Commit 1293ea99 authored by cdanger's avatar cdanger

Added support for Extended Indeterminate values (XACML 3.0 Core

specification, section 7.10-7.14, appendix C: combining algorithms)
parent 147ef63c
......@@ -3,6 +3,7 @@ All notable changes to this project are documented in this file following the [K
## Unreleased
### Added
- Support for Extended Indeterminate values (XACML 3.0 Core specification, section 7.10-7.14, appendix C: combining algorithms)
- PdpImpl#getStaticRootAndRefPolicies() that provides all the PDP's root policy and policies referenced - directly or indirectly - from the root policy, if all are statically resolved. This allows PDP clients to know all the policies (if statically resolved) possibly used by the PDP during the evaluation.
## 3.7.0
......
......@@ -35,7 +35,8 @@ import org.ow2.authzforce.core.pdp.api.PepActions;
*/
public final class BaseDecisionResult implements DecisionResult
{
private static final IllegalArgumentException ILLEGAL_DECISION_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined Decision");
private static final IllegalArgumentException ILLEGAL_DECISION_ARGUMENT_EXCEPTION = new IllegalArgumentException(
"Undefined Decision");
/**
* NotApplicable decision result
......@@ -54,6 +55,21 @@ public final class BaseDecisionResult implements DecisionResult
private final DecisionType decision;
/**
* Extended Indeterminate value, as defined in section 7.10 of XACML 3.0 core: <i>potential effect value which could
* have occurred if there would not have been an error causing the “Indeterminate”</i>. We use the following
* convention:
* <ul>
* <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
* <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
* <li>Null means "Indeterminate{DP}"</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not Indeterminate, and
* therefore any extended Indeterminate value should be ignored</li>
* </ul>
*
*/
private final DecisionType extIndeterminate;
private final Status status;
// initialized non-null
......@@ -67,6 +83,8 @@ public final class BaseDecisionResult implements DecisionResult
*
* @param decision
* decision
* @param extendedIndeterminate
* Extended Indeterminate value, null if {@code decision != DecisionType.INDETERMINATE}
* @param status
* status
* @param pepActions
......@@ -74,7 +92,8 @@ public final class BaseDecisionResult implements DecisionResult
* @param policyIdentifierList
* list of matched policy identifiers
*/
public BaseDecisionResult(DecisionType decision, Status status, PepActions pepActions, List<JAXBElement<IdReferenceType>> policyIdentifierList)
public BaseDecisionResult(DecisionType decision, DecisionType extendedIndeterminate, Status status,
PepActions pepActions, List<JAXBElement<IdReferenceType>> policyIdentifierList)
{
if (decision == null)
{
......@@ -82,26 +101,51 @@ public final class BaseDecisionResult implements DecisionResult
}
this.decision = decision;
this.extIndeterminate = extendedIndeterminate;
this.status = status;
this.pepActions = pepActions == null ? new BasePepActions(null, null) : pepActions;
this.applicablePolicyIdList = policyIdentifierList == null ? new ArrayList<JAXBElement<IdReferenceType>>() : policyIdentifierList;
this.applicablePolicyIdList = policyIdentifierList == null ? new ArrayList<JAXBElement<IdReferenceType>>()
: policyIdentifierList;
}
/**
* Instantiates a Indeterminate Decision result with a given error status
*
* @param extendedIndeterminate
* Extended Indeterminate value (XACML 3.0 Core, section 7.10). We use the following convention:
* <ul>
* <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
* <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
* <li>{@link DecisionType#INDETERMINATE} means "Indeterminate{DP}"</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not
* Indeterminate, and therefore any extended Indeterminate value should be ignored</li>
* </ul>
*
* @param status
* reason/code for Indeterminate
*/
public BaseDecisionResult(Status status, DecisionType extendedIndeterminate)
{
this(DecisionType.INDETERMINATE, extendedIndeterminate, status, null, null);
}
/**
* Instantiates a Indeterminate Decision result with a given error status and extended Indeterminate set to
* Indeterminate{DP}
*
* @param status
* reason/code for Indeterminate
*/
public BaseDecisionResult(Status status)
{
this(DecisionType.INDETERMINATE, status, null, null);
this(DecisionType.INDETERMINATE, DecisionType.INDETERMINATE, status, null, null);
}
/**
* Instantiates a Permit/Deny decision with optional obligations and advice. See {@link #BaseDecisionResult(Status)} for Indeterminate, and
* {@link #NOT_APPLICABLE} for NotApplicable.
* Instantiates a Permit/Deny decision with optional obligations and advice. See
* {@link #BaseDecisionResult(Status, DecisionType)} for Indeterminate, and {@link #NOT_APPLICABLE} for
* NotApplicable.
*
* @param decision
* decision
......@@ -110,7 +154,7 @@ public final class BaseDecisionResult implements DecisionResult
*/
public BaseDecisionResult(DecisionType decision, PepActions pepActions)
{
this(decision, null, pepActions, null);
this(decision, DecisionType.NOT_APPLICABLE, null, pepActions, null);
}
private transient volatile int hashCode = 0;
......@@ -120,7 +164,8 @@ public final class BaseDecisionResult implements DecisionResult
{
if (hashCode == 0)
{
hashCode = Objects.hash(this.decision, this.status, this.pepActions, this.applicablePolicyIdList);
hashCode = Objects.hash(this.decision, this.extIndeterminate, this.status, this.pepActions,
this.applicablePolicyIdList);
}
return hashCode;
......@@ -145,6 +190,11 @@ public final class BaseDecisionResult implements DecisionResult
return false;
}
if (this.extIndeterminate != other.getExtendedIndeterminate())
{
return false;
}
// Status is optional in XACML
if (this.status == null)
{
......@@ -218,7 +268,8 @@ public final class BaseDecisionResult implements DecisionResult
}
/**
* Merge extra PEP actions and/or matched policy identifiers. Used when combining results from child Rules of Policy or child Policies of PolicySet
* Merge extra PEP actions and/or matched policy identifiers. Used when combining results from child Rules of Policy
* or child Policies of PolicySet
*
* @param newPepActions
* new PEP actions
......@@ -242,8 +293,14 @@ public final class BaseDecisionResult implements DecisionResult
@Override
public String toString()
{
return "Result [decision=" + decision + ", status=" + status + ", pepActions=" + pepActions + ", applicablePolicyIdList=" + applicablePolicyIdList
+ "]";
return "Result [decision=" + decision + ", status=" + status + ", pepActions=" + pepActions
+ ", applicablePolicyIdList=" + applicablePolicyIdList + "]";
}
@Override
public DecisionType getExtendedIndeterminate()
{
return this.extIndeterminate;
}
}
......@@ -17,6 +17,8 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import org.ow2.authzforce.core.pdp.api.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.CombiningAlgParameter;
......@@ -26,9 +28,9 @@ import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.impl.BaseDecisionResult;
/**
* This is the standard XACML 3.0 Deny-Overrides policy/rule combining algorithm. It allows a single evaluation of Deny to take precedence over any number of
* permit, not applicable or indeterminate results. Note that since this implementation does an ordered evaluation, this class also supports the
* Ordered-Deny-Overrides-algorithm.
* This is the standard XACML 3.0 Deny-Overrides policy/rule combining algorithm. It allows a single evaluation of Deny
* to take precedence over any number of permit, not applicable or indeterminate results. Note that since this
* implementation does an ordered evaluation, this class also supports the Ordered-Deny-Overrides-algorithm.
*/
public final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
{
......@@ -46,9 +48,18 @@ public final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
public DecisionResult eval(EvaluationContext context)
{
/*
* Replaces atLeastOneError from XACML spec. atLeastOneError == true <=> firstIndeterminateResult != null
* Replaces atLeastOneErrorDP from XACML spec. atLeastOneErrorDP == true <=> firstIndeterminateDPResult !=
* null
*/
DecisionResult firstIndeterminateDPResult = null;
/*
* Replaces atLeastOneErrorD from XACML spec. atLeastOneErrorD == true <=> firstIndeterminateDResult != null
*/
DecisionResult firstIndeterminateDResult = null;
/*
* Replaces atLeastOneErrorP from XACML spec. atLeastOneErrorP == true <=> firstIndeterminatePResult != null
*/
DecisionResult firstIndeterminateResult = null;
DecisionResult firstIndeterminatePResult = null;
/*
* Replaces atLeastOnePermit from XACML spec. atLeastOnePermit == true <=> combinedPermitResult != null
......@@ -74,9 +85,33 @@ public final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
break;
case INDETERMINATE:
/*
* FIXME: implement extended Indeterminate decisions (result differs if Indeterminate{P} or Indeterminate{D})
* Save Extended Indeterminate value if this is a new type of such value, till the end because
* needed to compute final Extended Indeterminate value
*/
firstIndeterminateResult = result;
switch (result.getExtendedIndeterminate())
{
case INDETERMINATE:
if (firstIndeterminateDPResult == null)
{
firstIndeterminateDPResult = result;
}
break;
case DENY:
if (firstIndeterminateDResult == null)
{
firstIndeterminateDResult = result;
}
break;
case PERMIT:
if (firstIndeterminatePResult == null)
{
firstIndeterminatePResult = result;
}
break;
default:
}
break;
default:
break;
......@@ -84,28 +119,44 @@ public final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
}
/*
* FIXME: implement extended Indeterminate decisions as the algorithm distinguishes them.
* There was no Deny, else: if any Indeterminate{DP}, then Indeterminate{DP}
*/
if (firstIndeterminateResult != null)
if (firstIndeterminateDPResult != null)
{
return firstIndeterminateResult;
// at least one Indeterminate{DP}
return firstIndeterminateDPResult;
}
// if we got a PERMIT, return it, otherwise it's NOT_APPLICABLE
/*
* Else if any Indeterminate{D}, then: if ( any Indeterminate{P} or any Permit ) -> Indeterminate{DP}; else
* -> Indeterminate{D} (this is a simplified equivalent of the algo in the spec)
*/
if (firstIndeterminateDResult != null)
{
return new BaseDecisionResult(firstIndeterminateDResult.getStatus(), firstIndeterminatePResult != null
|| combinedPermitResult != null ? DecisionType.INDETERMINATE : DecisionType.DENY);
}
// if we got a PERMIT or Indeterminate{P}, return it, otherwise it's NOT_APPLICABLE
if (combinedPermitResult != null)
{
return combinedPermitResult;
}
if (firstIndeterminatePResult != null)
{
return firstIndeterminatePResult;
}
return BaseDecisionResult.NOT_APPLICABLE;
}
}
/**
* The standard URIs used to identify this algorithm
*/
static final String[] SUPPORTED_IDENTIFIERS = { "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides",
static final String[] SUPPORTED_IDENTIFIERS = {
"urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides",
"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides",
"urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides",
"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-deny-overrides" };
......@@ -131,8 +182,8 @@ public final class DenyOverridesAlg extends BaseCombiningAlg<Decidable>
}
@Override
public CombiningAlg.Evaluator getInstance(List<CombiningAlgParameter<? extends Decidable>> params, List<? extends Decidable> combinedElements)
throws UnsupportedOperationException, IllegalArgumentException
public CombiningAlg.Evaluator getInstance(List<CombiningAlgParameter<? extends Decidable>> params,
List<? extends Decidable> combinedElements) throws UnsupportedOperationException, IllegalArgumentException
{
return new Evaluator(combinedElements);
}
......
......@@ -17,6 +17,8 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import org.ow2.authzforce.core.pdp.api.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.CombiningAlgParameter;
......@@ -26,9 +28,9 @@ import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.impl.BaseDecisionResult;
/**
* This is the standard Permit-Overrides policy/rule combining algorithm. It allows a single evaluation of Permit to take precedence over any number of deny,
* not applicable or indeterminate results. Note that since this implementation does an ordered evaluation, this class also supports the
* Ordered-Permit-Overrides algorithm.
* This is the standard Permit-Overrides policy/rule combining algorithm. It allows a single evaluation of Permit to
* take precedence over any number of deny, not applicable or indeterminate results. Note that since this implementation
* does an ordered evaluation, this class also supports the Ordered-Permit-Overrides algorithm.
*/
public final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
{
......@@ -46,12 +48,22 @@ public final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
public DecisionResult eval(EvaluationContext context)
{
/*
* Replaces and enhances atLeastOneError from XACML spec. atLeastOneError == true <=> firstIndeterminateResult != null
* Replaces atLeastOneErrorDP from XACML spec. atLeastOneErrorDP == true <=> firstIndeterminateDPResult !=
* null
*/
DecisionResult firstIndeterminateDPResult = null;
/*
* Replaces atLeastOneErrorD from XACML spec. atLeastOneErrorD == true <=> firstIndeterminateDResult != null
*/
DecisionResult firstIndeterminateDResult = null;
/*
* Replaces atLeastOneErrorP from XACML spec. atLeastOneErrorP == true <=> firstIndeterminatePResult != null
*/
DecisionResult firstIndeterminateResult = null;
DecisionResult firstIndeterminatePResult = null;
/*
* Replaces and enhances atLeastOneDeny from XACML spec. atLeastOneDeny == true <=> combinedDenyResult != null
* Replaces and enhances atLeastOneDeny from XACML spec. atLeastOneDeny == true <=> combinedDenyResult !=
* null
*/
DecisionResult combinedDenyResult = null;
......@@ -75,9 +87,32 @@ public final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
break;
case INDETERMINATE:
/*
* FIXME: implement extended Indeterminate decisions (result differs if Indeterminate{P} or Indeterminate{D})
* Save Extended Indeterminate value if this is a new type of such value, till the end because
* needed to compute final Extended Indeterminate value
*/
firstIndeterminateResult = result;
switch (result.getExtendedIndeterminate())
{
case INDETERMINATE:
if (firstIndeterminateDPResult == null)
{
firstIndeterminateDPResult = result;
}
break;
case DENY:
if (firstIndeterminateDResult == null)
{
firstIndeterminateDResult = result;
}
break;
case PERMIT:
if (firstIndeterminatePResult == null)
{
firstIndeterminatePResult = result;
}
break;
default:
}
break;
default:
break;
......@@ -85,11 +120,22 @@ public final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
}
/*
* FIXME: implement extended Indeterminate decisions as the algorithm distinguishes them.
* There was no Permit, else: if any Indeterminate{DP}, then Indeterminate{DP}
*/
if (firstIndeterminateResult != null)
if (firstIndeterminateDPResult != null)
{
return firstIndeterminateResult;
// at least one Indeterminate{DP}
return firstIndeterminateDPResult;
}
/*
* Else if any Indeterminate{P}, then: if ( any Indeterminate{D} or any Deny ) -> Indeterminate{DP}; else ->
* Indeterminate{P} (this is a simplified equivalent of the algo in the spec)
*/
if (firstIndeterminatePResult != null)
{
return new BaseDecisionResult(firstIndeterminatePResult.getStatus(), firstIndeterminateDResult != null
|| combinedDenyResult != null ? DecisionType.INDETERMINATE : DecisionType.PERMIT);
}
/*
......@@ -100,13 +146,19 @@ public final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
return combinedDenyResult;
}
if (firstIndeterminateDResult != null)
{
return firstIndeterminateDResult;
}
return BaseDecisionResult.NOT_APPLICABLE;
}
}
@Override
public Evaluator getInstance(List<CombiningAlgParameter<? extends Decidable>> params, List<? extends Decidable> combinedElements)
public Evaluator getInstance(List<CombiningAlgParameter<? extends Decidable>> params,
List<? extends Decidable> combinedElements)
{
return new Evaluator(combinedElements);
}
......@@ -114,7 +166,8 @@ public final class PermitOverridesAlg extends BaseCombiningAlg<Decidable>
/**
* The standard URN used to identify this algorithm
*/
static final String[] SUPPORTED_IDENTIFIERS = { "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides",
static final String[] SUPPORTED_IDENTIFIERS = {
"urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides",
"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides",
"urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-permit-overrides",
"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:ordered-permit-overrides" };
......
......@@ -39,13 +39,14 @@ class DynamicPolicyRefEvaluator<T extends IPolicyEvaluator> extends PolicyRefere
private final transient RefPolicyProvider refPolicyProvider;
/*
* Chain of Policy Reference leading from root policy down to this reference (excluded) (Do not use a Queue as it is FIFO, and we need LIFO and iteration in
* order of insertion, so different from Collections.asLifoQueue(Deque) as well.)
* Chain of Policy Reference leading from root policy down to this reference (excluded) (Do not use a Queue as it is
* FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as
* well.)
*/
private final transient Deque<String> ancestorPolicyRefChain;
DynamicPolicyRefEvaluator(String policyIdRef, VersionPatterns versionConstraints, Class<T> policyReferenceType, RefPolicyProvider refPolicyProvider,
Deque<String> ancestorPolicyRefChain)
DynamicPolicyRefEvaluator(String policyIdRef, VersionPatterns versionConstraints, Class<T> policyReferenceType,
RefPolicyProvider refPolicyProvider, Deque<String> ancestorPolicyRefChain)
{
super(policyIdRef, versionConstraints, policyReferenceType);
if (refPolicyProvider == null)
......@@ -61,14 +62,16 @@ class DynamicPolicyRefEvaluator<T extends IPolicyEvaluator> extends PolicyRefere
* Resolves this to the actual Policy
*
* @throws ParsingException
* Error parsing the policy referenced by this. The referenced policy may be parsed on the fly, when calling this method.
* Error parsing the policy referenced by this. The referenced policy may be parsed on the fly, when
* calling this method.
* @throws IndeterminateEvaluationException
* if error determining the policy referenced by this, e.g. if more than one policy is found
*/
private T resolve() throws ParsingException, IndeterminateEvaluationException
{
return refPolicyProvider.get(this.referredPolicyClass, this.refPolicyId, this.versionConstraints, ancestorPolicyRefChain);
return refPolicyProvider.get(this.referredPolicyClass, this.refPolicyId, this.versionConstraints,
ancestorPolicyRefChain);
}
@Override
......@@ -98,7 +101,8 @@ class DynamicPolicyRefEvaluator<T extends IPolicyEvaluator> extends PolicyRefere
} catch (ParsingException e)
{
throw new IndeterminateEvaluationException("Error resolving " + this
+ " to check whether the referenced policy is applicable to the request context", StatusHelper.STATUS_SYNTAX_ERROR, e);
+ " to check whether the referenced policy is applicable to the request context",
StatusHelper.STATUS_SYNTAX_ERROR, e);
}
}
......@@ -116,13 +120,15 @@ class DynamicPolicyRefEvaluator<T extends IPolicyEvaluator> extends PolicyRefere
}
@Override
public Map<String, PolicyVersion> getStaticRefPolicies() {
public Map<String, PolicyVersion> getStaticRefPolicies()
{
// this is not static
return null;
}
@Override
public PolicyVersion getPolicyVersion() {
public PolicyVersion getPolicyVersion()
{
// Version is not statically defined
return null;
}
......
......@@ -57,7 +57,8 @@ public class RuleEvaluator implements Decidable
* @throws IllegalArgumentException
* Invalid Target, Condition or Obligation/Advice expressions
*/
public RuleEvaluator(Rule ruleElt, XPathCompiler xPathCompiler, ExpressionFactory expressionFactory) throws IllegalArgumentException
public RuleEvaluator(Rule ruleElt, XPathCompiler xPathCompiler, ExpressionFactory expressionFactory)
throws IllegalArgumentException
// throws ParsingException
{
// JAXB fields initialization
......@@ -70,7 +71,8 @@ public class RuleEvaluator implements Decidable
final oasis.names.tc.xacml._3_0.core.schema.wd_17.Target targetElt = ruleElt.getTarget();
try
{
this.evaluatableTarget = targetElt == null ? null : new TargetEvaluator(targetElt, xPathCompiler, expressionFactory);
this.evaluatableTarget = targetElt == null ? null : new TargetEvaluator(targetElt, xPathCompiler,
expressionFactory);
} catch (IllegalArgumentException e)
{
throw new IllegalArgumentException(this + ": Invalid Target", e);
......@@ -79,7 +81,8 @@ public class RuleEvaluator implements Decidable
final Condition condElt = ruleElt.getCondition();
try
{
this.evaluatableCondition = condElt == null ? null : new ConditionEvaluator(condElt, xPathCompiler, expressionFactory);
this.evaluatableCondition = condElt == null ? null : new ConditionEvaluator(condElt, xPathCompiler,
expressionFactory);
} catch (IllegalArgumentException e)
{
throw new IllegalArgumentException(this + ": invalid Condition", e);
......@@ -87,8 +90,9 @@ public class RuleEvaluator implements Decidable
try
{
this.effectMatchPepActionExps = RulePepActionExpressionsEvaluator.getInstance(ruleElt.getObligationExpressions(), ruleElt.getAdviceExpressions(),
xPathCompiler, expressionFactory, effect);
this.effectMatchPepActionExps = RulePepActionExpressionsEvaluator.getInstance(
ruleElt.getObligationExpressions(), ruleElt.getAdviceExpressions(), xPathCompiler,
expressionFactory, effect);
} catch (IllegalArgumentException e)
{
throw new IllegalArgumentException(this + ": Invalid ObligationExpressions/AdviceExpressions", e);
......@@ -115,13 +119,14 @@ public class RuleEvaluator implements Decidable
}
/**
* Evaluates the rule against the supplied context. This will check that the target matches, and then try to evaluate the condition. If the target and
* condition apply, then the rule's effect is returned in the result.
* Evaluates the rule against the supplied context. This will check that the target matches, and then try to
* evaluate the condition. If the target and condition apply, then the rule's effect is returned in the result.
* <p>
* Note that rules are not required to have targets. If no target is specified, then the rule inherits its parent's target. In the event that this
* <code>RuleEvaluator</code> has no <code>Target</code> then the match is assumed to be true, since evaluating a policy tree to this level required the
* parent's target to match. In debug level, this method logs the evaluation result before return. Indeterminate results are logged in warn level only
* (which "includes" debug level).
* Note that rules are not required to have targets. If no target is specified, then the rule inherits its parent's
* target. In the event that this <code>RuleEvaluator</code> has no <code>Target</code> then the match is assumed to
* be true, since evaluating a policy tree to this level required the parent's target to match. In debug level, this
* method logs the evaluation result before return. Indeterminate results are logged in warn level only (which
* "includes" debug level).
*
* @param context
* the representation of the request we're evaluating
......@@ -152,25 +157,27 @@ public class RuleEvaluator implements Decidable
LOGGER.debug("{}/Target -> Match", this);
} catch (IndeterminateEvaluationException e)
{
// Target is Indeterminate
/*
* Before we lose the exception information, log it at a higher level because it is an evaluation error (but no critical application error,
* therefore lower level than error)
* Before we lose the exception information, log it at a higher level because it is an evaluation error
* (but no critical application error, therefore lower level than error)
*/
LOGGER.info("{}/Target -> Indeterminate", this, e);
/*
* FIXME: implement Extended Indeterminate: "Indeterminate{P}" if the Rule's Effect is Permit, or "Indeterminate{D}" if the Rule's Effect is
* Deny
* Condition is Indeterminate, determine Extended Indeterminate (section 7.11) which is the value of the
* Rule's Effect
*/
final DecisionResult result = new BaseDecisionResult(e.getStatus());
final DecisionResult result = new BaseDecisionResult(e.getStatus(), this.effectAsDecision);
LOGGER.debug("{} -> {}", this, result);
return result;
}
}
/*
* Target matches -> check condition Rule's condition considered as True if condition = null or condition's expression evaluated to true. See section
* 7.9 of XACML core spec, so result is the Rule's Effect, unless condition is not null AND it evaluates to False or throws Indeterminate exception.
* Target matches -> check condition Rule's condition considered as True if condition = null or condition's
* expression evaluated to true. See section 7.9 of XACML core spec, so result is the Rule's Effect, unless
* condition is not null AND it evaluates to False or throws Indeterminate exception.
*/
if (evaluatableCondition == null)
{
......@@ -184,13 +191,16 @@ public class RuleEvaluator implements Decidable
isConditionTrue = evaluatableCondition.evaluate(context);
} catch (IndeterminateEvaluationException e)
{
// if it was INDETERMINATE, then that's what we return
/*
* Before we lose the exception information, log it at a higher level because it is an evaluation error (but no critical application error,
* therefore lower level than Error level)
* Condition is Indeterminate, determine Extended Indeterminate (section 7.11) which is the value of the
* Rule's Effect
*/
/*
* Before we lose the exception information, log it at a higher level because it is an evaluation error
* (but not a critical application error, therefore lower level than Error level)
*/
LOGGER.info("{}/Condition -> Indeterminate", this, e);
final DecisionResult result = new BaseDecisionResult(e.getStatus());
final DecisionResult result = new BaseDecisionResult(e.getStatus(), this.effectAsDecision);
LOGGER.debug("{} -> {}", this, result);
return result;
}
......@@ -217,9 +227,9 @@ public class RuleEvaluator implements Decidable
}
/*
* Evaluate obligations/advice we have already filtered out obligations/advice that do not apply to Rule's effect, after calling
* PepActionExpressionsEvaluator.getInstance(..., effect) in the constructor. So no need to do it again, that's why Effect not used as argument to
* evaluate() here.
* Evaluate obligations/advice we have already filtered out obligations/advice that do not apply to Rule's
* effect, after calling PepActionExpressionsEvaluator.getInstance(..., effect) in the constructor. So no need
* to do it again, that's why Effect not used as argument to evaluate() here.
*/
final PepActions pepActions;
try
......@@ -228,16 +238,18 @@ public class RuleEvaluator implements Decidable
} catch (IndeterminateEvaluationException e)
{
/*
* Before we lose the exception information, log it at a higher level because it is an evaluation error (but no critical application error,
* therefore lower level than Error level)
* Before we lose the exception information, log it at a higher level because it is an evaluation error (but
* no critical application error, therefore lower level than Error level)
*/
LOGGER.info("{}/{Obligation|Advice}Expressions -> Indeterminate", this, e);
/*
* If any of the attribute assignment expressions in an obligation or advice expression with a matching FulfillOn or AppliesTo attribute evaluates
* to "Indeterminate", then the whole rule, policy, or policy set SHALL be "Indeterminate" (see XACML 3.0 core spec, section 7.18).
* If any of the attribute assignment expressions in an obligation or advice expression with a matching
* FulfillOn or AppliesTo attribute evaluates to "Indeterminate", then the whole rule, policy, or policy set
* SHALL be "Indeterminate" (see XACML 3.0 core spec, section 7.18). For the Extended Indeterminate, we do
* like for Target or Condition evaluation in section 7.11 (same as the rule's Effect).
*/
final BaseDecisionResult result = new BaseDecisionResult(e.getStatus());
final BaseDecisionResult result = new BaseDecisionResult(e.getStatus(), this.effectAsDecision);
LOGGER.debug("{} -> {}", this, result);
return result;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment