Commit d44ca48c authored by cdanger's avatar cdanger

Added support of Multiple Decision Profile with XACML/JSON Profile

parent 3bd192a8
......@@ -17,37 +17,22 @@
*/
package org.ow2.authzforce.core.pdp.impl.io;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Queue;
import java.util.Set;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import net.sf.saxon.s9api.XdmNode;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import org.ow2.authzforce.core.pdp.api.AttributeFqn;
import org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.ImmutableDecisionRequest;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.io.BaseXacmlJaxbRequestPreprocessor;
import org.ow2.authzforce.core.pdp.api.io.IndividualXacmlJaxbRequest;
import org.ow2.authzforce.core.pdp.api.io.SingleCategoryAttributes;
import org.ow2.authzforce.core.pdp.api.io.MultipleXacmlRequestPreprocHelper;
import org.ow2.authzforce.core.pdp.api.io.SingleCategoryXacmlAttributesParser;
import org.ow2.authzforce.core.pdp.api.value.AttributeBag;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;
import com.google.common.collect.ImmutableList;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
/**
* XACML/XML Request preprocessor implementing Multiple Decision Profile, section 2.3 (repeated attribute categories). Other schemes are not supported.
......@@ -56,114 +41,20 @@ import com.google.common.collect.ImmutableList;
*/
public final class MultiDecisionXacmlJaxbRequestPreprocessor extends BaseXacmlJaxbRequestPreprocessor
{
/**
* (Mutable) {@link IndividualXacmlJaxbRequest} builder
*
* @version $Id: $
*/
private static final class IndividualXacmlJaxbRequestBuilder
private static final MultipleXacmlRequestPreprocHelper<IndividualXacmlJaxbRequest, Attributes, Attributes> MDP_PREPROC_HELPER = new MultipleXacmlRequestPreprocHelper<IndividualXacmlJaxbRequest, Attributes, Attributes>(
(pdpEngineIndividualRequest, inputAttributeCategory) -> new IndividualXacmlJaxbRequest(pdpEngineIndividualRequest, inputAttributeCategory))
{
private static final IllegalArgumentException UNDEF_ATTRIBUTES_EXCEPTION = new IllegalArgumentException("Undefined attributes");
private static final IllegalArgumentException UNDEF_ATTRIBUTE_CATEGORY_EXCEPTION = new IllegalArgumentException("Undefined attribute category");
// initialized not null by constructors
private final Map<AttributeFqn, AttributeBag<?>> namedAttributes;
private final Map<String, XdmNode> contentNodesByCategory;
private final List<Attributes> attributesToIncludeInResult;
private final boolean isApplicablePolicyIdListReturned;
/**
* Creates empty request (no attribute)
*
* @param returnPolicyIdList
* equivalent of XACML ReturnPolicyIdList
*/
private IndividualXacmlJaxbRequestBuilder(final boolean returnPolicyIdList)
{
// these maps/lists may be updated later by put(...) method defined in this class
namedAttributes = HashCollections.newUpdatableMap();
contentNodesByCategory = HashCollections.newUpdatableMap();
attributesToIncludeInResult = new ArrayList<>();
isApplicablePolicyIdListReturned = returnPolicyIdList;
}
/**
* Create new instance as a clone of an existing request.
*
* @param baseRequest
* replicated existing request. Further changes to it are not reflected back to this new instance.
*/
private IndividualXacmlJaxbRequestBuilder(final IndividualXacmlJaxbRequestBuilder baseRequest)
{
assert baseRequest != null;
// these maps/lists may be updated later by put(...) method defined in this class
namedAttributes = HashCollections.newUpdatableMap(baseRequest.namedAttributes);
contentNodesByCategory = HashCollections.newUpdatableMap(baseRequest.contentNodesByCategory);
isApplicablePolicyIdListReturned = baseRequest.isApplicablePolicyIdListReturned;
attributesToIncludeInResult = new ArrayList<>(baseRequest.attributesToIncludeInResult);
}
/**
* Put attributes of a specific category in request.
*
* @param categoryName
* category URI
* @param categorySpecificAttributes
* attributes in category {@code categoryName}
* @throws java.lang.IllegalArgumentException
* if {@code categoryName == null || categorySpecificAttributes == null} or duplicate attribute category (this method was already called with same {@code categoryName})
*/
private void put(final String categoryName, final SingleCategoryAttributes<?, Attributes> categorySpecificAttributes) throws IllegalArgumentException
@Override
protected Attributes validate(final Attributes inputRawAttributeCategoryObject) throws IndeterminateEvaluationException
{
if (categoryName == null)
{
throw UNDEF_ATTRIBUTE_CATEGORY_EXCEPTION;
}
if (categorySpecificAttributes == null)
{
throw UNDEF_ATTRIBUTES_EXCEPTION;
}
// extraContentsByCategory initialized not null by constructors
assert contentNodesByCategory != null;
final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
if (newContentNode != null)
{
final XdmNode duplicate = contentNodesByCategory.putIfAbsent(categoryName, newContentNode);
if (duplicate != null)
{
throw new IllegalArgumentException("Duplicate Attributes[@Category] in Individual Decision Request (not allowed): " + categoryName);
}
}
/*
* Convert growable (therefore mutable) bag of attribute values to immutable ones. Indeed, we must guarantee that attribute values remain constant during the evaluation of the request, as
* mandated by the XACML spec, section 7.3.5: <p> <i>
* "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)"
* </i></p>
* Same type as input/output, nothing to do.
*/
for (final Entry<AttributeFqn, AttributeBag<?>> attrEntry : categorySpecificAttributes)
{
namedAttributes.put(attrEntry.getKey(), attrEntry.getValue());
}
final Attributes catSpecificAttrsToIncludeInResult = categorySpecificAttributes.getAttributesToIncludeInResult();
if (catSpecificAttrsToIncludeInResult != null)
{
attributesToIncludeInResult.add(catSpecificAttrsToIncludeInResult);
}
return inputRawAttributeCategoryObject;
}
private IndividualXacmlJaxbRequest build()
{
return new IndividualXacmlJaxbRequest(ImmutableDecisionRequest.getInstance(this.namedAttributes, this.contentNodesByCategory, this.isApplicablePolicyIdListReturned),
ImmutableList.copyOf(this.attributesToIncludeInResult));
}
}
};
/**
*
......@@ -188,7 +79,7 @@ public final class MultiDecisionXacmlJaxbRequestPreprocessor extends BaseXacmlJa
@Override
public DecisionRequestPreprocessor<Request, IndividualXacmlJaxbRequest> getInstance(final AttributeValueFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch,
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
{
return new MultiDecisionXacmlJaxbRequestPreprocessor(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, requireContentForXPath, xmlProcessor, extraPdpFeatures);
}
......@@ -217,14 +108,14 @@ public final class MultiDecisionXacmlJaxbRequestPreprocessor extends BaseXacmlJa
@Override
public DecisionRequestPreprocessor<Request, IndividualXacmlJaxbRequest> getInstance(final AttributeValueFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch,
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
{
return new MultiDecisionXacmlJaxbRequestPreprocessor(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, requireContentForXPath, xmlProcessor, extraPdpFeatures);
}
}
private MultiDecisionXacmlJaxbRequestPreprocessor(final AttributeValueFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch, final boolean allowAttributeDuplicates,
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
{
super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, xmlProcessor, extraPdpFeatures);
}
......@@ -232,122 +123,9 @@ public final class MultiDecisionXacmlJaxbRequestPreprocessor extends BaseXacmlJa
/** {@inheritDoc} */
@Override
public List<IndividualXacmlJaxbRequest> process(final List<Attributes> attributesList, final SingleCategoryXacmlAttributesParser<Attributes> xacmlAttrsParser,
final boolean isApplicablePolicyIdListReturned, final boolean combinedDecision, final XPathCompiler xPathCompiler, final Map<String, String> namespaceURIsByPrefix)
throws IndeterminateEvaluationException
final boolean isApplicablePolicyIdListReturned, final boolean combinedDecision, final XPathCompiler xPathCompiler, final Map<String, String> namespaceURIsByPrefix)
throws IndeterminateEvaluationException
{
/*
* Parse Request attributes and group possibly repeated categories to implement Multiple Decision Profile, §2.3.
*/
/*
* We would like that the order of attributes (more particularly attribute categories) included in the result be in the same order as in the request (more particularly, attribute categories in
* order of first occurrence in the case of Multiple Decision Request); because "Clients generally appreciate having things returned in the same order they were presented." (See Java
* LinkedHashMap javadoc description.) Therefore, we use a LinkedHashMap for the Map<CategoryName,Attributes> below. If the impact on performance proves to be too negative, we might switch to
* a simpler Map implementation not preserving iteration order. Unfortunately, Koloboke - that we are using as HashMap alternative to JDK - does not support LinkedHashMap equivalent at the
* moment: https://github.com/leventov/Koloboke/issues/47 (we should keep an eye on it). So until this resolved, we use JDK LinkedHashMap.
*/
final Map<String, Queue<SingleCategoryAttributes<?, Attributes>>> multiReqAttrAlternativesByCategory = new LinkedHashMap<>();
for (final Attributes jaxbAttributes : attributesList)
{
final SingleCategoryAttributes<?, Attributes> categoryAttributesAlternative = xacmlAttrsParser.parseAttributes(jaxbAttributes, xPathCompiler);
if (categoryAttributesAlternative == null)
{
// skip this empty Attributes
continue;
}
final String categoryId = categoryAttributesAlternative.getCategoryId();
final Queue<SingleCategoryAttributes<?, Attributes>> oldAttrAlternatives = multiReqAttrAlternativesByCategory.get(categoryId);
final Queue<SingleCategoryAttributes<?, Attributes>> newAttrAlternatives;
if (oldAttrAlternatives == null)
{
newAttrAlternatives = new ArrayDeque<>();
multiReqAttrAlternativesByCategory.put(categoryId, newAttrAlternatives);
}
else
{
newAttrAlternatives = oldAttrAlternatives;
}
newAttrAlternatives.add(categoryAttributesAlternative);
}
/*
* Create mutable initial individual request from which all others will be created/cloned
*/
// returnPolicyIdList not supported so always set to false
final IndividualXacmlJaxbRequestBuilder initialIndividualReqBuilder;
try
{
initialIndividualReqBuilder = new IndividualXacmlJaxbRequestBuilder(isApplicablePolicyIdListReturned);
}
catch (final IllegalArgumentException e)
{
throw new IndeterminateEvaluationException("Invalid RequestDefaults/XPathVersion", XacmlStatusCode.SYNTAX_ERROR.value(), e);
}
/*
* Generate the Multiple Individual Decision Requests starting with initialIndividualReq and cloning/adding new attributes/content for each new attribute category's Attributes alternative in
* requestAttrAlternativesByCategory
*/
/*
* XACML Multiple Decision Profile, § 2.3.3: "For each combination of repeated <Attributes> elements, one Individual Decision Request SHALL be created. This Individual Request SHALL be
* identical to the original request context with one exception: only one <Attributes> element of each repeated category SHALL be present."
*/
final List<IndividualXacmlJaxbRequestBuilder> individualRequestBuilders = new ArrayList<>();
individualRequestBuilders.add(initialIndividualReqBuilder);
/*
* In order to create the final individual decision requests, for each attribute category, add each alternative to individual request builders
*/
final List<IndividualXacmlJaxbRequest> finalIndividualRequests = new ArrayList<>();
/*
* As explained at the beginning of the method, at this point, we want to make sure that entries are returned in the same order (of first occurrence in the case of Multiple Decision Request)
* as the categories in the request, where each category matches the key in the entry; because "Clients generally appreciate having things returned in the same order they were presented." So
* the map should guarantee that the iteration order is the same as insertion order used previously (e.g. LinkedHashMap).
*/
final Iterator<Entry<String, Queue<SingleCategoryAttributes<?, Attributes>>>> multiReqAttrAlternativesByCategoryIterator = multiReqAttrAlternativesByCategory.entrySet().iterator();
boolean isLastCategory = !multiReqAttrAlternativesByCategoryIterator.hasNext();
while (!isLastCategory)
{
final Entry<String, Queue<SingleCategoryAttributes<?, Attributes>>> multiReqAttrAlternativesByCategoryEntry = multiReqAttrAlternativesByCategoryIterator.next();
final String categoryName = multiReqAttrAlternativesByCategoryEntry.getKey();
final Queue<SingleCategoryAttributes<?, Attributes>> categorySpecificAlternatives = multiReqAttrAlternativesByCategoryEntry.getValue();
isLastCategory = !multiReqAttrAlternativesByCategoryIterator.hasNext();
final ListIterator<IndividualXacmlJaxbRequestBuilder> individualRequestsIterator = individualRequestBuilders.listIterator();
while (individualRequestsIterator.hasNext())
{
final IndividualXacmlJaxbRequestBuilder oldIndividualReqBuilder = individualRequestsIterator.next();
/*
* New newIndividualReqBuilders created below from this $oldIndividualReqBuilder will replace it in the list of $individualRequestBuilders (and will be used in their turn as
* $oldIndividualReqBuilders). So remove current $oldIndividualReqBuilder from the list
*/
individualRequestsIterator.remove();
/*
* Before we add the first category alternative (categoryAlternative0) to the oldReq already created (the "old" one), we clone it for every other alternative, then add this other
* alternative to the new clone. Note that we called categoryAlternatives.poll() before, removing the first alternative, so categoryAlternatives only contains the other alternatives
* now.
*/
for (final SingleCategoryAttributes<?, Attributes> otherCategoryAlternative : categorySpecificAlternatives)
{
// clone the request
final IndividualXacmlJaxbRequestBuilder newIndividualReqBuilder = new IndividualXacmlJaxbRequestBuilder(oldIndividualReqBuilder);
newIndividualReqBuilder.put(categoryName, otherCategoryAlternative);
if (isLastCategory)
{
// we can finalize the request build
finalIndividualRequests.add(newIndividualReqBuilder.build());
}
else
{
/*
* add the new request builder to the list of builders for the next round
*/
individualRequestsIterator.add(newIndividualReqBuilder);
}
}
}
}
return finalIndividualRequests;
return MDP_PREPROC_HELPER.process(attributesList, xacmlAttrsParser, isApplicablePolicyIdListReturned, combinedDecision, xPathCompiler, namespaceURIsByPrefix);
}
}
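Review bot: Nothing in `process` bounds the number of Individual Decision Requests before the whole `attributesList` is handed to `MDP_PREPROC_HELPER.process(...)`. Under Multiple Decision Profile §2.3.3 that number is the product of the alternatives in each repeated category, as the removed loop shows, so a request with several repeated categories expands multiplicatively in memory and evaluation time. Whether `MultipleXacmlRequestPreprocHelper` enforces a ceiling cannot be seen on this page; if it does not, reject oversized requests with an `IndeterminateEvaluationException` before delegating, or at least record the contract above the call, e.g. `/* Output size = product of alternatives per repeated category (MDP §2.3.3); request size must be bounded upstream */`. The same applies to `process` in the new MultipleDecisionXacmlJsonRequestPreprocessor, which delegates to the same helper.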
/**
* Copyright 2012-2019 THALES.
*
* This file is part of AuthzForce CE.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.ow2.authzforce.core.pdp.io.xacml.json;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.json.JSONArray;
import org.json.JSONObject;
import org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.io.MultipleXacmlRequestPreprocHelper;
import org.ow2.authzforce.core.pdp.api.io.SingleCategoryXacmlAttributesParser;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
/**
* XACML/JSON - according to XACML JSON Profile - Request preprocessor implementing Multiple Decision Profile, section 2.3 (repeated attribute categories). Other schemes are not supported.
*
* @version $Id: $
*/
public final class MultipleDecisionXacmlJsonRequestPreprocessor extends BaseXacmlJsonRequestPreprocessor
{
private static final IndeterminateEvaluationException INVALID_REQUEST_CATEGORY_ARRAY_ELEMENT_TYPE_EXCEPTION = new IndeterminateEvaluationException(
"Invalid Request/Category array: the type of one of the items is invalid (not JSON object as expected)", XacmlStatusCode.SYNTAX_ERROR.value());
private static final MultipleXacmlRequestPreprocHelper<IndividualXacmlJsonRequest, Object, JSONObject> MDP_PREPROC_HELPER = new MultipleXacmlRequestPreprocHelper<IndividualXacmlJsonRequest, Object, JSONObject>(
(pdpEngineIndividualRequest, inputAttributeCategory) -> new IndividualXacmlJsonRequest(pdpEngineIndividualRequest, inputAttributeCategory))
{
@Override
protected JSONObject validate(final Object inputRawAttributeCategoryObject) throws IndeterminateEvaluationException
{
if (!(inputRawAttributeCategoryObject instanceof JSONObject))
{
throw INVALID_REQUEST_CATEGORY_ARRAY_ELEMENT_TYPE_EXCEPTION;
}
return (JSONObject) inputRawAttributeCategoryObject;
}
};
/**
*
* Factory for this type of request preprocessor that allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (complying with XACML 3.0 core
* spec, §7.3.3) but using JSON-Profile-defined format.
*
*/
public static final class LaxVariantFactory extends BaseXacmlJsonRequestPreprocessor.Factory
{
/**
* Request preprocessor ID, as returned by {@link #getId()}
*/
public static final String ID = "urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:multiple:repeated-attribute-categories-lax";
/**
* Constructor
*/
public LaxVariantFactory()
{
super(ID);
}
@Override
public DecisionRequestPreprocessor<JSONObject, IndividualXacmlJsonRequest> getInstance(final AttributeValueFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch,
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
{
return new MultipleDecisionXacmlJsonRequestPreprocessor(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, requireContentForXPath/* , xmlProcessor */, extraPdpFeatures);
}
}
/**
*
* Factory for this type of request preprocessor that does NOT allow duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (NOT complying fully with
* XACML 3.0 core spec, §7.3.3) but using JSON-Profile-defined format.
*
*/
public static final class StrictVariantFactory extends BaseXacmlJsonRequestPreprocessor.Factory
{
/**
* Request preprocessor ID, as returned by {@link #getId()}
*/
public static final String ID = "urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:multiple:repeated-attribute-categories-strict";
/**
* Constructor
*/
public StrictVariantFactory()
{
super(ID);
}
@Override
public DecisionRequestPreprocessor<JSONObject, IndividualXacmlJsonRequest> getInstance(final AttributeValueFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch,
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
{
return new MultipleDecisionXacmlJsonRequestPreprocessor(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, requireContentForXPath/* , xmlProcessor */, extraPdpFeatures);
}
}
/**
* Creates instance of default request preprocessor
*
* @param datatypeFactoryRegistry
* attribute datatype registry
* @param strictAttributeIssuerMatch
* true iff strict attribute Issuer match must be enforced (in particular request attributes with empty Issuer only match corresponding AttributeDesignators with empty Issuer)
* @param allowAttributeDuplicates
* true iff duplicate Attribute (with same metadata) elements in Request (for multi-valued attributes) must be allowed
* @param requireContentForXPath
* true iff Content elements must be parsed, else ignored
* @param extraPdpFeatures
* extra - not mandatory per XACML 3.0 core specification - features supported by the PDP engine. This preprocessor checks whether it is supported by the PDP before processing the
* request further.
*/
public MultipleDecisionXacmlJsonRequestPreprocessor(final AttributeValueFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch, final boolean allowAttributeDuplicates,
final boolean requireContentForXPath/* , final Processor xmlProcessor */, final Set<String> extraPdpFeatures)
{
super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, /* xmlProcessor, */extraPdpFeatures);
}
@Override
public List<IndividualXacmlJsonRequest> process(final JSONArray jsonArrayOfRequestAttributeCategoryObjects, final SingleCategoryXacmlAttributesParser<JSONObject> xacmlAttrsParser,
final boolean isApplicablePolicyIdListReturned, final boolean combinedDecision, final XPathCompiler xPathCompiler, final Map<String, String> namespaceURIsByPrefix)
throws IndeterminateEvaluationException
{
return MDP_PREPROC_HELPER.process(jsonArrayOfRequestAttributeCategoryObjects, xacmlAttrsParser, isApplicablePolicyIdListReturned, combinedDecision, xPathCompiler, namespaceURIsByPrefix);
}
}
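Review bot: `INVALID_REQUEST_CATEGORY_ARRAY_ELEMENT_TYPE_EXCEPTION` is a single shared Throwable that `validate` throws for every malformed request. Unless `IndeterminateEvaluationException` disables stack-trace capture (not visible here), its trace is the one recorded at class initialisation, not the rejecting call path. Any `addSuppressed` or `setStackTrace` done by a catcher also mutates the instance for all threads. That makes log entries for rejected requests misleading during an investigation; creating the exception at the throw site avoids it: `throw new IndeterminateEvaluationException("Invalid Request/Category array: the type of one of the items is invalid (not JSON object as expected)", XacmlStatusCode.SYNTAX_ERROR.value());`. SingleDecisionXacmlJsonRequestPreprocessor already declares the same constant, so this may be a deliberate convention; if so, a comment on the field saying why the instance is shared would help.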
......@@ -24,10 +24,6 @@ import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import net.sf.saxon.s9api.XdmNode;
import org.json.JSONArray;
import org.json.JSONObject;
import org.ow2.authzforce.core.pdp.api.AttributeFqn;
......@@ -44,24 +40,21 @@ import org.ow2.authzforce.xacml.identifiers.XacmlStatusCode;
import com.google.common.collect.ImmutableList;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import net.sf.saxon.s9api.XdmNode;
/**
* Default XACML/JSON - according to XACML JSON Proifle - Request preprocessor for Individual Decision Requests only (no support of Multiple Decision Profile in particular)
* Default XACML/JSON - according to XACML JSON Profile - Request preprocessor for Individual Decision Requests only (no support of Multiple Decision Profile in particular)
*
* @version $Id: $
*/
public final class SingleDecisionXacmlJsonRequestPreprocessor extends BaseXacmlJsonRequestPreprocessor
{
private static final IndeterminateEvaluationException INVALID_REQUEST_CATEGORY_ARRAY_ELEMENT_TYPE_EXCEPTION = new IndeterminateEvaluationException(
"Invalid Request/Category array: the type of one of the items is invalid (not JSON object as expected)", XacmlStatusCode.SYNTAX_ERROR.value());
private static final DecisionRequestFactory<ImmutableDecisionRequest> DEFAULT_REQUEST_FACTORY = new DecisionRequestFactory<ImmutableDecisionRequest>()
{
@Override
public ImmutableDecisionRequest getInstance(final Map<AttributeFqn, AttributeBag<?>> namedAttributes, final Map<String, XdmNode> extraContentsByCategory, final boolean returnApplicablePolicies)
{
return ImmutableDecisionRequest.getInstance(namedAttributes, extraContentsByCategory, returnApplicablePolicies);
}
};
"Invalid Request/Category array: the type of one of the items is invalid (not JSON object as expected)", XacmlStatusCode.SYNTAX_ERROR.value());
private static final DecisionRequestFactory<ImmutableDecisionRequest> DEFAULT_REQUEST_FACTORY = (namedAttributes, extraContentsByCategory, returnApplicablePolicies) -> ImmutableDecisionRequest
.getInstance(namedAttributes, extraContentsByCategory, returnApplicablePolicies);
/**
*
......@@ -86,10 +79,10 @@ public final class SingleDecisionXacmlJsonRequestPreprocessor extends BaseXacmlJ
@Override
public DecisionRequestPreprocessor<JSONObject, IndividualXacmlJsonRequest> getInstance(final AttributeValueFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch,
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
{
return new SingleDecisionXacmlJsonRequestPreprocessor(datatypeFactoryRegistry, DEFAULT_REQUEST_FACTORY, strictAttributeIssuerMatch, true, requireContentForXPath/* , xmlProcessor */,
extraPdpFeatures);
extraPdpFeatures);
}
/**
......@@ -122,10 +115,10 @@ public final class SingleDecisionXacmlJsonRequestPreprocessor extends BaseXacmlJ
@Override
public DecisionRequestPreprocessor<JSONObject, IndividualXacmlJsonRequest> getInstance(final AttributeValueFactoryRegistry datatypeFactoryRegistry, final boolean strictAttributeIssuerMatch,
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
final boolean requireContentForXPath, final Processor xmlProcessor, final Set<String> extraPdpFeatures)
{
return new SingleDecisionXacmlJsonRequestPreprocessor(datatypeFactoryRegistry, DEFAULT_REQUEST_FACTORY, strictAttributeIssuerMatch, false, requireContentForXPath/* , xmlProcessor */,
extraPdpFeatures);
extraPdpFeatures);
}
}
......@@ -149,7 +142,8 @@ public final class SingleDecisionXacmlJsonRequestPreprocessor extends BaseXacmlJ
* request further.
*/
public SingleDecisionXacmlJsonRequestPreprocessor(final AttributeValueFactoryRegistry datatypeFactoryRegistry, final DecisionRequestFactory<ImmutableDecisionRequest> requestFactory,
final boolean strictAttributeIssuerMatch, final boolean allowAttributeDuplicates, final boolean requireContentForXPath/* , final Processor xmlProcessor */, final Set<String> extraPdpFeatures)
final boolean strictAttributeIssuerMatch, final boolean allowAttributeDuplicates, final boolean requireContentForXPath/* , final Processor xmlProcessor */,
final Set<String> extraPdpFeatures)
{
super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, /* xmlProcessor, */extraPdpFeatures);
assert requestFactory != null;
......@@ -158,8 +152,8 @@ public final class SingleDecisionXacmlJsonRequestPreprocessor extends BaseXacmlJ
@Override
public List<IndividualXacmlJsonRequest> process(final JSONArray jsonArrayOfRequestAttributeCategoryObjects, final SingleCategoryXacmlAttributesParser<JSONObject> xacmlAttrsParser,
final boolean isApplicablePolicyIdListReturned, final boolean combinedDecision, final XPathCompiler xPathCompiler, final Map<String, String> namespaceURIsByPrefix)
throws IndeterminateEvaluationException
final boolean isApplicablePolicyIdListReturned, final boolean combinedDecision, final XPathCompiler xPathCompiler, final Map<String, String> namespaceURIsByPrefix)
throws IndeterminateEvaluationException
{