Commit 015c5b3b authored by cdanger

Merge branch 'release/13.3.0'

parents a0d846f5 ea8e3de4
......@@ -7,6 +7,26 @@ All notable changes to this project are documented in this file following the [K
- Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number.
## 13.3.0
### Changed
- Maven parent project version: 7.5.0
- Maven dependencies:
- authzforce-ce-core-pdp-api: 15.3.0
- Guava: 24.1.1-jre
- jaxb2-basics: 1.11.1
- mailapi replaced with javax.mail-api: 1.6.0
- Spring: 4.3.18 (fixes CVE)
- authzforce-ce-xacml-json-model: 2.0.0
- Copyright company name
### Added
- Dependency: javax.mail 1.6.0 (mail-api implementation for XACML RFC822Name support)
- Feature:
- DefaultEnvironmentProperties#replacePlaceholders() method now supports system properties and environment variables.
- 'policyLocation' elements in PDP's Policy Providers configuration now supports (not only PARENT_DIR property but also) system
properties and environment variables (enclosed between '${...}') with default value if property/variable undefined.
## 13.2.0
### Changed
- Maven dependency versions:
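Review bot: the `Spring: 4.3.18 (fixes CVE)` entry under 13.3.0 does not say which CVE the upgrade addresses. Name the identifier or link the advisory so users of 13.2.0 can judge whether they need this release. The `policyLocation` entry under Added also mentions a default value without showing the placeholder syntax; a one-line example would help, since the separator used in this release is not the usual `:`.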
......
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/dee3e6f5cdd240fc80dfdcc1ee419ac8)](https://www.codacy.com/app/coder103/authzforce-ce-core?utm_source=github.com&utm_medium=referral&utm_content=authzforce/core&utm_campaign=Badge_Grade)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/389/badge)](https://bestpractices.coreinfrastructure.org/projects/389)
[![Build Status](https://travis-ci.org/authzforce/core.svg?branch=develop)](https://travis-ci.org/authzforce/core)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fauthzforce%2Fcore.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fauthzforce%2Fcore?ref=badge_shield)
Javadocs: PDP engine [![Javadocs](http://javadoc.io/badge/org.ow2.authzforce/authzforce-ce-core-pdp-engine.svg)](http://javadoc.io/doc/org.ow2.authzforce/authzforce-ce-core-pdp-engine), XACML/JSON extension [![Javadocs](http://javadoc.io/badge/org.ow2.authzforce/authzforce-ce-core-pdp-io-xacml-json.svg)](http://javadoc.io/doc/org.ow2.authzforce/authzforce-ce-core-pdp-io-xacml-json), Test utilities [![Javadocs](http://javadoc.io/badge/org.ow2.authzforce/authzforce-ce-core-pdp-testutils.svg)](http://javadoc.io/doc/org.ow2.authzforce/authzforce-ce-core-pdp-testutils)
......@@ -68,6 +70,9 @@ See the [change log](CHANGELOG.md) following the *Keep a CHANGELOG* [conventions
See the [license file](LICENSE).
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fauthzforce%2Fcore.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fauthzforce%2Fcore?ref=badge_large)
## System requirements
Java (JRE) 8 or later.
......@@ -84,20 +89,20 @@ Get the [latest executable jar from Maven Central](http://central.maven.org/mave
$ chmod a+x authzforce-ce-core-pdp-cli-13.0.0.jar
```
Copy the content of [that folder](pdp-cli/src/test/resources/conformance/xacml-3.0-core/mandatory) to the same directory, and run the executable as follows:
To give you an example on how to test a XACML Policy (or PolicySet) and Request, you may copy the content of [that folder](pdp-cli/src/test/resources/conformance/xacml-3.0-core/mandatory) to the same directory as the executable, and run the executable as follows:
```
$ ./authzforce-ce-core-pdp-cli-13.0.0.jar pdp.xml IIA001/Request.xml
```
* `pdp.xml`: PDP configuration file, that defines the location(s) of XACML policy(ies), among other PDP engine parameters; the content of this file is a XML document compliant with the PDP configuration [XML schema](pdp-engine/src/main/resources/pdp.xsd), so you can read the documentation of every configuration parameter in that schema file;
* `Request.xml`: XACML request in XACML 3.0/XML (core specification) format.
* `pdp.xml`: PDP configuration file, that defines the location(s) of XACML policy(ies), among other PDP engine parameters; the content of this file is a XML document compliant with the PDP configuration [XML schema](pdp-engine/src/main/resources/pdp.xsd), so you can read the documentation of every configuration parameter in that schema file; **Feel free to change the policy location to point to your own for testing.**
* `Request.xml`: XACML request in XACML 3.0/XML (core specification) format. **Feel free to replace with your own for testing.**
If you want to test the JSON Profile of XACML 3.0, run it with extra option `-t XACML_JSON`:
```
$ ./authzforce-ce-core-pdp-cli-13.0.0.jar -t XACML_JSON pdp.xml IIA001/Request.json
```
* `Request.json`: XACML request in XACML 3.0/JSON (Profile) format.
* `Request.json`: XACML request in XACML 3.0/JSON (Profile) format. **Feel free to replace with your own for testing.**
For more info, run it without parameters and you'll get detailed information on usage.
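Review bot: the command lines in this section still use `authzforce-ce-core-pdp-cli-13.0.0.jar` although this merge releases 13.3.0, so anyone who downloads the latest jar as instructed ends up with a different file name. Update the version in the three commands or use a placeholder for it. In the `pdp.xml` bullet the added bold sentence follows a semicolon and starts with a capital letter; end the previous clause with a period instead.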
......@@ -233,7 +238,7 @@ If you are using the Java API with extensions configured by XML (Policy Provider
You should use [AuthzForce users' mailing list](https://mail.ow2.org/wws/info/authzforce-users) as first contact for any communication about AuthzForce: question, feature request, notification, potential issue (unconfirmed), etc.
If you are experiencing any bug with this project and you indeed confirm this is not an issue with your environment (contact the users mailing list first if you are unsure), please report it on the [OW2 Issue Tracker](https://jira.ow2.org/browse/AUTHZFORCE/).
If you are experiencing any bug with this project and you indeed confirm this is not an issue with your environment (contact the users mailing list first if you are unsure), please report it on the [OW2 Issue Tracker](https://gitlab.ow2.org/authzforce/core/issues).
Please include as much information as possible; the more we know, the better the chance of a quicker resolution:
* Software version
......@@ -243,7 +248,7 @@ Please include as much information as possible; the more we know, the better the
* Your code & configuration files are often useful.
## Security - Vulnerability reporting
If you want to report a vulnerability, you must do so on the [OW2 Issue Tracker](https://jira.ow2.org/browse/AUTHZFORCE/) with *Security Level* set to **Private**. Then, if the AuthzForce team can confirm it, they will change it to **Public** and set a fix version.
If you want to report a vulnerability, you must do so on the [OW2 Issue Tracker](https://gitlab.ow2.org/authzforce/core/issues) and **make sure the checkbox** *This issue is confidential and should only be visible to team members with at least Reporter access* **is checked when creating the issue**. Then, if the AuthzForce team can confirm it, they will uncheck it to make the issue public.
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md).
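Review bot: in the "Security - Vulnerability reporting" paragraph, confidentiality now depends entirely on the reporter ticking the confidential checkbox when creating the issue, and a report filed without it is visible to everyone from the start. Add a private fallback channel for reporters who are unsure, and say what to do if an issue was opened publicly by mistake. The old wording also promised a fix version once the report is confirmed; the new wording drops that, so state whether it still applies.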
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: mailapi-1.5.6.jar,
false positive reported: https://github.com/jeremylong/DependencyCheck/issues/912
]]></notes>
<cpe>cpe:/a:mail_project:mail</cpe>
<cpe>cpe:/a:sun:javamail</cpe>
<cve>CVE-2007-6059</cve>
<cve>CVE-2015-9097</cve>
</suppress>
</suppressions>
\ No newline at end of file
<suppress>
<!--See issue #35 on Github -->
<cve>CVE-2018-8088</cve>
</suppress>
</suppressions>
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: mailapi-1.5.6.jar,
false positive reported: https://github.com/jeremylong/DependencyCheck/issues/912
]]></notes>
<cpe>cpe:/a:mail_project:mail</cpe>
<cpe>cpe:/a:sun:javamail</cpe>
<cve>CVE-2007-6059</cve>
<cve>CVE-2015-9097</cve>
</suppress>
</suppressions>
\ No newline at end of file
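Review bot: the `<notes>` text still names `mailapi-1.5.6.jar`, but the changelog in this merge says mailapi was replaced with javax.mail-api 1.6.0. Check whether the suppression of CVE-2007-6059 and CVE-2015-9097 is still needed for the new artifact. If it is, update the file name in the note; if not, drop the entry so that it cannot mask a real finding later.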
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>13.2.0</version>
<version>13.3.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-cli</artifactId>
......@@ -30,12 +30,12 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
<version>13.2.0</version>
<version>13.3.0</version>
</dependency>
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
<version>13.2.0</version>
<version>13.3.0</version>
</dependency>
<dependency>
<groupId>org.testng</groupId>
......@@ -46,7 +46,7 @@
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
<version>13.2.0</version>
<version>13.3.0</version>
<scope>test</scope>
</dependency>
</dependencies>
......@@ -143,15 +143,14 @@
</executions>
</plugin>
<plugin>
<!-- Override license-maven-plugin configuration to exclude Sunxacml files from adding GPL license headers (different license) -->
<groupId>com.mycila</groupId>
<artifactId>license-maven-plugin</artifactId>
<configuration>
<header>license/alv2-header.txt</header>
<includes>
<include>src/main/java/org/ow2/authzforce/**</include>
<include>src/main/java/**</include>
<!-- Include test files also -->
<include>src/test/java/org/ow2/authzforce/**</include>
<include>src/test/java/**</include>
</includes>
</configuration>
<executions>
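Review bot: widening the `<include>` patterns to `src/main/java/**` and `src/test/java/**` removes the restriction that the deleted comment explained, namely that Sunxacml files carry a different license and must not receive this project's header. If any source outside `org/ow2/authzforce` still has a third-party license, the plugin will now stamp `license/alv2-header.txt` on it. Confirm that no such files remain or add an `<excludes>` entry for them; the pdp-engine pom makes the same change and needs the same check.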
......@@ -213,4 +212,4 @@
</plugin>
</plugins>
</build>
</project>
\ No newline at end of file
</project>
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: mailapi-1.5.6.jar,
false positive reported: https://github.com/jeremylong/DependencyCheck/issues/912
]]></notes>
<cpe>cpe:/a:mail_project:mail</cpe>
<cpe>cpe:/a:sun:javamail</cpe>
<cve>CVE-2007-6059</cve>
<cve>CVE-2015-9097</cve>
</suppress>
<suppress>
<!--See issue #35 on Github -->
<cve>CVE-2018-8088</cve>
</suppress>
</suppressions>
\ No newline at end of file
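Review bot: the second `<suppress>` contains only `<cve>CVE-2018-8088</cve>`, with no `<cpe>`, `<gav>` or `<filePath>` selector, so it hides that CVE for every dependency in the module rather than for the one artifact that was analysed. With `failBuildOnAnyVulnerability` set to `true` in the pom, a suppression this broad removes the build gate for that CVE entirely. Scope it to the affected artifact and move the justification from the XML comment into `<notes>`, with the full issue URL instead of "issue #35 on Github".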
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>13.2.0</version>
<version>13.3.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
......@@ -27,8 +27,13 @@
<artifactId>jcl-over-slf4j</artifactId>
</dependency>
<dependency>
<!-- Needed for org.springframework.util.ResourceUtils,SystemPropertyUtils,FileCopyUtils,
etc. -->
<!-- JavaMail API implementation for XACML RFC822Name datatype -->
<groupId>com.sun.mail</groupId>
<artifactId>javax.mail</artifactId>
<version>1.6.0</version>
</dependency>
<dependency>
<!-- Needed for org.springframework.util.ResourceUtils,SystemPropertyUtils,FileCopyUtils, etc. -->
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</dependency>
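Review bot: `javax.mail` is declared with a hard-coded `<version>1.6.0</version>` in this module, while the `spring-core` dependency right below it carries no version and presumably inherits it from the parent. Managing this version in the parent's dependency management as well keeps it in one place and makes a later security upgrade a single-line change.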
......@@ -62,14 +67,11 @@
<build>
<plugins>
<plugin>
<!-- Consider combining with Red Hat Victims and OSS Index. More info
on Victims vs. Dependency-check: https://bugzilla.redhat.com/show_bug.cgi?id=1388712 -->
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<cveValidForHours>24</cveValidForHours>
<!-- The plugin has numerous issues with version matching, which triggers
false positives so we need a "suppresion" file for those. More info: https://github.com/jeremylong/DependencyCheck/issues -->
<!-- The plugin has numerous issues with version matching, which triggers false positives so we need a "suppresion" file for those. More info: https://github.com/jeremylong/DependencyCheck/issues -->
<suppressionFile>owasp-dependency-check-suppression.xml</suppressionFile>
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
</configuration>
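Review bot: the re-wrapped comment above `<suppressionFile>` still spells the word "suppresion"; fix the typo while the line is being touched.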
......@@ -84,8 +86,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<!-- target JDK already set by parent project's maven.compiler.target
property -->
<!-- target JDK already set by parent project's maven.compiler.target property -->
<configuration>
<verbose>true</verbose>
<excludeRoots>
......@@ -120,16 +121,14 @@
</executions>
</plugin>
<plugin>
<!-- Override license-maven-plugin configuration to exclude Sunxacml
files from adding GPL license headers (different license) -->
<groupId>com.mycila</groupId>
<artifactId>license-maven-plugin</artifactId>
<configuration>
<header>license/alv2-header.txt</header>
<includes>
<include>src/main/java/org/ow2/authzforce/**</include>
<include>src/main/java/**</include>
<!-- Include test files also -->
<include>src/test/java/org/ow2/authzforce/**</include>
<include>src/test/java/**</include>
</includes>
</configuration>
<executions>
......@@ -216,11 +215,14 @@
<systemPropertyVariables>
<javax.xml.accessExternalSchema>all</javax.xml.accessExternalSchema>
</systemPropertyVariables>
<environmentVariables>
<!-- Test environment variable for DefaultEnvironmentPropertiesTest class -->
<AUTHZFORCE_DATA_DIR>/tmp/authzforce</AUTHZFORCE_DATA_DIR>
</environmentVariables>
<properties>
<property>
<name>surefire.testng.verbose</name>
<!-- verbosity level from 0 to 10 (10 is the most detailed), or -1
for debug. More info: http://maven.apache.org/surefire/maven-surefire-plugin/examples/testng.html -->
<!-- verbosity level from 0 to 10 (10 is the most detailed), or -1 for debug. More info: http://maven.apache.org/surefire/maven-surefire-plugin/examples/testng.html -->
<value>3</value>
</property>
</properties>
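Review bot: `AUTHZFORCE_DATA_DIR` is hard-coded to `/tmp/authzforce` in `<environmentVariables>`, a path that does not exist on Windows build hosts and is shared between users and concurrent builds on Unix. A value such as `${project.build.directory}/authzforce` would keep the test input inside the build tree.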
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......@@ -26,23 +26,27 @@ import org.ow2.authzforce.core.pdp.api.EnvironmentPropertyName;
import org.springframework.util.PropertyPlaceholderHelper;
/**
* Default implementation of PDP configuration parser's environment properties.
* Default implementation of PDP configuration parser's environment properties, that supports user-defined properties, Java system properties and system-dependent environment variables.
*
* @version $Id: $
*/
public final class DefaultEnvironmentProperties implements EnvironmentProperties
{
private static final String PROPERTY_PLACEHOLDER_PREFIX = "${";
private static final String PROPERTY_PLACEHOLDER_SUFFIX = "}";
private static final String PROPERTY_PLACEHOLDER_DEFAULT_VALUE_SEPARATOR = ":";
/*
* We cannot use ':' as default value separator because not valid in XML anyURI
*/
private static final String PROPERTY_PLACEHOLDER_DEFAULT_VALUE_SEPARATOR = "!";
private static final PropertyPlaceholderHelper PROPERTY_PLACEHOLDER_HELPER = new PropertyPlaceholderHelper(PROPERTY_PLACEHOLDER_PREFIX, PROPERTY_PLACEHOLDER_SUFFIX,
PROPERTY_PLACEHOLDER_DEFAULT_VALUE_SEPARATOR, false);
PROPERTY_PLACEHOLDER_DEFAULT_VALUE_SEPARATOR, false);
private final Properties props = new Properties();
/**
* Empty properties
* Empty properties. Placeholders are resolved as system properties and environment variables only.
*/
public DefaultEnvironmentProperties()
{
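Review bot: changing `PROPERTY_PLACEHOLDER_DEFAULT_VALUE_SEPARATOR` from `":"` to `"!"` is an incompatible change for any caller of `replacePlaceholders()` that already passes `${name:default}`: with the new separator the whole `name:default` string is treated as the property name. Please state the `${name!default}` form in the class Javadoc next to the new description, and list the separator change explicitly in the release notes.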
......@@ -50,12 +54,13 @@ public final class DefaultEnvironmentProperties implements EnvironmentProperties
}
/**
* Constructs instance from existing properties in a map
* Constructs instance from existing properties in a map. Placeholders are resolved from {@code envProps} if the property name matches any, else as Java system property if the name matches any,
* else as system environment variables.
*
* @param envProps
* environment properties
* environment properties taking precedence over system properties or environment variables.
*/
public DefaultEnvironmentProperties(Map<EnvironmentPropertyName, String> envProps)
public DefaultEnvironmentProperties(final Map<EnvironmentPropertyName, String> envProps)
{
if (envProps == null)
{
......@@ -73,13 +78,29 @@ public final class DefaultEnvironmentProperties implements EnvironmentProperties
/** {@inheritDoc} */
@Override
public String replacePlaceholders(String input)
public String replacePlaceholders(final String input)
{
if (input == null)
{
return null;
}
return PROPERTY_PLACEHOLDER_HELPER.replacePlaceholders(input, props);
return PROPERTY_PLACEHOLDER_HELPER.replacePlaceholders(input, placeholderName -> {
assert placeholderName != null;
final String userDefinedPropVal = props.getProperty(placeholderName);
if (userDefinedPropVal != null)
{
return userDefinedPropVal;
}
final String sysPropVal = System.getProperty(placeholderName);
if (sysPropVal != null)
{
return sysPropVal;
}
// Fall back to searching the system environment.
return System.getenv(placeholderName);
});
}
}
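Review bot: the new resolver lambda falls through to `System.getProperty(placeholderName)` and `System.getenv(placeholderName)` for any name, so every string passed to `replacePlaceholders()` can now pull in arbitrary JVM properties and environment variables, which commonly hold credentials. If PDP configuration can come from a party less trusted than the process owner, restrict the fallback to an allow-list or a name prefix, or document that configuration files are fully trusted. Also, `System.getProperty` throws `IllegalArgumentException` for an empty key, so an input containing `${}` should be covered by a test.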
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
......
/**
* Copyright 2012-2018 Thales Services SAS.
* Copyright 2012-2018 THALES.
*
* This file is part of AuthzForce CE.
*
...