Commit 438ce239
cdanger authored

- Added support of OASIS XACML Committee's 2.0 version of conformance
  tests, upgraded to conform to the XACML 3.0 standard. Most of them have
  been submitted to the OASIS XACML Committee in April 2014 by AT&T.
  The original files are available on the xacml-comment mailing list:
  https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html
  and on AT&T's GitHub repository (MIT License):
  https://github.com/att/XACML/wiki/XACML-TEST-Project-Information
  except IIA010, IIA012, IIA024, IID029, IID030 and III.C (test 1 is the
  only one supported in this latter category).
- Added feature with unit test: Policy Reference depth control and
  circular reference detection.
- Added feature with unit test: Variable Reference depth control and
  circular reference detection.
- Added option to enable/disable XPath support (xpathExpression
  datatype, AttributeSelector and xpath functions).
- Added support of xpathExpressions in Request with support of
  namespace-prefix mappings extracted from the XML document
  (...xmlns:prefix="uri"...) where the xpathExpression is defined, i.e.
  XACML Request or Policy(Set), in native policy finders.
- Added support of the xpath-node-count function (optional XACML feature).
- Added support of optional XACML features: RequestDefaults/XPathVersion
  for evaluation of xpathExpressions in Request, and ReturnPolicyIdList to
  return identifiers of policies found applicable for the Request.
- New modes of request parsing/filtering to enforce best practices and
  tweak performance of Request processing:
  1) strictAttributeIssuerMatch: parsing so that AttributeDesignators
     without Issuer only match request Attributes without Issuer (better
     performance if all Attributes have an Issuer, which is recommended, but
     not fully XACML (§5.29) compliant).
  2) allowAttributeDuplicates: allow defining multi-valued attributes by
     repeating the same XACML Attribute (same AttributeId) within a XACML
     Attributes element (same Category). Indeed, not allowing this is not
     fully compliant with the XACML spec according to a discussion on the
     xacml-dev mailing list (see
     https://lists.oasis-open.org/archives/xacml-dev/201507/msg00001.html),
     referring to the XACML 3.0 core spec, §7.3.3, which indicates that
     multiple occurrences of the same <Attribute> with the same meta-data
     but different values should be considered equivalent to a single
     <Attribute> element with the same meta-data and merged values
     (multi-valued Attribute). Moreover, the XACML 3.0 conformance test
     'IIIA024' expects this behavior: the multiple subject-id Attributes are
     expected to result in a multi-value bag during evaluation of the
     <AttributeDesignator>. Setting this parameter to false is
     not fully compliant, but provides better performance, especially if you
     know the Requests to be well-formed, i.e. all AttributeValues of a given
     Attribute are grouped together in the same <Attribute> element.
     Combined with strictAttributeIssuerMatch == true, this is the most
     efficient alternative (although not fully compliant).
- Fixed non-compliance of Request Content parsing for XPath evaluation (use
  the single child element of the Content node as the XML input document for
  XPath evaluation, NOT the Content node itself) -> removed the useless need
  for a JAXBContext and for creating a JAXBSource for parsing into an
  XdmNode -> performance improved.
- Fixed AttributeSelector evaluation for an XPath pointing to an XML
  attribute value (return the attribute value as a string instead of an
  Attribute node/entry "attributeName=attributeValue").
- Fixed VariableReferenceDepth control (reference chain was not updated
  properly).
- Fixed PolicySetIdReference Depth control (reference chain was not
  updated properly).
- Use of new immutable version of xacml-model where all XACML/JAXB
  objects are immutable -> significant changes in the way these
  objects are created during evaluation, esp. Obligations and Advices.
- Fixed ordering of obligations/advices when merging a given Policy(Set)'s
  obligations/advices with the child elements' (Policy/Rule) ones.
- Fixed static pre-evaluation on <Apply> with xpathExpression (should not
  pre-evaluate statically, i.e. out of context, since the xpathExpression
  value depends on the context).
- Replaced RELEASE-NOTES.md with CHANGELOG.md to adopt conventions from
  keepachangelog.com.
- Improved unit tests: ability to plug the TestAttributeProviderModule
  configured with a file XXXAttributeProvider.xml into the PDP for specific
  tests, also to plug referenced Policies for the RefPolicyFinder of the
  PDP with a 'refPolicies' directory containing Policy(Set) files; and
  ability to test for Policy or Request syntax error checking only (no
  Request evaluation by the PDP).
- Improved test class TestUtils to create a PDP instance with XPath
  support disabled/enabled and a specific request filter ID on the PDP.
- Improved TestAttributeProviderModule: supports any static configuration
  of Attributes (with constant values); same format as in XACML Requests.
- Removed Apache 2 license header (replaced with GPL).
- Removed obsolete NOTICE.txt ("Apache AuthZForce" does not exist).
- Conformance tests split into 'mandatory' and 'optional' folders to
  distinguish XACML mandatory feature testing from optional feature testing.
- Changed logback dependency scope from 'compile' to 'test' as we need it
  only for tests, not for compiling -> simplifies dependencies.
- Replaced dependency spring-xml (obsolete) with spring-core because we
  only use org.springframework.util.* -> simplifies dependencies.
- Fixed header plugin that was missing the path to the header license, and
  the 'format' goals.
- Refactor: extracted PDP interface and moved the default implementation to
  the PDPImpl class, to hide internals from potential PDP API clients and
  improve genericity.
- Refactor: extracted RequestFilter interface from the abstract class and
  moved the abstract class code to the BaseRequestFilter class to hide
  internals from potential RequestFilter API clients and improve genericity;
  and to merge common code between DefaultRequestFilter and
  MultiDecisionRequestFilter.
- Refactor: extracted IndividualDecisionRequest interface from the abstract
  class and moved the abstract class code to MutableIndividualDecisionRequest
  and ImmutableIndividualDecisionRequest classes, to hide internals from
  potential RequestFilter API clients and improve genericity.
- Made BasePdpExtensionRegistry mutable to allow adding extensions after
  creating an instance from an existing one.
- DecisionResult renamed to the more explicit name PolicyDecisionResult.
- Moved old README content to another project (rest-service) since it does
  not apply anymore, and replaced it with proper content.
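The two request-parsing modes described in the commit (strictAttributeIssuerMatch and allowAttributeDuplicates) are easiest to understand on a concrete request. The following is an added, stand-alone illustration written for this page; it is not code from the commit or from the AuthzForce project, and the function names, the RequestParseError class and the sample request are constructed for the example. It parses a minimal XACML 3.0 Request with the standard library, merges repeated <Attribute> elements with the same meta-data into one multi-valued bag (the §7.3.3 behaviour that conformance test IIIA024 relies on) or rejects them when duplicates are disallowed, and then resolves an AttributeDesignator under both the lenient (§5.29) and the strict issuer-matching rule.

```python
"""Request attribute bags with the allowAttributeDuplicates and
strictAttributeIssuerMatch modes (added example; not AuthzForce code)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

# Constructed sample request: subject-id appears as two separate <Attribute>
# elements (to be merged into one bag), and a role attribute with an Issuer.
SAMPLE_REQUEST = """<Request xmlns="%s" ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="%s">
    <Attribute AttributeId="%s" IncludeInResult="false">
      <AttributeValue DataType="%s">alice</AttributeValue>
    </Attribute>
    <Attribute AttributeId="%s" IncludeInResult="false">
      <AttributeValue DataType="%s">alice@example.com</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:role" Issuer="urn:example:hr" IncludeInResult="false">
      <AttributeValue DataType="%s">manager</AttributeValue>
      <AttributeValue DataType="%s">employee</AttributeValue>
    </Attribute>
  </Attributes>
</Request>""" % (XACML_NS, SUBJECT_CAT, SUBJECT_ID, XS_STRING, SUBJECT_ID,
                 XS_STRING, XS_STRING, XS_STRING)


class RequestParseError(ValueError):
    """Raised when the request violates the selected parsing mode."""


def parse_attribute_bags(xml_text, allow_attribute_duplicates=True):
    """Return {(category, attribute_id, issuer): [(datatype, value), ...]}.

    With allow_attribute_duplicates=True, a repeated <Attribute> with the same
    Category/AttributeId/Issuer is merged into the existing bag (XACML 3.0
    core §7.3.3). With False, the repeat is rejected as a parse error.
    """
    root = ET.fromstring(xml_text)
    bags = defaultdict(list)
    for attrs in root.findall("x:Attributes", NS):
        category = attrs.get("Category")
        for attr in attrs.findall("x:Attribute", NS):
            key = (category, attr.get("AttributeId"), attr.get("Issuer"))
            if key in bags and not allow_attribute_duplicates:
                raise RequestParseError("duplicate Attribute %r" % (key,))
            for av in attr.findall("x:AttributeValue", NS):
                bags[key].append((av.get("DataType"), av.text or ""))
    return dict(bags)


def designator_lookup(bags, category, attribute_id, datatype, issuer=None,
                      strict_attribute_issuer_match=False):
    """Evaluate an AttributeDesignator against parsed bags; return the values.

    Lenient mode follows §5.29: a designator without Issuer is not restricted
    by issuer. Strict mode (strictAttributeIssuerMatch) makes a designator
    without Issuer match only request Attributes that also have no Issuer.
    """
    values = []
    for (cat, aid, iss), entries in bags.items():
        if cat != category or aid != attribute_id:
            continue
        if issuer is not None and iss != issuer:
            continue
        if issuer is None and strict_attribute_issuer_match and iss is not None:
            continue
        values.extend(v for (dt, v) in entries if dt == datatype)
    return values


if __name__ == "__main__":
    bags = parse_attribute_bags(SAMPLE_REQUEST)
    print(designator_lookup(bags, SUBJECT_CAT, SUBJECT_ID, XS_STRING))
    print(designator_lookup(bags, SUBJECT_CAT, "urn:example:role", XS_STRING,
                            strict_attribute_issuer_match=True))
```

The strict mode returns an empty bag for the issued role attribute when the designator names no Issuer, which is exactly the performance/compliance trade-off the commit describes: it is cheaper only if every request Attribute carries an Issuer, and it deviates from §5.29 otherwise.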
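The commit also adds (and then fixes) Policy Reference depth control with circular reference detection, noting that the bug was a reference chain that was not updated properly as the resolver descended. The example below is an added illustration for this page, not code from the commit or the AuthzForce project; it models the PolicySetIdReference graph as a plain dict of policy-set id to the ids it references, and the function and error names are constructed. It walks the references from a root policy set while carrying the chain of ancestors, so that a reference back into the chain is reported as a cycle and a chain longer than the configured maximum is rejected, which bounds the work an evaluator does on a malformed or hostile policy tree.

```python
"""PolicySetIdReference depth control and circular reference detection
(added example; not AuthzForce code)."""


class PolicyReferenceError(ValueError):
    """Raised for a circular reference, an excessive depth or a missing target."""


def check_policy_references(policy_sets, root_id, max_ref_depth=10):
    """Resolve every PolicySetIdReference reachable from root_id.

    policy_sets maps a PolicySet id to the list of ids it references.
    Returns the deepest reference chain length (number of references followed).
    The ancestor chain is rebuilt for each descent, which is the invariant the
    commit's fix restores: the chain must grow with every reference followed.
    """
    def walk(ps_id, chain):
        if ps_id in chain:
            raise PolicyReferenceError(
                "circular reference: " + " -> ".join(chain + [ps_id]))
        depth = len(chain)  # references followed to reach ps_id
        if depth > max_ref_depth:
            raise PolicyReferenceError(
                "reference depth %d exceeds maximum %d at %s"
                % (depth, max_ref_depth, " -> ".join(chain + [ps_id])))
        if ps_id not in policy_sets:
            raise PolicyReferenceError("unresolved PolicySetIdReference: %s" % ps_id)
        deepest = depth
        for ref in policy_sets[ps_id]:
            deepest = max(deepest, walk(ref, chain + [ps_id]))
        return deepest

    return walk(root_id, [])


# Constructed sample graphs: a well-formed tree and one with a cycle.
TREE = {"root": ["A", "B"], "A": ["C"], "B": [], "C": []}
CYCLIC = {"root": ["A"], "A": ["B"], "B": ["root"]}


def classify(policy_sets, root_id="root", max_ref_depth=10):
    """Return 'ok', 'circular' or 'too-deep' for a policy-set graph."""
    try:
        check_policy_references(policy_sets, root_id, max_ref_depth)
        return "ok"
    except PolicyReferenceError as exc:
        return "circular" if "circular" in str(exc) else "too-deep"


if __name__ == "__main__":
    print(check_policy_references(TREE, "root"))
    print(classify(CYCLIC))
    print(classify(TREE, max_ref_depth=1))
```

Passing `chain + [ps_id]` rather than mutating a shared list is what keeps sibling branches independent; a resolver that appends to one shared chain and forgets to pop it would either miss cycles or flag false ones, which matches the symptom the commit fixed.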