Commit c837d1d7 authored by cdanger's avatar cdanger

Merge branch 'GH-38' into develop

Conflicts:
	pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/policy/CoreRefPolicyProvider.java
	pdp-io-xacml-json/src/test/java/org/ow2/authzforce/core/pdp/io/xacml/json/test/JsonProfileConformanceV3Test.java
	pom.xml
parents 802b390e aa856904
......@@ -131,7 +131,7 @@ Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#
```xml
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" />
</pdp>
```
......
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/IIA001/Policy.xml" />
<pdp
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0"
version="7.0.0">
<policyProvider
id="rootPolicyProvider"
xsi:type="StaticPolicyProvider">
<policyLocation>${PARENT_DIR}/IIA001/Policy.xml</policyLocation>
</policyProvider>
<rootPolicyRef>urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy</rootPolicyRef>
<ioProcChain>
<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:default-lax</requestPreproc>
<resultPostproc>urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</resultPostproc>
......
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<project
xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.ow2.authzforce</groupId>
......
......@@ -43,8 +43,10 @@ import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.ImmutableDecisionRequest;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns;
import org.ow2.authzforce.core.pdp.api.policy.PrimaryPolicyMetadata;
import org.ow2.authzforce.core.pdp.api.policy.RootPolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.Bag;
import org.ow2.authzforce.core.pdp.api.value.Bags;
......@@ -79,26 +81,13 @@ public final class BasePdpEngine implements CloseablePdpEngine
Map<AttributeFqn, AttributeBag<?>> get();
}
private static final StandardEnvironmentAttributeIssuer NULL_STD_ENV_ATTRIBUTE_ISSUER = new StandardEnvironmentAttributeIssuer()
{
private static final StandardEnvironmentAttributeIssuer NULL_STD_ENV_ATTRIBUTE_ISSUER = () -> null;
@Override
public Map<AttributeFqn, AttributeBag<?>> get()
{
return null;
}
};
private static final StandardEnvironmentAttributeIssuer DEFAULT_TZ_BASED_STD_ENV_ATTRIBUTE_ISSUER = new StandardEnvironmentAttributeIssuer()
{
@Override
public Map<AttributeFqn, AttributeBag<?>> get()
{
private static final StandardEnvironmentAttributeIssuer DEFAULT_TZ_BASED_STD_ENV_ATTRIBUTE_ISSUER = () -> {
/*
* Set the standard current date/time attribute according to XACML core spec:
* "This identifier indicates the current time at the context handler. In practice it is the time at which the request context was created." (§B.7). XACML standard (§10.2.5) says: "If
* values for these attributes are not present in the decision request, then their values MUST be supplied by the context handler".
* "This identifier indicates the current time at the context handler. In practice it is the time at which the request context was created." (§B.7). XACML standard (§10.2.5) says: "If values
* for these attributes are not present in the decision request, then their values MUST be supplied by the context handler".
*/
// current datetime in default timezone
final DateTimeValue currentDateTimeValue = new DateTimeValue(new GregorianCalendar());
......@@ -111,7 +100,6 @@ public final class BasePdpEngine implements CloseablePdpEngine
// current time
StandardEnvironmentAttribute.CURRENT_TIME.getFQN(),
Bags.singletonAttributeBag(StandardDatatypes.TIME, TimeValue.getInstance((XMLGregorianCalendar) currentDateTimeValue.getUnderlyingValue().clone()), AttributeSources.PDP));
}
};
private static class NonIssuedLikeIssuedAttributeHandlingRequestBuilder implements DecisionRequestBuilder<ImmutableDecisionRequest>
......@@ -211,15 +199,10 @@ public final class BasePdpEngine implements CloseablePdpEngine
StandardEnvironmentAttribute.CURRENT_TIME.getFQN(),
Bags.emptyAttributeBag(StandardDatatypes.TIME, newReqMissingStdEnvAttrException(StandardEnvironmentAttribute.CURRENT_TIME.getFQN())));
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_OVERRIDES_ATTRIBUTES_MERGER = new RequestAndPdpIssuedNamedAttributesMerger()
{
@Override
public Map<AttributeFqn, AttributeBag<?>> merge(final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes, final Map<AttributeFqn, AttributeBag<?>> requestAttributes)
{
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_OVERRIDES_ATTRIBUTES_MERGER = (pdpIssuedAttributes, requestAttributes) -> {
/*
* Request attribute values override PDP issued ones. Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must
* not modify it but clone it before individual decision request processing.
* Request attribute values override PDP issued ones. Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must not
* modify it but clone it before individual decision request processing.
*/
if (pdpIssuedAttributes == null)
{
......@@ -235,20 +218,20 @@ public final class BasePdpEngine implements CloseablePdpEngine
/**
*
* XACML standard (§10.2.5) says: "If values for these [the standard environment attributes, i.e. current-time, current-date, current-dateTime] attributes are not present in the
* decision request, then their values MUST be supplied by the context handler ". In our case, "context handler" means the PDP. In other words, the attribute values come from request
* by default, or from the PDP if (and *only if* in this case) they are not set in the request. More precisely, if any of these standard environment attributes is provided in the
* request, none of the PDP values is used, even if some policy requires one that is missing from the request. Indeed, this is to avoid such case when the decision request specifies at
* least one date/time attribute, e.g. current-time, but not all of them, e.g. not current-dateTime, and the policy requires both the one(s) provided and the one(s) not provided. In
* this case, if the PDP provides its own value(s) for the missing attributes (e.g. current-dateTime), this may cause some inconsistencies since we end up having date/time attributes
* coming from two different sources/environments (current-time and current-dateTime for instance).
* XACML standard (§10.2.5) says: "If values for these [the standard environment attributes, i.e. current-time, current-date, current-dateTime] attributes are not present in the decision
* request, then their values MUST be supplied by the context handler ". In our case, "context handler" means the PDP. In other words, the attribute values come from request by default, or
* from the PDP if (and *only if* in this case) they are not set in the request. More precisely, if any of these standard environment attributes is provided in the request, none of the PDP
* values is used, even if some policy requires one that is missing from the request. Indeed, this is to avoid such case when the decision request specifies at least one date/time
* attribute, e.g. current-time, but not all of them, e.g. not current-dateTime, and the policy requires both the one(s) provided and the one(s) not provided. In this case, if the PDP
* provides its own value(s) for the missing attributes (e.g. current-dateTime), this may cause some inconsistencies since we end up having date/time attributes coming from two different
* sources/environments (current-time and current-dateTime for instance).
*/
if (requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_DATETIME.getFQN()) || requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_DATE.getFQN())
|| requestAttributes.containsKey(StandardEnvironmentAttribute.CURRENT_TIME.getFQN()))
{
/*
* Request has at least one standard env attribute -> make sure all PDP values are ignored (overridden by STD_ENV_RESET_MAP no matter whether requestAttributes contains all of them
* or not)
* Request has at least one standard env attribute -> make sure all PDP values are ignored (overridden by STD_ENV_RESET_MAP no matter whether requestAttributes contains all of them or
* not)
*/
// mappings in order of increasing priority
return HashCollections.newUpdatableMap(pdpIssuedAttributes, STD_ENV_RESET_MAP, requestAttributes);
......@@ -256,21 +239,14 @@ public final class BasePdpEngine implements CloseablePdpEngine
// mappings in order of increasing priority
return HashCollections.newUpdatableMap(pdpIssuedAttributes, requestAttributes);
}
};
private static final RequestAndPdpIssuedNamedAttributesMerger PDP_OVERRIDES_ATTRIBUTES_MERGER = new RequestAndPdpIssuedNamedAttributesMerger()
{
@Override
public Map<AttributeFqn, AttributeBag<?>> merge(final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes, final Map<AttributeFqn, AttributeBag<?>> requestAttributes)
{
private static final RequestAndPdpIssuedNamedAttributesMerger PDP_OVERRIDES_ATTRIBUTES_MERGER = (pdpIssuedAttributes, requestAttributes) -> {
// PDP issued attribute values override request attribute values
/*
* Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must not modify it but clone it before individual
* decision request processing.
* Do not modify pdpIssuedAttributes directly as this may be used for other requests (Multiple Decision Profile) as well. so we must not modify it but clone it before individual decision
* request processing.
*/
if (pdpIssuedAttributes == null)
{
......@@ -287,21 +263,10 @@ public final class BasePdpEngine implements CloseablePdpEngine
// mappings of pdpIssuedAttributes have priority
return HashCollections.newUpdatableMap(requestAttributes, pdpIssuedAttributes);
}
};
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_ONLY_ATTRIBUTES_MERGER = new RequestAndPdpIssuedNamedAttributesMerger()
{
@Override
public Map<AttributeFqn, AttributeBag<?>> merge(final Map<AttributeFqn, AttributeBag<?>> pdpIssuedAttributes, final Map<AttributeFqn, AttributeBag<?>> requestAttributes)
{
// PDP values completely ignored
return requestAttributes == null ? null : HashCollections.newUpdatableMap(requestAttributes);
}
};
private static final RequestAndPdpIssuedNamedAttributesMerger REQUEST_ONLY_ATTRIBUTES_MERGER = (pdpIssuedAttributes, requestAttributes) -> requestAttributes == null ? null
: HashCollections.newUpdatableMap(requestAttributes);
private final RootPolicyEvaluator rootPolicyEvaluator;
private final RequestAndPdpIssuedNamedAttributesMerger reqAndPdpIssuedAttributesMerger;
......@@ -427,7 +392,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
}
@Override
protected DecisionResult evaluate(DecisionRequest request, StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
protected DecisionResult evaluate(final DecisionRequest request, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
{
assert request != null;
LOGGER.debug("Evaluating Individual Decision Request: {}", request);
......@@ -476,7 +441,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
}
@Override
protected DecisionResult evaluate(DecisionRequest individualDecisionRequest, StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
protected DecisionResult evaluate(final DecisionRequest individualDecisionRequest, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
{
assert individualDecisionRequest != null;
LOGGER.debug("Evaluating Individual Decision Request: {}", individualDecisionRequest);
......@@ -587,7 +552,7 @@ public final class BasePdpEngine implements CloseablePdpEngine
}
@Override
protected DecisionResult evaluate(DecisionRequest individualDecisionRequest, StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
protected DecisionResult evaluate(final DecisionRequest individualDecisionRequest, final StandardEnvironmentAttributeIssuer pdpStdEnvAttributeIssuer)
{
assert individualDecisionRequest != null && pdpStdEnvAttributeIssuer != null;
return evaluate(individualDecisionRequest, pdpStdEnvAttributeIssuer.get());
......@@ -626,8 +591,14 @@ public final class BasePdpEngine implements CloseablePdpEngine
*
* @param xacmlExpressionFactory
* XACML Expression parser/factory - mandatory
* @param rootPolicyProvider
* Root Policy Provider - mandatory
* @param policyProvider
* Policy Provider - mandatory
* @param rootPolicyId
* root Policy(Set) ID
* @param rootPolicyElementType
* type of root policy element (XACML Policy or XACML PolicySet)
* @param rootPolicyVersionPatterns
* version pattern to be matched by root policy version
* @param decisionCache
* (optional) decision response cache
* @param strictAttributeIssuerMatch
......@@ -642,12 +613,23 @@ public final class BasePdpEngine implements CloseablePdpEngine
* @throws java.io.IOException
* error closing the root policy Provider when static resolution is to be used
*/
public BasePdpEngine(final ExpressionFactory xacmlExpressionFactory, final RootPolicyProvider rootPolicyProvider, final boolean strictAttributeIssuerMatch,
public BasePdpEngine(final ExpressionFactory xacmlExpressionFactory, final CloseablePolicyProvider<?> policyProvider, final Optional<TopLevelPolicyElementType> rootPolicyElementType,
final String rootPolicyId, final Optional<PolicyVersionPatterns> rootPolicyVersionPatterns, final boolean strictAttributeIssuerMatch,
final StandardEnvironmentAttributeSource stdEnvAttributeSource, final Optional<DecisionCache> decisionCache) throws IllegalArgumentException, IOException
{
final RootPolicyEvaluators.Base candidateRootPolicyEvaluator = new RootPolicyEvaluators.Base(xacmlExpressionFactory, rootPolicyProvider);
final RootPolicyEvaluators.Base candidateRootPolicyEvaluator = new RootPolicyEvaluators.Base(policyProvider, rootPolicyElementType, rootPolicyId, rootPolicyVersionPatterns,
xacmlExpressionFactory);
// Use static resolution if possible
final RootPolicyEvaluator staticRootPolicyEvaluator = candidateRootPolicyEvaluator.toStatic();
final RootPolicyEvaluator staticRootPolicyEvaluator;
try
{
staticRootPolicyEvaluator = candidateRootPolicyEvaluator.toStatic();
}
catch (final IndeterminateEvaluationException e)
{
throw new IllegalArgumentException(
rootPolicyElementType + " '" + rootPolicyId + "' matching version (pattern): " + (rootPolicyVersionPatterns.isPresent() ? rootPolicyVersionPatterns.get() : "latest"), e);
}
if (staticRootPolicyEvaluator == null)
{
this.rootPolicyEvaluator = candidateRootPolicyEvaluator;
......@@ -688,8 +670,8 @@ public final class BasePdpEngine implements CloseablePdpEngine
*/
public BasePdpEngine(final PdpEngineConfiguration configuration) throws IllegalArgumentException, IOException
{
this(configuration.getXacmlExpressionFactory(), configuration.getRootPolicyProvider(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.getStdEnvAttributeSource(),
configuration.getDecisionCache());
this(configuration.getXacmlExpressionFactory(), configuration.getPolicyProvider(), configuration.getRootPolicyElementType(), configuration.getRootPolicyId(),
configuration.getRootPolicyVersionPatterns(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.getStdEnvAttributeSource(), configuration.getDecisionCache());
}
@Override
......
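Review bot: The `IllegalArgumentException` thrown from the new `catch (final IndeterminateEvaluationException e)` block in the main constructor names the root policy but never says what failed. It also concatenates `rootPolicyElementType`, which is an `Optional`, so the message starts with `Optional[...]` or `Optional.empty`. Since this is the point where the PDP fixes which root policy it will enforce, the message should lead with the failure and unwrap both optionals, for example `"Failed to resolve root " + rootPolicyElementType.map(Object::toString).orElse("Policy(Set)") + " '" + rootPolicyId + "' matching version (pattern): " + rootPolicyVersionPatterns.map(Object::toString).orElse("latest")` (the wording assumes `toStatic()` fails on root policy resolution, which the hunk does not show). Separately, the lambda form of `REQUEST_ONLY_ATTRIBUTES_MERGER` drops the old `// PDP values completely ignored` comment, which is worth keeping because it documents which attribute source is trusted. The constructor body continues past the end of this hunk.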
......@@ -42,7 +42,7 @@ import com.google.common.collect.ListMultimap;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType;
/**
* AttributeProvider that tries to resolve attributes in current request context first, else delegates to {@link DesignatedAttributeProvider}s.
* AttributeProvider that tries to resolve attributes in current request context first, else delegates to {@link NamedAttributeProvider}s.
*
* @version $Id: $
*/
......@@ -97,7 +97,8 @@ public class ModularAttributeProvider implements AttributeProvider
if (selectedAttributeSupport == null)
{
designatorModsByAttrId = attributeProviderModulesByAttributeId;
} else
}
else
{
final ListMultimap<AttributeFqn, NamedAttributeProvider> mutableModsByAttrIdMap = ArrayListMultimap.create(selectedAttributeSupport.size(), 1);
for (final AttributeDesignatorType requiredAttr : selectedAttributeSupport)
......@@ -206,7 +207,8 @@ public class ModularAttributeProvider implements AttributeProvider
LOGGER.debug("Values of attribute {}, type={} returned by attribute Provider module #{} (cached in context): {}", attributeFqn, datatype, attrProviders, result);
issuedToNonIssuedAttributeCopyMode.process(attributeFqn, result, context);
return result;
} catch (final IndeterminateEvaluationException e)
}
catch (final IndeterminateEvaluationException e)
{
/*
* This error does not necessarily matter, it depends on whether the attribute is required, i.e. MustBePresent=true for AttributeDesignator/Selector So we let
......@@ -248,7 +250,8 @@ public class ModularAttributeProvider implements AttributeProvider
*/
context.putNamedAttributeValueIfAbsent(attributeFqn, result);
return result;
} catch (final UnsupportedOperationException e)
}
catch (final UnsupportedOperationException e)
{
/*
* Should not happen, this is highly unexpected and should be considered a fatal error (it means the AttributeProvider does not respect its contract)
......
......@@ -54,8 +54,9 @@ import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.func.FirstOrderFunction;
import org.ow2.authzforce.core.pdp.api.func.Function;
import org.ow2.authzforce.core.pdp.api.io.XacmlJaxbParsingUtils;
import org.ow2.authzforce.core.pdp.api.policy.CloseableRefPolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.RootPolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
import org.ow2.authzforce.core.pdp.api.value.Datatype;
......@@ -73,6 +74,7 @@ import org.ow2.authzforce.core.pdp.impl.func.StandardFunction;
import org.ow2.authzforce.core.xmlns.pdp.InOutProcChain;
import org.ow2.authzforce.core.xmlns.pdp.Pdp;
import org.ow2.authzforce.core.xmlns.pdp.StandardEnvironmentAttributeSource;
import org.ow2.authzforce.core.xmlns.pdp.TopLevelPolicyElementRef;
import org.ow2.authzforce.xacml.identifiers.XacmlDatatypeId;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractDecisionCache;
......@@ -95,7 +97,7 @@ public final class PdpEngineConfiguration
private static final IllegalArgumentException ILLEGAL_USE_STD_FUNCTIONS_ARGUMENT_EXCEPTION = new IllegalArgumentException(
"useStandardFunctions = true not allowed if useStandardDatatypes = false");
private static final IllegalArgumentException NULL_ROOTPOLICYPROVIDER_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined rootPolicyProvider");
private static final IllegalArgumentException NULL_POLICYPROVIDER_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined policyProvider");
// the logger we'll use for all messages
private static final Logger LOGGER = LoggerFactory.getLogger(BasePdpEngine.class);
......@@ -132,21 +134,13 @@ public final class PdpEngineConfiguration
return attrProviderModBuilder.getInstance(jaxbConf, envProps);
}
private static <JAXB_CONF extends AbstractPolicyProvider> CloseableRefPolicyProvider newRefPolicyProvider(final JAXB_CONF jaxbConf, final XmlnsFilteringParserFactory xacmlParserFactory,
private static <JAXB_CONF extends AbstractPolicyProvider> CloseablePolicyProvider<?> newPolicyProvider(final JAXB_CONF jaxbConf, final XmlnsFilteringParserFactory xacmlParserFactory,
final int maxPolicySetRefDepth, final ExpressionFactory xacmlExprFactory, final CombiningAlgRegistry combiningAlgRegistry, final EnvironmentProperties envProps)
{
final CloseableRefPolicyProvider.Factory<JAXB_CONF> refPolicyProviderModFactory = PdpExtensions.getRefPolicyProviderFactory((Class<JAXB_CONF>) jaxbConf.getClass());
final CloseablePolicyProvider.Factory<JAXB_CONF> refPolicyProviderModFactory = PdpExtensions.getRefPolicyProviderFactory((Class<JAXB_CONF>) jaxbConf.getClass());
return refPolicyProviderModFactory.getInstance(jaxbConf, xacmlParserFactory, maxPolicySetRefDepth, xacmlExprFactory, combiningAlgRegistry, envProps);
}
private static <JAXB_CONF extends AbstractPolicyProvider> RootPolicyProvider newRootPolicyProvider(final JAXB_CONF jaxbConf, final XmlnsFilteringParserFactory xacmlParserFactory,
final ExpressionFactory xacmlExprFactory, final CombiningAlgRegistry combiningAlgRegistry, final Optional<CloseableRefPolicyProvider> refPolicyProvider,
final EnvironmentProperties envProps)
{
final RootPolicyProvider.Factory<JAXB_CONF> rootPolicyProviderFactory = PdpExtensions.getRootPolicyProviderFactory((Class<JAXB_CONF>) jaxbConf.getClass());
return rootPolicyProviderFactory.getInstance(jaxbConf, xacmlParserFactory, xacmlExprFactory, combiningAlgRegistry, refPolicyProvider, envProps);
}
private static <JAXB_CONF extends AbstractDecisionCache> DecisionCache newDecisionCache(final JAXB_CONF jaxbConf, final AttributeValueFactoryRegistry attValFactories,
final EnvironmentProperties envProps)
{
......@@ -159,7 +153,13 @@ public final class PdpEngineConfiguration
private final ExpressionFactory xacmlExpressionFactory;
private final RootPolicyProvider rootPolicyProvider;
private final CloseablePolicyProvider<?> policyProvider;
private final String rootPolicyId;
private final Optional<TopLevelPolicyElementType> rootPolicyElementType;
private final Optional<PolicyVersionPatterns> rootPolicyVersionPatterns;
private final boolean strictAttributeIssuerMatch;
......@@ -189,12 +189,12 @@ public final class PdpEngineConfiguration
* Check required args
*/
/*
* Root policy provider
* Policy provider
*/
final AbstractPolicyProvider rootPolicyProviderJaxbConf = pdpJaxbConf.getRootPolicyProvider();
final AbstractPolicyProvider rootPolicyProviderJaxbConf = pdpJaxbConf.getPolicyProvider();
if (rootPolicyProviderJaxbConf == null)
{
throw NULL_ROOTPOLICYPROVIDER_ARGUMENT_EXCEPTION;
throw NULL_POLICYPROVIDER_ARGUMENT_EXCEPTION;
}
/*
......@@ -221,11 +221,13 @@ public final class PdpEngineConfiguration
if (datatypeExtensionIdentifiers.isEmpty())
{
attValFactoryRegistry = stdRegistry;
} else
}
else
{
attValFactoryRegistry = new ImmutableAttributeValueFactoryRegistry(HashCollections.newImmutableSet(stdRegistry.getExtensions(), datatypeExtensions));
}
} else
}
else
{
attValFactoryRegistry = new ImmutableAttributeValueFactoryRegistry(datatypeExtensions);
}
......@@ -255,7 +257,8 @@ public final class PdpEngineConfiguration
try
{
maxVarRefDepth = bigMaxVarRefDepth == null ? -1 : bigMaxVarRefDepth.intValueExact();
} catch (final ArithmeticException e)
}
catch (final ArithmeticException e)
{
throw new IllegalArgumentException("Invalid maxVariableRefDepth: " + bigMaxVarRefDepth, e);
}
......@@ -292,12 +295,14 @@ public final class PdpEngineConfiguration
if (nonGenericFunctionExtensionIdentifiers.isEmpty())
{
functionRegistry = stdRegistry;
} else
}
else
{
functionRegistry = new ImmutableFunctionRegistry(HashCollections.newImmutableSet(stdRegistry.getNonGenericFunctions(), nonGenericFunctionExtensions),
stdRegistry.getGenericFunctionFactories());
}
} else
}
else
{
functionRegistry = new ImmutableFunctionRegistry(nonGenericFunctionExtensions, null);
}
......@@ -331,11 +336,13 @@ public final class PdpEngineConfiguration
if (algExtensions.isEmpty())
{
combiningAlgRegistry = StandardCombiningAlgorithm.REGISTRY;
} else
}
else
{
combiningAlgRegistry = new ImmutableCombiningAlgRegistry(HashCollections.newImmutableSet(StandardCombiningAlgorithm.REGISTRY.getExtensions(), algExtensions));
}
} else
}
else
{
combiningAlgRegistry = new ImmutableCombiningAlgRegistry(algExtensions);
}
......@@ -348,7 +355,8 @@ public final class PdpEngineConfiguration
try
{
maxPolicySetRefDepth = bigMaxPolicyRefDepth == null ? -1 : bigMaxPolicyRefDepth.intValueExact();
} catch (final ArithmeticException e)
}
catch (final ArithmeticException e)
{
throw new IllegalArgumentException("Invalid maxPolicyRefDepth: " + bigMaxPolicyRefDepth, e);
}
......@@ -359,29 +367,29 @@ public final class PdpEngineConfiguration
xacmlExpressionFactory = new DepthLimitingExpressionFactory(attValFactoryRegistry, functionRegistry, attProviderFactories, maxVarRefDepth, enableXPath, strictAttributeIssuerMatch);
/*
* Policy Reference processing - Policy-by-reference Provider
* Policy Provider
*/
final AbstractPolicyProvider refPolicyProviderJaxbConf = pdpJaxbConf.getRefPolicyProvider();
final Optional<CloseableRefPolicyProvider> refPolicyProvider;
if (refPolicyProviderJaxbConf == null)
{
refPolicyProvider = Optional.empty();
} else
{
refPolicyProvider = Optional.of(newRefPolicyProvider(refPolicyProviderJaxbConf, xacmlParserFactory, maxPolicySetRefDepth, xacmlExpressionFactory, combiningAlgRegistry, envProps));
}
final AbstractPolicyProvider policyProviderJaxbConf = pdpJaxbConf.getPolicyProvider();
policyProvider = newPolicyProvider(policyProviderJaxbConf, xacmlParserFactory, maxPolicySetRefDepth, xacmlExpressionFactory, combiningAlgRegistry, envProps);
final TopLevelPolicyElementRef rootPolicyRef = pdpJaxbConf.getRootPolicyRef();
/*
* Root Policy Provider
* PDP XSD assumed to ensure rootPolicyRef is defined
*/
rootPolicyProvider = newRootPolicyProvider(rootPolicyProviderJaxbConf, xacmlParserFactory, xacmlExpressionFactory, combiningAlgRegistry, refPolicyProvider, envProps);
assert rootPolicyRef != null;
final Boolean mustBePolicySet = rootPolicyRef.isPolicySet();
this.rootPolicyElementType = mustBePolicySet == null ? Optional.empty()
: mustBePolicySet.booleanValue() ? Optional.of(TopLevelPolicyElementType.POLICY_SET) : Optional.of(TopLevelPolicyElementType.POLICY);
this.rootPolicyId = rootPolicyRef.getValue();
this.rootPolicyVersionPatterns = Optional.ofNullable(new PolicyVersionPatterns(rootPolicyRef.getVersion(), null, null));
// Decision cache
final AbstractDecisionCache decisionCacheJaxbConf = pdpJaxbConf.getDecisionCache();
if (decisionCacheJaxbConf == null)
{
decisionCache = Optional.empty();
} else
}
else
{
decisionCache = Optional.of(newDecisionCache(decisionCacheJaxbConf, attValFactoryRegistry, envProps));
}
......@@ -391,7 +399,8 @@ public final class PdpEngineConfiguration
try
{
this.clientReqErrVerbosityLevel = clientReqErrVerbosityBigInt == null ? 0 : clientReqErrVerbosityBigInt.intValueExact();
} catch (final ArithmeticException e)
}
catch (final ArithmeticException e)
{
throw new IllegalArgumentException("Invalid clientRequestErrorVerbosityLevel: " + clientReqErrVerbosityBigInt, e);
}
......@@ -401,7 +410,8 @@ public final class PdpEngineConfiguration
if (inoutProcChains.isEmpty())
{
this.ioProcChainsByInputType = Collections.emptyMap();
} else
}
else
{
final Map<Class<?>, Entry<DecisionRequestPreprocessor<?, ?>, DecisionResultPostprocessor<?, ?>>> mutableInoutProcChainsByInputType = HashCollections
.newUpdatableMap(inoutProcChains.size());
......@@ -414,7 +424,8 @@ public final class PdpEngineConfiguration
if (resultPostprocId == null)
{
decisionResultPostproc = null;
} else
}
else
{
final DecisionResultPostprocessor.Factory<?, ?> resultPostprocFactory = PdpExtensions.getExtension(DecisionResultPostprocessor.Factory.class, resultPostprocId);
decisionResultPostproc = resultPostprocFactory.getInstance(clientReqErrVerbosityLevel);
......@@ -464,7 +475,8 @@ public final class PdpEngineConfiguration
try
{
pdpJaxbConf = modelHandler.unmarshal(confXmlSrc, Pdp.class);
} catch (final JAXBException e)
}
catch (final JAXBException e)
{
throw new IllegalArgumentException("Invalid PDP configuration file", e);
}
......@@ -546,7 +558,8 @@ public final class PdpEngineConfiguration
{
final File confFile = ResourceUtils.getFile(confLocation);
return getInstance(confFile, modelHandler);
} catch (final FileNotFoundException e)
}
catch (final FileNotFoundException e)
{
if (LOGGER.isInfoEnabled())
{
......@@ -563,7 +576,8 @@ public final class PdpEngineConfiguration
try
{
confUrl = ResourceUtils.getURL(confLocation);
} catch (final FileNotFoundException e)
}
catch (final FileNotFoundException e)
{
throw new IllegalArgumentException("Invalid PDP configuration location (neither a file in the file system nor a valid URL): " +