmentAttributeSource = REQUEST_ELSE_PDP.)", + " ) is not present in the REQUEST although at least one of the others is! (PDP standardEnvironmentAttributeSource = REQUEST_ELSE_PDP.)",
XacmlStatusCode.MISSING_ATTRIBUTE.value()); XacmlStatusCode.MISSING_ATTRIBUTE.value());
} }
private static final Map<AttributeFqn, AttributeBag<?>> STD_ENV_RESET_MAP = HashCollections.<AttributeFqn, AttributeBag<?>>newImmutableMap( private static final Map<AttributeFqn, AttributeBag<?>> STD_ENV_RESET_MAP = HashCollections.<AttributeFqn, AttributeBag<?>>newImmutableMap(
StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN(), StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN(),
Bags.emptyAttributeBag(StandardDatatypes.DATETIME, newReqMissingStdEnvAttrException(StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN())), Bags.emptyAttributeBag(StandardDatatypes.DATETIME, newReqMissingStdEnvAttrException(StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN())),
StandardEnvironmentAttribute.CURRENT_DATE.getFQN(), StandardEnvironmentAttribute.CURRENT_DATE.getFQN(),
Bags.emptyAttributeBag(StandardDatatypes.DATE, newReqMissingStdEnvAttrException(StandardEnvironmentAttribute.CURRENT_DATE.getFQN())), Bags.emptyAttributeBag(StandardDatatypes.DATE, newReqMissingStdEnvAttrException(StandardEnvironmentAttribute.CURRENT_DATE.getFQN())),
StandardEnvironmentAttribute.CURRENT_TIME.getFQN(), StandardEnvironmentAttribute.CURRENT_TIME.getFQN(),
Bags.emptyAttributeBag(StandardDatatypes.TIME, newReqMissingStdEnvAttrException(StandardEnvironmentAttribute.CURRENT_TIME.getFQN()))); Bags.emptyAttributeBag(StandardDatatypes.TIME, newReqMissingStdEnvAttrException(StandardEnvironmentAttribute.CURRENT_TIME.getFQN())));
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_OVERRIDES_ATTRIBUTES_MERGER = new RequestAndPdpIssuedNamedAttributesMerger() private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_OVERRIDES_ATTRIBUTES_MERGER = (pdpIssuedAttributes, requestAttributes) -> {
{ /*
* Request attribute values override PDP issued ones. Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must not
* modify it but clone it before individual decision request processing.
*/
if (pdpIssuedAttributes == null)
{
return requestAttributes == null ? null : HashCollections.newUpdatableMap(requestAttributes);
}
@Override // pdpIssuedAttributes != null
public Map<AttributeFqn, AttributeBag<?>> merge(final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes, final Map<AttributeFqn, AttributeBag<?>> requestAttributes) if (requestAttributes == null)
{
return HashCollections.newUpdatableMap(pdpIssuedAttributes);
}
// requestAttributes != null
/**
*
* XACML standard (§10.2.5) says: "If values for these [the standard environment attributes, i.e. current-time, current-date, current-dateTime] attributes are not present in the decision
* request, then their values MUST be supplied by the context handler ". In our case, "context handler" means the PDP. In other words, the attribute values come from request by default, or
* from the PDP if (and *only if* in this case) they are not set in the request. More precisely, if any of these standard environment attributes is provided in the request, none of the PDP
* values is used, even if some policy requires one that is missing from the request. Indeed, this is to avoid such case when the decision request specifies at least one date/time
* attribute, e.g. current-time, but not all of them, e.g. not current-dateTime, and the policy requires both the one(s) provided and the one(s) not provided. In this case, if the PDP
* provides its own value(s) for the missing attributes (e.g. current-dateTime), this may cause some inconsistencies since we end up having date/time attributes coming from two different
* sources/environments (current-time and current-dateTime for instance).
*/
if (requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN()) || requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_DATE.getFQN())
|| requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_TIME.getFQN()))
{ {
/* /*
* Request attribute values override PDP issued ones. Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must * Request has at least one standard env attribute -> make sure all PDP values are ignored (overridden by STD_ENV_RESET_MAP no matter whether requestAttributes contains all of them or
* not modify it but clone it before individual decision request processing. * not)
*/
if (pdpIssuedAttributes == null)
{
return requestAttributes == null ? null : HashCollections.newUpdatableMap(requestAttributes);
}
// pdpIssuedAttributes != null
if (requestAttributes == null)
{
return HashCollections.newUpdatableMap(pdpIssuedAttributes);
}
// requestAttributes != null
/**
*
* XACML standard (§10.2.5) says: "If values for these [the standard environment attributes, i.e. current-time, current-date, current-dateTime] attributes are not present in the
* decision request, then their values MUST be supplied by the context handler ". In our case, "context handler" means the PDP. In other words, the attribute values come from request
* by default, or from the PDP if (and *only if* in this case) they are not set in the request. More precisely, if any of these standard environment attributes is provided in the
* request, none of the PDP values is used, even if some policy requires one that is missing from the request. Indeed, this is to avoid such case when the decision request specifies at
* least one date/time attribute, e.g. current-time, but not all of them, e.g. not current-dateTime, and the policy requires both the one(s) provided and the one(s) not provided. In
* this case, if the PDP provides its own value(s) for the missing attributes (e.g. current-dateTime), this may cause some inconsistencies since we end up having date/time attributes
* coming from two different sources/environments (current-time and current-dateTime for instance).
*/ */
if (requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN()) || requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_DATE.getFQN())
|| requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_TIME.getFQN()))
{
/*
* Request has at least one standard env attribute -> make sure all PDP values are ignored (overridden by STD_ENV_RESET_MAP no matter whether requestAttributes contains all of them
* or not)
*/
// mappings in order of increasing priority
return HashCollections.newUpdatableMap(pdpIssuedAttributes, STD_ENV_RESET_MAP, requestAttributes);
}
// mappings in order of increasing priority // mappings in order of increasing priority
return HashCollections.newUpdatableMap(pdpIssuedAttributes, requestAttributes); return HashCollections.newUpdatableMap(pdpIssuedAttributes, STD_ENV_RESET_MAP, requestAttributes);
} }
// mappings in order of increasing priority
return HashCollections.newUpdatableMap(pdpIssuedAttributes, requestAttributes);
}; };
private static final RequestAndPdpIssuedNamedAttributesMerger PDP_OVERRIDES_ATTRIBUTES_MERGER = new RequestAndPdpIssuedNamedAttributesMerger() private static final RequestAndPdpIssuedNamedAttributesMerger PDP_OVERRIDES_ATTRIBUTES_MERGER = (pdpIssuedAttributes, requestAttributes) -> {
{
@Override // PDP issued attribute values override request attribute values
public Map<AttributeFqn, AttributeBag<?>> merge(final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes, final Map<AttributeFqn, AttributeBag<?>> requestAttributes) /*
* Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must not modify it but clone it before individual decision
* request processing.
*/
if (pdpIssuedAttributes == null)
{ {
return requestAttributes == null ? null : HashCollections.newUpdatableMap(requestAttributes);
// PDP issued attribute values override request attribute values
/*
* Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must not modify it but clone it before individual
* decision request processing.
*/
if (pdpIssuedAttributes == null)
{
return requestAttributes == null ? null : HashCollections.newUpdatableMap(requestAttributes);
}
// pdpIssuedAttributes != null
if (requestAttributes == null)
{
return HashCollections.newUpdatableMap(pdpIssuedAttributes);
}
// requestAttributes != null
// mappings of pdpIssuedAttributes have priority
return HashCollections.newUpdatableMap(requestAttributes, pdpIssuedAttributes);
} }
}; // pdpIssuedAttributes != null
if (requestAttributes == null)
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_ONLY_ATTRIBUTES_MERGER = new RequestAndPdpIssuedNamedAttributesMerger()
{
@Override
public Map<AttributeFqn, AttributeBag<?>> merge(final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes, final Map<AttributeFqn, AttributeBag<?>> requestAttributes)
{ {
// PDP values completely ignored return HashCollections.newUpdatableMap(pdpIssuedAttributes);
return requestAttributes == null ? null : HashCollections.newUpdatableMap(requestAttributes);
} }
// requestAttributes != null
// mappings of pdpIssuedAttributes have priority
return HashCollections.newUpdatableMap(requestAttributes, pdpIssuedAttributes);
}; };
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_ONLY_ATTRIBUTES_MERGER = (pdpIssuedAttributes, requestAttributes) -> requestAttributes == null ? null
: HashCollections.newUpdatableMap(requestAttributes);
private final RootPolicyEvaluator rootPolicyEvaluator; private final RootPolicyEvaluator rootPolicyEvaluator;
private final RequestAndPdpIssuedNamedAttributesMerger reqAndPdpIssuedAttributesMerger; private final RequestAndPdpIssuedNamedAttributesMerger reqAndPdpIssuedAttributesMerger;
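Review bot: `REQUEST_OVERRIDES_ATTRIBUTES_MERGER` lets whoever builds the decision request supply current-dateTime/current-date/current-time and, as soon as any one of them is present, discards every PDP-issued value through `STD_ENV_RESET_MAP`, so in the `REQUEST_ELSE_PDP` mode named in `newReqMissingStdEnvAttrException` the requester rather than the PDP clock decides what time a time-restricted policy sees. The long Javadoc inside the lambda explains the consistency motivation but not this trust consequence; I would add to it: `Security note: in this mode the request (PEP/client) controls the clock seen by policies; use only where the PEP is trusted to report time honestly, otherwise prefer a PDP-sourced mode.` (I cannot see the `StandardEnvironmentAttributeSource` enum from here, so name the PDP-only constant it actually defines). As a style point, the three `containsKey` calls on the new side test exactly the keys `STD_ENV_RESET_MAP` already holds, so they can collapse to `if (!Collections.disjoint(requestAttributes.keySet(), STD_ENV_RESET_MAP.keySet()))` (importing `java.util.Collections` if it is not already).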
...@@ -351,7 +316,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -351,7 +316,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
break; break;
default: default:
throw new IllegalArgumentException( throw new IllegalArgumentException(
"Unsupported standardEnvAttributeSource: " + stdEnvAttributeSource + ". Expected: " + Arrays.toString(StandardEnvironmentAttributeSource.values())); "Unsupported standardEnvAttributeSource: " + stdEnvAttributeSource + ". Expected: " + Arrays.toString(StandardEnvironmentAttributeSource.values()));
} }
} }
...@@ -410,7 +375,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -410,7 +375,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
* if an error occurred preventing any request evaluation * if an error occurred preventing any request evaluation
*/ */
protected abstract <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Entry<INDIVIDUAL_DECISION_REQ_T, ? extends DecisionResult>> evaluate( protected abstract <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Entry<INDIVIDUAL_DECISION_REQ_T, ? extends DecisionResult>> evaluate(
List<INDIVIDUAL_DECISION_REQ_T> individualDecisionRequests, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) throws IndeterminateEvaluationException; List<INDIVIDUAL_DECISION_REQ_T> individualDecisionRequests, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) throws IndeterminateEvaluationException;
} }
...@@ -419,7 +384,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -419,7 +384,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
private static final Logger LOGGER = LoggerFactory.getLogger(NonCachingIndividualDecisionRequestEvaluator.class); private static final Logger LOGGER = LoggerFactory.getLogger(NonCachingIndividualDecisionRequestEvaluator.class);
private static final RuntimeException NULL_INDIVIDUAL_DECISION_REQUEST_EXCEPTION = new RuntimeException( private static final RuntimeException NULL_INDIVIDUAL_DECISION_REQUEST_EXCEPTION = new RuntimeException(
"One of the individual decision requests returned by the request filter is invalid (null)."); "One of the individual decision requests returned by the request filter is invalid (null).");
private NonCachingIndividualDecisionRequestEvaluator(final RootPolicyEvaluator rootPolicyEvaluator, final StandardEnvironmentAttributeSource stdEnvAttributeSource) private NonCachingIndividualDecisionRequestEvaluator(final RootPolicyEvaluator rootPolicyEvaluator, final StandardEnvironmentAttributeSource stdEnvAttributeSource)
{ {
...@@ -427,7 +392,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -427,7 +392,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
} }
@Override @Override
protected DecisionResult evaluate(DecisionRequest request, StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) protected DecisionResult evaluate(final DecisionRequest request, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
{ {
assert request != null; assert request != null;
LOGGER.debug("Evaluating Individual Decision Request: {}", request); LOGGER.debug("Evaluating Individual Decision Request: {}", request);
...@@ -436,7 +401,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -436,7 +401,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
@Override @Override
protected <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Entry<INDIVIDUAL_DECISION_REQ_T, ? extends DecisionResult>> evaluate( protected <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Entry<INDIVIDUAL_DECISION_REQ_T, ? extends DecisionResult>> evaluate(
final List<INDIVIDUAL_DECISION_REQ_T> individualDecisionRequests, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) throws IndeterminateEvaluationException final List<INDIVIDUAL_DECISION_REQ_T> individualDecisionRequests, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) throws IndeterminateEvaluationException
{ {
assert individualDecisionRequests != null && pdpStdEnvAttributeIssuer != null; assert individualDecisionRequests != null && pdpStdEnvAttributeIssuer != null;
...@@ -463,12 +428,12 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -463,12 +428,12 @@ public final class BasePdpEngine implements CloseablePdpEngine
private static final Logger LOGGER = LoggerFactory.getLogger(IndividualRequestEvaluatorWithCacheIgnoringEvaluationContext.class); private static final Logger LOGGER = LoggerFactory.getLogger(IndividualRequestEvaluatorWithCacheIgnoringEvaluationContext.class);
private static final IndeterminateEvaluationException INDETERMINATE_EVALUATION_EXCEPTION = new IndeterminateEvaluationException("Internal error in decision cache: null result", private static final IndeterminateEvaluationException INDETERMINATE_EVALUATION_EXCEPTION = new IndeterminateEvaluationException("Internal error in decision cache: null result",
XacmlStatusCode.PROCESSING_ERROR.value()); XacmlStatusCode.PROCESSING_ERROR.value());
private final DecisionCache decisionCache; private final DecisionCache decisionCache;
private IndividualRequestEvaluatorWithCacheIgnoringEvaluationContext(final RootPolicyEvaluator rootPolicyEvaluator, final StandardEnvironmentAttributeSource stdEnvAttributeSource, private IndividualRequestEvaluatorWithCacheIgnoringEvaluationContext(final RootPolicyEvaluator rootPolicyEvaluator, final StandardEnvironmentAttributeSource stdEnvAttributeSource,
final DecisionCache decisionCache) final DecisionCache decisionCache)
{ {
super(rootPolicyEvaluator, stdEnvAttributeSource); super(rootPolicyEvaluator, stdEnvAttributeSource);
assert decisionCache != null; assert decisionCache != null;
...@@ -476,7 +441,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -476,7 +441,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
} }
@Override @Override
protected DecisionResult evaluate(DecisionRequest individualDecisionRequest, StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) protected DecisionResult evaluate(final DecisionRequest individualDecisionRequest, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
{ {
assert individualDecisionRequest != null; assert individualDecisionRequest != null;
LOGGER.debug("Evaluating Individual Decision Request: {}", individualDecisionRequest); LOGGER.debug("Evaluating Individual Decision Request: {}", individualDecisionRequest);
...@@ -496,7 +461,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -496,7 +461,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
@Override @Override
protected <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Entry<INDIVIDUAL_DECISION_REQ_T, ? extends DecisionResult>> evaluate( protected <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Entry<INDIVIDUAL_DECISION_REQ_T, ? extends DecisionResult>> evaluate(
final List<INDIVIDUAL_DECISION_REQ_T> individualDecisionRequests, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) throws IndeterminateEvaluationException final List<INDIVIDUAL_DECISION_REQ_T> individualDecisionRequests, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) throws IndeterminateEvaluationException
{ {
assert individualDecisionRequests != null && pdpStdEnvAttributeIssuer != null; assert individualDecisionRequests != null && pdpStdEnvAttributeIssuer != null;
...@@ -556,7 +521,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -556,7 +521,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
private final DecisionCache decisionCache; private final DecisionCache decisionCache;
private IndividualRequestEvaluatorWithCacheUsingEvaluationContext(final RootPolicyEvaluator rootPolicyEvaluator, final StandardEnvironmentAttributeSource validStdEnvAttrSrc, private IndividualRequestEvaluatorWithCacheUsingEvaluationContext(final RootPolicyEvaluator rootPolicyEvaluator, final StandardEnvironmentAttributeSource validStdEnvAttrSrc,
final DecisionCache decisionCache) final DecisionCache decisionCache)
{ {
super(rootPolicyEvaluator, validStdEnvAttrSrc); super(rootPolicyEvaluator, validStdEnvAttrSrc);
assert decisionCache != null; assert decisionCache != null;
...@@ -564,7 +529,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -564,7 +529,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
} }
private <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> DecisionResult evaluate(final INDIVIDUAL_DECISION_REQ_T individualDecisionRequest, private <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> DecisionResult evaluate(final INDIVIDUAL_DECISION_REQ_T individualDecisionRequest,
final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes) final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes)
{ {
assert individualDecisionRequest != null; assert individualDecisionRequest != null;
LOGGER.debug("Evaluating Individual Decision Request: {}", individualDecisionRequest); LOGGER.debug("Evaluating Individual Decision Request: {}", individualDecisionRequest);
...@@ -587,7 +552,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -587,7 +552,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
} }
@Override @Override
protected DecisionResult evaluate(DecisionRequest individualDecisionRequest, StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) protected DecisionResult evaluate(final DecisionRequest individualDecisionRequest, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
{ {
assert individualDecisionRequest != null && pdpStdEnvAttributeIssuer != null; assert individualDecisionRequest != null && pdpStdEnvAttributeIssuer != null;
return evaluate(individualDecisionRequest, pdpStdEnvAttributeIssuer.get()); return evaluate(individualDecisionRequest, pdpStdEnvAttributeIssuer.get());
...@@ -595,7 +560,7 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -595,7 +560,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
@Override @Override
protected <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Entry<INDIVIDUAL_DECISION_REQ_T, ? extends DecisionResult>> evaluate( protected <INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Entry<INDIVIDUAL_DECISION_REQ_T, ? extends DecisionResult>> evaluate(
final List<INDIVIDUAL_DECISION_REQ_T> individualDecisionRequests, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) throws IndeterminateEvaluationException final List<INDIVIDUAL_DECISION_REQ_T> individualDecisionRequests, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer) throws IndeterminateEvaluationException
{ {
assert individualDecisionRequests != null && pdpStdEnvAttributeIssuer != null; assert individualDecisionRequests != null && pdpStdEnvAttributeIssuer != null;
...@@ -626,8 +591,14 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -626,8 +591,14 @@ public final class BasePdpEngine implements CloseablePdpEngine
* *
* @param xacmlExpressionFactory * @param xacmlExpressionFactory
* XACML Expression parser/factory - mandatory * XACML Expression parser/factory - mandatory
* @param rootPolicyProvider * @param policyProvider
* Root Policy Provider - mandatory * Policy Provider - mandatory
* @param rootPolicyId
* root Policy(Set) ID
* @param rootPolicyElementType
* type of root policy element (XACML Policy or XACML PolicySet)
* @param rootPolicyVersionPatterns
* version pattern to be matched by root policy version
* @param decisionCache * @param decisionCache
* (optional) decision response cache * (optional) decision response cache
* @param strictAttributeIssuerMatch * @param strictAttributeIssuerMatch
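Review bot: The new `@param` entries are listed as policyProvider, rootPolicyId, rootPolicyElementType, rootPolicyVersionPatterns, which is not the order of the constructor signature further down (policyProvider, rootPolicyElementType, rootPolicyId, rootPolicyVersionPatterns), and neither `rootPolicyElementType` nor `rootPolicyVersionPatterns` mentions that it is an `Optional` or what an empty value means. Javadoc pairs `@param` by name so nothing breaks, but an API reader sees the wrong order and no documentation of the empty cases. I would reorder them to follow the signature and write, e.g., `@param rootPolicyElementType type of root policy element (XACML Policy or PolicySet); empty if either is acceptable — confirm against RootPolicyEvaluators.Base` and `@param rootPolicyVersionPatterns version pattern(s) the root policy version must match; empty means the latest version is used`. The "latest" meaning is taken from the error message the constructor builds in the following hunk, not from this one; this Javadoc block continues past the end of the hunk.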
...@@ -642,12 +613,23 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -642,12 +613,23 @@ public final class BasePdpEngine implements CloseablePdpEngine
* @throws java.io.IOException * @throws java.io.IOException
* error closing the root policy Provider when static resolution is to be used * error closing the root policy Provider when static resolution is to be used
*/ */
public BasePdpEngine(final ExpressionFactory xacmlExpressionFactory, final RootPolicyProvider rootPolicyProvider, final boolean strictAttributeIssuerMatch, public BasePdpEngine(final ExpressionFactory xacmlExpressionFactory, final CloseablePolicyProvider<?> policyProvider, final Optional<TopLevelPolicyElementType> rootPolicyElementType,
final StandardEnvironmentAttributeSource stdEnvAttributeSource, final Optional<DecisionCache> decisionCache) throws IllegalArgumentException, IOException final String rootPolicyId, final Optional<PolicyVersionPatterns> rootPolicyVersionPatterns, final boolean strictAttributeIssuerMatch,
final StandardEnvironmentAttributeSource stdEnvAttributeSource, final Optional<DecisionCache> decisionCache) throws IllegalArgumentException, IOException
{ {
final RootPolicyEvaluators.Base candidateRootPolicyEvaluator = new RootPolicyEvaluators.Base(xacmlExpressionFactory, rootPolicyProvider); final RootPolicyEvaluators.Base candidateRootPolicyEvaluator = new RootPolicyEvaluators.Base(policyProvider, rootPolicyElementType, rootPolicyId, rootPolicyVersionPatterns,
xacmlExpressionFactory);
// Use static resolution if possible // Use static resolution if possible
final RootPolicyEvaluator staticRootPolicyEvaluator = candidateRootPolicyEvaluator.toStatic(); final RootPolicyEvaluator staticRootPolicyEvaluator;
try
{
staticRootPolicyEvaluator = candidateRootPolicyEvaluator.toStatic();
}
catch (final IndeterminateEvaluationException e)
{
throw new IllegalArgumentException(
rootPolicyElementType + " '" + rootPolicyId + "' matching version (pattern): " + (rootPolicyVersionPatterns.isPresent() ? rootPolicyVersionPatterns.get() : "latest"), e);
}
if (staticRootPolicyEvaluator == null) if (staticRootPolicyEvaluator == null)
{ {
this.rootPolicyEvaluator = candidateRootPolicyEvaluator; this.rootPolicyEvaluator = candidateRootPolicyEvaluator;
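Review bot: The `IllegalArgumentException` thrown when `toStatic()` fails builds its message as `rootPolicyElementType + " '" + rootPolicyId + ...`, and `rootPolicyElementType` is an `Optional`, so callers get something like `Optional[POLICY] 'id' matching version (pattern): latest` or `Optional.empty 'id' ...`; the text also never says that resolution failed — that is only in the chained cause. I would make the message self-describing and unwrap the optionals: `throw new IllegalArgumentException("Failed to resolve root " + rootPolicyElementType.map(Object::toString).orElse("Policy(Set)") + " '" + rootPolicyId + "' matching version (pattern): " + rootPolicyVersionPatterns.map(Object::toString).orElse("latest"), e);`. Separately, the constructor now receives a `CloseablePolicyProvider` but nothing in this hunk closes it on that failure path; if `RootPolicyEvaluators.Base` takes ownership, it should be closed before rethrowing — I cannot see that class, so please confirm. The constructor body continues beyond the end of this hunk.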
...@@ -670,8 +652,8 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -670,8 +652,8 @@ public final class BasePdpEngine implements CloseablePdpEngine
else else
{ {
this.individualReqEvaluator = this.decisionCache.isEvaluationContextRequired() this.individualReqEvaluator = this.decisionCache.isEvaluationContextRequired()
? new IndividualRequestEvaluatorWithCacheUsingEvaluationContext(rootPolicyEvaluator, stdEnvAttributeSource, this.decisionCache) ? new IndividualRequestEvaluatorWithCacheUsingEvaluationContext(rootPolicyEvaluator, stdEnvAttributeSource, this.decisionCache)
: new IndividualRequestEvaluatorWithCacheIgnoringEvaluationContext(rootPolicyEvaluator, stdEnvAttributeSource, this.decisionCache); : new IndividualRequestEvaluatorWithCacheIgnoringEvaluationContext(rootPolicyEvaluator, stdEnvAttributeSource, this.decisionCache);
} }
} }
...@@ -688,8 +670,8 @@ public final class BasePdpEngine implements CloseablePdpEngine ...@@ -688,8 +670,8 @@ public final class BasePdpEngine implements CloseablePdpEngine
*/ */
public BasePdpEngine(final PdpEngineConfiguration configuration) throws IllegalArgumentException, IOException public BasePdpEngine(final PdpEngineConfiguration configuration) throws IllegalArgumentException, IOException
{ {
this(configuration.getXacmlExpressionFactory(), configuration.getRootPolicyProvider(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.getStdEnvAttributeSource(), this(configuration.getXacmlExpressionFactory(), configuration.getPolicyProvider(), configuration.getRootPolicyElementType(), configuration.getRootPolicyId(),
configuration.getDecisionCache()); configuration.getRootPolicyVersionPatterns(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.getStdEnvAttributeSource(), configuration.getDecisionCache());
} }