Commit 10f46756 authored by cdanger's avatar cdanger

Merge branch 'release/10.0.0'

parents be259aa9 72188d52
......@@ -4,6 +4,39 @@ All notable changes to this project are documented in this file following the [K
Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
## 10.0.0
### Changed
- Parent project version: 6.0.0 -> 7.0.0:
- Changed managed Spring version: 4.3.6 -> 4.3.12
- Dependency version: core-pdp-api: 11.0.0 ->12.0.0
- Changed PDP configuration XSD: 5.0.0 -> 6.0.0:
- Replaced attribute `badRequestStatusDetailLevel` with `clientRequestErrorVerbosityLevel`
- Replaced attributes `requestFilter` and `resultFilter` with element `ioProcChain` of new type `InOutProcChain` defining a pair of request preprocessor (ex-requestFilter) and result postprocessor (ex-resultFilter)
- Added `maxIntegerValue` attribute allowing to define the expected max integer value to be handled by the PDP engine during evaluation, based on which the engine selects the best Java representation among several (BigInteger, Long, Integer) for memory and CPU usage optimization
- Renamed PDP engine interfaces and base implementations:
* `(Base|Closeable)AttributeProviderModule` -> `(Base|Closeable)DesignatedAttributeProvider`
* `(Base)RequestFilter` -> `(Base)DecisionRequestPreprocessor`
* `DecisionResultFilter` -> `DecisionResultPostprocessor`
* `CloseablePdp` -> `CloseablePdpEngine`
* `(Base|Closeable)(Static)RefPolicyProviderModule` -> `(Base|Closeable)(Static)RefPolicyProvider`
* `RootPolicyProviderModule` -> `RootPolicyProvider`
* `(Base)DatatypeFactory(Registry)` -> `(Base)AttributeValueFactory(Registry)` (using new `AttributeDatatype` subclass of `Datatype`)
- Core PDP engine made agnostic of decision request/response formats, and extensible through `PdpEngineInoutAdapter` interface, and more specifically `DecisionRequestPreprocessor` and `DecisionResultPostprocessor` interfaces, in order to support new types of input/output (SerDes) formats (native implementations provided for XACML 3.0/XML - core specification - using JAXB API, and XACML/JSON - JSON Profile of XACML 3.0)
- Identifiers of native PDP requestFilter/resultFilter (now requestPreproc/resultPostproc) extensions:
- *...:request-filter:...* renamed to *...:request-preproc:xacml-xml:...*
- *...result-filter:...* renamed to *...:result-postproc:xacml-xml:...*
- Replaced `JaxbXacmlUtils` utility class with `Xacml3JaxbHelper` (in authzforce-ce-xacml-model dependency)
- Changed naming convention for Java class names with acronym(s) (only first letter should be uppercase), e.g. PolicyPOJO -> PolicyPojo
### Added
- Module `pdp-io-xacml-json` - XACML JSON Profile implementation: provides PDP extensions for processing (request/result pre/postprocessors) JSON input/output formats defined by JSON Profile of
XACML 3.0, and adapting to the PDP engine API; also provides automatic conversion of OASIS XACML 3.0/XML conformance test to XACML/JSON format (JSON Profile of XACML 3.0) with XSLT.
- Module `pdp-cli`: provides a PDP command-line interface and produces an executable jar allowing to test the PDP engine on the command line
- PDP engine I/O adapter extension mechanism for supporting new input/output formats of decision requests/responses
- `PdpEngineAdapters` utility class to help instantiate PDP engines supporting specific input/output formats
- `PpEngineConfiguration` utility class to help instantiate a PDP engine from a PDP XML configuration file (valid against PDP configuration XSD)
## 9.1.0
### Changed
- MongoDBRefPolicyProviderModule class: removed useless method already implemented by super class BaseStaticRefPolicyProviderModule.
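Review bot: `PpEngineConfiguration` in the Added section looks like a typo for `PdpEngineConfiguration`, which is the class this commit actually imports in pdp-cli (`org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration`); please fix it so readers can find the class. Minor: `11.0.0 ->12.0.0` is missing a space before `12.0.0`, and the `maxIntegerValue` entry would benefit from one sentence on what the engine does when a request carries an integer above the configured maximum, since that behaviour matters for untrusted input.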
......
## Contributing
### Contribution Rules
### Coding Rules
Follow these Java coding guidelines:
* [Google Java Style Guide](https://google.github.io/styleguide/javaguide.html), except braces must follow the Allman style instead of K & R style;
* *Effective Java, Second Edition*, by Joshua Bloch;
* [Oracle Secure Coding Guidelines for Java SE](http://www.oracle.com/technetwork/java/seccodeguide-139067.html).
### Testing
For every new major functionality, there must be unit tests added to some unit test class that is part of the automated test suite of [pdp-engine's MainTest.java](pdp-engine/src/test/java/org/ow2/authzforce/core/pdp/impl/test/MainTest.java). If the functionality has any impact on XACML - any Request/Response/Policy(Set) element - processing and/or change XACML standard conformance in anyway, make sure you add relevant integration and/or conformance tests to the test suite run by [pdp-testutils's MainTest.java](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/MainTest.java).
### Dependency management
1. No SNAPSHOT dependencies on "develop" and obviously "master" branches
### Releasing
1. From the develop branch, prepare a release (example using a HTTP proxy):
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 jgitflow:release-start
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 jgitflow:release-start
</code></pre>
1. Update the CHANGELOG according to keepachangelog.com.
1. To perform the release (example using a HTTP proxy):
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 jgitflow:release-finish
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 jgitflow:release-finish
</code></pre>
If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command but with 'noDeploy' option set to true to avoid re-deployment:
<pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 -DnoDeploy=true jgitflow:release-finish
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 -DnoDeploy=true jgitflow:release-finish
</code></pre>
1. Connect and log in to the OSS Nexus Repository Manager: https://oss.sonatype.org/
1. Go to Staging Profiles and select the pending repository authzforce-*... you just uploaded with `jgitflow:release-finish`
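Review bot: "If, after deployment, the command does not succeed because of some issue with the branches." is a sentence fragment; merge it with the following sentence ("..., fix the issue, then re-run the same command with `noDeploy` set to true ..."). The two proxy command lines under each step (port 3128 and port 80) read as two successive runs of `jgitflow:release-start` / `jgitflow:release-finish`; if they are alternative proxy settings, say so and show one. Also "in anyway" should be "in any way", and the Dependency management section has a single numbered item, so a plain sentence would read better.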
......

......@@ -2,9 +2,12 @@
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: mailapi-1.5.6.jar
file name: mailapi-1.5.6.jar,
false positive reported: https://github.com/jeremylong/DependencyCheck/issues/912
]]></notes>
<gav regex="true">^com\.sun\.mail:mailapi:.*$</gav>
<cpe>cpe:/a:mail_project:mail</cpe>
<cpe>cpe:/a:sun:javamail</cpe>
<cve>CVE-2007-6059</cve>
<cve>CVE-2015-9097</cve>
</suppress>
</suppressions>
\ No newline at end of file
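Review bot: adding `<gav regex="true">^com\.sun\.mail:mailapi:.*$</gav>` correctly narrows the two CVE suppressions to the mailapi artifact instead of any dependency that Dependency-Check maps to those CPEs, which is the right direction. Consider also putting an `until` date on the `<suppress>` element (supported by the 1.1 suppression schema this file declares) so the issue-912 false positive is re-checked after a while rather than silenced for good.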
/target/
/.settings/
/.classpath
/.pmd
/.pmdruleset.xml
/.project
/test-output/
<?xml version="1.0"?>
<!--
This file contains some false positive bugs detected by Findbugs. Their
false positive nature has been analyzed individually and they have been
put here to instruct Findbugs to ignore them.
-->
<FindBugsFilter>
<Match>
<!-- CRLF injection in logs is considered fixed in the logger configuration, e.g. logback.xml.
More info: https://github.com/find-sec-bugs/find-sec-bugs/issues/240
-->
<Bug pattern="CRLF_INJECTION_LOGS" />
</Match>
</FindBugsFilter>
\ No newline at end of file
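Review bot: this filter silences `CRLF_INJECTION_LOGS` for every class findbugs analyses in the module on the grounds that the logger configuration strips CRLF, but no logback configuration is visible in this commit, only the `logback-classic` dependency in the pom. Either add the module's logback configuration to the commit (with a pattern that neutralises `\r` and `\n` in messages, e.g. a `%replace(%msg){'[\r\n]', ''}` conversion) or narrow the `<Match>` to the classes that actually log request-derived data.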
Copyright ${inceptionYear}-${currentYear} ${copyrightOwner}.
This file is part of ${projectName}.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: mailapi-1.5.6.jar,
false positive reported: https://github.com/jeremylong/DependencyCheck/issues/912
]]></notes>
<cpe>cpe:/a:mail_project:mail</cpe>
<cpe>cpe:/a:sun:javamail</cpe>
<cve>CVE-2007-6059</cve>
<cve>CVE-2015-9097</cve>
</suppress>
</suppressions>
\ No newline at end of file
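Review bot: this copy of the suppression file lacks the `<gav regex="true">^com\.sun\.mail:mailapi:.*$</gav>` selector that the root file gains in the same commit, so here CVE-2007-6059 and CVE-2015-9097 are suppressed for any dependency matched to `cpe:/a:mail_project:mail` or `cpe:/a:sun:javamail`, not just mailapi-1.5.6.jar. Add the same `<gav>` line (or a `<filePath>`/`<sha1>` selector) so `failBuildOnAnyVulnerability` in the pom keeps its teeth for this module.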
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core</artifactId>
<version>10.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-core-pdp-cli</artifactId>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthzForce - Core PDP Command-Line Interface</description>
<url>${project.url}</url>
<scm>
<connection>scm:git:${git.url.base}/core.git/pdp-cli</connection>
<developerConnection>scm:git:${git.url.base}/core.git/pdp-cli</developerConnection>
<tag>HEAD</tag>
<!-- Publicly browsable repository URL. For example, via Gitlab web UI. -->
<url>${git.url.base}/core/pdp-cli</url>
</scm>
<dependencies>
<dependency>
<groupId>info.picocli</groupId>
<artifactId>picocli</artifactId>
<version>2.0.3</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</dependency>
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-engine</artifactId>
<version>10.0.0</version>
</dependency>
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
<version>10.0.0</version>
</dependency>
<dependency>
<groupId>org.testng</groupId>
<artifactId>testng</artifactId>
<version>6.11</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
<version>10.0.0</version>
<scope>test</scope>
</dependency>
</dependencies>
<pluginRepositories>
<pluginRepository>
<id>spring-milestone</id>
<name>Spring Milestone Repository</name>
<url>https://repo.spring.io/milestone</url>
<!-- <releases><enabled>true</enabled></releases> -->
<!-- <snapshots><enabled>true</enabled></snapshots> -->
</pluginRepository>
</pluginRepositories>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<executions>
<execution>
<phase>process-sources</phase>
<goals>
<goal>resources</goal>
</goals>
<configuration>
<escapeString>\</escapeString>
<overwrite>true</overwrite>
<resources>
<!-- Replace variable 'project.version' in some source files. The result goes to ${project.build.directory}. -->
<resource>
<directory>src</directory>
<filtering>true</filtering>
<includes>
<include>org.ow2.authzforce.core.product.properties</include>
</includes>
</resource>
</resources>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<!-- Consider combining with Red Hat Victims and OSS Index. More info on Victims vs. Dependency-check: https://bugzilla.redhat.com/show_bug.cgi?id=1388712 -->
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<cveValidForHours>24</cveValidForHours>
<!-- The plugin has numerous issues with version matching, which triggers false positives so we need a "suppresion" file for those. More info: https://github.com/jeremylong/DependencyCheck/issues -->
<suppressionFile>owasp-dependency-check-suppression.xml</suppressionFile>
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<!-- target JDK already set by parent project's maven.compiler.target property -->
<configuration>
<verbose>true</verbose>
<excludeRoots>
<excludeRoot>target/generated-sources/xjc</excludeRoot>
<excludeRoot>target/generated-test-sources/xjc</excludeRoot>
</excludeRoots>
</configuration>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>check</goal>
<goal>cpd-check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<configuration>
<onlyAnalyze>org.ow2.authzforce.*</onlyAnalyze>
<excludeFilterFile>findbugs-exclude-filter.xml</excludeFilterFile>
</configuration>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<!-- Override license-maven-plugin configuration to exclude Sunxacml files from adding GPL license headers (different license) -->
<groupId>com.mycila</groupId>
<artifactId>license-maven-plugin</artifactId>
<configuration>
<header>license/alv2-header.txt</header>
<includes>
<include>src/main/java/org/ow2/authzforce/**</include>
<!-- Include test files also -->
<include>src/test/java/org/ow2/authzforce/**</include>
</includes>
</configuration>
<executions>
<execution>
<id>format-sources-license</id>
<phase>process-sources</phase>
<goals>
<goal>format</goal>
</goals>
</execution>
<execution>
<id>format-test-sources-license</id>
<phase>process-test-sources</phase>
<goals>
<goal>format</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<!-- This execution of surefire is overwritten by a default one unless we specify a different version in pluginManagement. -->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<skipAfterFailureCount>1</skipAfterFailureCount>
<!-- redirectTestOutputToFile: set this to 'true' to redirect the unit test standard output to a file (found in reportsDirectory/testName-output.txt) -->
<redirectTestOutputToFile>false</redirectTestOutputToFile>
<systemPropertyVariables>
<javax.xml.accessExternalSchema>all</javax.xml.accessExternalSchema>
</systemPropertyVariables>
<properties>
<property>
<name>surefire.testng.verbose</name>
<!-- verbosity level from 0 to 10 (10 is the most detailed), or -1 for debug More info: http://maven.apache.org/surefire/maven-surefire-plugin/examples/testng.html -->
<value>2</value>
</property>
</properties>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>2.0.0.M6</version>
<configuration>
<executable>true</executable>
<layout>ZIP</layout>
<embeddedLaunchScriptProperties>
<inlinedConfScript>${basedir}/src/setenv.sh</inlinedConfScript>
</embeddedLaunchScriptProperties>
</configuration>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
\ No newline at end of file
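Review bot: `spring-boot-maven-plugin` is pinned to the milestone `2.0.0.M6`, which is why the `spring-milestone` plugin repository has to be added; a release branch (`release/10.0.0`) whose executable jar is built by a pre-release plugin fetched from a non-central repository is a reproducibility and supply-chain concern, so either move to a GA version or document why the milestone is required and when it will be replaced. Smaller points: the license-maven-plugin comment ("exclude Sunxacml files from adding GPL license headers") does not match the configuration, which only includes `org/ow2/authzforce/**` under an Apache header, and `javax.xml.accessExternalSchema=all` is correctly confined to the surefire test configuration; keep it out of the runtime launch script.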
/**
* Copyright 2012-2017 Thales Services SAS.
*
* This file is part of AuthzForce CE.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
*
*/
package org.ow2.authzforce.core.pdp.cli;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.concurrent.Callable;
import javax.xml.bind.Marshaller;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import org.json.JSONObject;
import org.json.JSONTokener;
import org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor;
import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.XmlUtils;
import org.ow2.authzforce.core.pdp.api.XmlUtils.XmlnsFilteringParser;
import org.ow2.authzforce.core.pdp.api.io.PdpEngineInoutAdapter;
import org.ow2.authzforce.core.pdp.api.io.XacmlJaxbParsingUtils;
import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;
import org.ow2.authzforce.core.pdp.impl.io.PdpEngineAdapters;
import org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonResultPostprocessor;
import org.ow2.authzforce.core.pdp.io.xacml.json.IndividualXacmlJsonRequest;
import org.ow2.authzforce.core.pdp.io.xacml.json.SingleDecisionXacmlJsonRequestPreprocessor;
import org.ow2.authzforce.xacml.Xacml3JaxbHelper;
import org.ow2.authzforce.xacml.json.model.Xacml3JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Option;
import picocli.CommandLine.Parameters;
/**
* {@link Callable} allowing to call the PDP engine (adapters) from the command-line
* <p>
* TODO: implement tests: 1) with xacml-xml 2) with xacml-json 3/4) with/without catalog and with/without extension XSD.
*
*/
@Command(name = "authzforce-ce-core-pdp-cli", description = "Evaluates a XACML Request against a XACML Policy(Set) using AuthzForce PDP engine")
public final class PdpCommandLineCallable implements Callable<Void>
{
private static enum RequestType
{
XACML_XML, XACML_JSON;
}
/*
* WARNING: do not make picocli-annoated fields final here! Known issue: https://github.com/remkop/picocli/issues/68. Planned to be fixed in release 2.1.0.
*/
@Option(names = { "-t", "--type" }, description = "Type of XACML request/response: 'XACML_XML' for XACML 3.0/XML (XACML core specification), 'XACML_JSON' for XACML 3.0/JSON (JSON Profile of XACML 3.0)")
private RequestType requestType = RequestType.XACML_XML;
@Parameters(index = "0", description = "Path to PDP configuration file, valid against schema located at https://github.com/authzforce/core/blob/release-X.Y.Z/pdp-engine/src/main/resources/pdp.xsd (X.Y.Z is the version provided by -v option)")
private File confFile;
@Option(names = { "-c", "--catalog" }, description = "Path to XML catalog for resolving schemas used in extensions XSD specified by -e option, required only if -e specified")
private String catalogLocation = null;
@Option(names = { "-e", "--extensions" }, description = "Path to extensions XSD (contains XSD namespace imports for all extensions used in the PDP configuration), required only if using any extension in the PDP configuration file")
private String extensionXsdLocation = null;
@Parameters(index = "1", description = "XACML Request (format determined by -t option)")
private File reqFile;
@Option(names = { "-p", "--prettyprint" }, description = "Pretty-print output with line feeds and indentation")
private boolean formattedOutput = false;
@Override
public Void call() throws Exception
{
final PdpEngineConfiguration configuration = PdpEngineConfiguration.getInstance(confFile, catalogLocation, extensionXsdLocation);
System.out.println();
switch (requestType)
{
case XACML_JSON:
final JSONObject jsonRequest;
try (InputStream inputStream = new FileInputStream(reqFile))
{
jsonRequest = new JSONObject(new JSONTokener(inputStream));
if (!jsonRequest.has("Request"))
{
throw new IllegalArgumentException("Invalid XACML JSON Request file: " + reqFile + ". Expected root key: \"Request\"");
}
Xacml3JsonUtils.REQUEST_SCHEMA.validate(jsonRequest);
}
final DecisionResultPostprocessor<IndividualXacmlJsonRequest, JSONObject> defaultResultPostproc = new BaseXacmlJsonResultPostprocessor(
configuration.getClientRequestErrorVerbosityLevel());
final DecisionRequestPreprocessor<JSONObject, IndividualXacmlJsonRequest> defaultReqPreproc = SingleDecisionXacmlJsonRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(
configuration.getAttributeValueFactoryRegistry(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.isXpathEnabled(), XmlUtils.SAXON_PROCESSOR,
defaultResultPostproc.getFeatures());
final PdpEngineInoutAdapter<JSONObject, JSONObject> jsonPdpEngineAdapter = PdpEngineAdapters.newInoutAdapter(JSONObject.class, JSONObject.class, configuration, defaultReqPreproc,
defaultResultPostproc);
final JSONObject jsonResponse = jsonPdpEngineAdapter.evaluate(jsonRequest);
System.out.println(jsonResponse.toString(formattedOutput ? 4 : 0));
break;
default:
final XmlnsFilteringParser parser = XacmlJaxbParsingUtils.getXacmlParserFactory(true).getInstance();
final Object request = parser.parse(reqFile.toURI().toURL());
if (!(request instanceof Request))
{
throw new IllegalArgumentException("Invalid XACML/XML Request file (according to XACML 3.0 schema): " + reqFile);
}
final PdpEngineInoutAdapter<Request, Response> xmlPdpEngineAdapter = PdpEngineAdapters.newXacmlJaxbInoutAdapter(configuration);
final Response xmlResponse = xmlPdpEngineAdapter.evaluate((Request) request, parser.getNamespacePrefixUriMap());
final Marshaller marshaller = Xacml3JaxbHelper.createXacml3Marshaller();
marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, formattedOutput);
marshaller.marshal(xmlResponse, System.out);
break;
}
System.out.println();
return null;
}
/**
* Method used for the command-line
*
* @param args
* CLI args
*/
public static void main(final String[] args)
{
CommandLine.call(new PdpCommandLineCallable(), System.out, args);
}
}
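Review bot: the class-level Javadoc still carries `TODO: implement tests` and the commit adds no test class under pdp-cli even though the pom declares testng and `authzforce-ce-core-pdp-testutils` test dependencies; the README's Testing rule in this same commit requires unit tests for every new major functionality, so at least the four cases listed in the TODO (XACML/XML, XACML/JSON, with/without catalog and extension XSD) should land with the module. Smaller points: the unconditional `System.out.println()` before and after the `switch` adds blank lines to the response when stdout is piped to another tool, and the `default:` branch silently treats any future `RequestType` value as XACML/XML; an explicit `case XACML_XML:` plus a `default:` that throws would be safer. Typo in the comment: "picocli-annoated" -> "picocli-annotated".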
org.ow2.authzforce.core.pdp.io.xacml.json.SingleDecisionXacmlJsonRequestPreprocessor$LaxVariantFactory
org.ow2.authzforce.core.pdp.io.xacml.json.SingleDecisionXacmlJsonRequestPreprocessor$StrictVariantFactory