Commit 147ef63c authored by cdanger's avatar cdanger

### Added

- PdpImpl#getStaticRootAndRefPolicies() that provides all the PDP's root policy and policies referenced - directly or indirectly - from the root policy, if all are statically resolved. This allows PDP clients to know all the policies (if statically resolved) possibly used by the PDP during the evaluation.
parent c5602fe4
......@@ -2,6 +2,8 @@
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions.
## Unreleased
### Added
- PdpImpl#getStaticRootAndRefPolicies() that provides all the PDP's root policy and policies referenced - directly or indirectly - from the root policy, if all are statically resolved. This allows PDP clients to know all the policies (if statically resolved) possibly used by the PDP during the evaluation.
## 3.7.0
### Added
......
......@@ -6,7 +6,7 @@
<version>3.3.7</version>
</parent>
<artifactId>authzforce-ce-core</artifactId>
<version>3.7.1-SNAPSHOT</version>
<version>3.8.0-SNAPSHOT</version>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthZForce Community Edition - XACML-compliant Core Engine</description>
<url>https://tuleap.ow2.org/projects/authzforce</url>
......@@ -56,7 +56,7 @@
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
<!-- Major/minor version should match this artifact major/minor version to respect Semantic Versioning; -->
<version>3.6.1</version>
<version>3.7.0-SNAPSHOT</version>
</dependency>
<!-- /Authzforce dependencies -->
......
......@@ -41,6 +41,7 @@ import org.ow2.authzforce.core.pdp.api.DecisionResultFilter;
import org.ow2.authzforce.core.pdp.api.EnvironmentProperties;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.IndividualDecisionRequest;
import org.ow2.authzforce.core.pdp.api.PolicyVersion;
import org.ow2.authzforce.core.pdp.api.RequestFilter;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.api.XMLUtils;
......@@ -209,7 +210,7 @@ public class PDPImpl implements CloseablePDP
};
private final RootPolicyEvaluator rootPolicyProvider;
private final RootPolicyEvaluator rootPolicyEvaluator;
private final DecisionCache decisionCache;
private final RequestFilter reqFilter;
private final IndividualDecisionRequestEvaluator individualReqEvaluator;
......@@ -276,17 +277,17 @@ public class PDPImpl implements CloseablePDP
final RequestFilter requestFilter = requestFilterFactory.getInstance(attributeFactory, strictAttributeIssuerMatch, enableXPath,
XMLUtils.SAXON_PROCESSOR);
final RootPolicyEvaluator.Base candidateRootPolicyProvider = new RootPolicyEvaluator.Base(attributeFactory, functionRegistry,
final RootPolicyEvaluator.Base candidateRootPolicyEvaluator = new RootPolicyEvaluator.Base(attributeFactory, functionRegistry,
jaxbAttributeProviderConfs, maxVariableReferenceDepth, enableXPath, combiningAlgRegistry, jaxbRootPolicyProviderConf,
jaxbRefPolicyProviderConf, maxPolicySetRefDepth, strictAttributeIssuerMatch, environmentProperties);
// Use static resolution if possible
final RootPolicyEvaluator staticRootPolicyProvider = candidateRootPolicyProvider.toStatic();
if (staticRootPolicyProvider == null)
final RootPolicyEvaluator staticRootPolicyEvaluator = candidateRootPolicyEvaluator.toStatic();
if (staticRootPolicyEvaluator == null)
{
this.rootPolicyProvider = candidateRootPolicyProvider;
this.rootPolicyEvaluator = candidateRootPolicyEvaluator;
} else
{
this.rootPolicyProvider = staticRootPolicyProvider;
this.rootPolicyEvaluator = staticRootPolicyEvaluator;
}
this.reqFilter = requestFilter;
......@@ -302,8 +303,8 @@ public class PDPImpl implements CloseablePDP
this.decisionCache = responseCacheStoreFactory.getInstance(jaxbDecisionCacheConf);
}
this.individualReqEvaluator = this.decisionCache == null ? new NonCachingIndividualDecisionRequestEvaluator(rootPolicyProvider)
: new CachingIndividualRequestEvaluator(rootPolicyProvider, this.decisionCache);
this.individualReqEvaluator = this.decisionCache == null ? new NonCachingIndividualDecisionRequestEvaluator(rootPolicyEvaluator)
: new CachingIndividualRequestEvaluator(rootPolicyEvaluator, this.decisionCache);
this.resultFilter = decisionResultFilter == null ? DEFAULT_RESULT_FILTER : decisionResultFilter;
}
......@@ -379,7 +380,7 @@ public class PDPImpl implements CloseablePDP
@Override
public void close() throws IOException
{
rootPolicyProvider.close();
rootPolicyEvaluator.close();
if (decisionCache != null)
{
decisionCache.close();
......@@ -391,5 +392,13 @@ public class PDPImpl implements CloseablePDP
{
return evaluate(request, null);
}
/**
* Get the PDP's root policy and policies referenced - directly or indirectly - from the root policy, if all are statically resolved
* @return the root and referenced policies; null if any of these policies is not statically resolved (once and for all)
*/
public Map<String, PolicyVersion> getStaticRootAndRefPolicies() {
return this.rootPolicyEvaluator.getStaticRootAndRefPolicies();
}
}
......@@ -15,11 +15,13 @@ package org.ow2.authzforce.core.pdp.impl.policy;
import java.util.Deque;
import java.util.List;
import java.util.Map;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.IPolicyEvaluator;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.PolicyVersion;
import org.ow2.authzforce.core.pdp.api.RefPolicyProvider;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.api.VersionPatterns;
......@@ -112,4 +114,16 @@ class DynamicPolicyRefEvaluator<T extends IPolicyEvaluator> extends PolicyRefere
// computed dynamically at evaluation time, see resolve() method
return null;
}
@Override
public Map<String, PolicyVersion> getStaticRefPolicies() {
// this is not static
return null;
}
@Override
public PolicyVersion getPolicyVersion() {
// Version is not statically defined
return null;
}
}
\ No newline at end of file
......@@ -38,6 +38,7 @@ import org.ow2.authzforce.core.pdp.api.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.IPolicyEvaluator;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.PepActions;
import org.ow2.authzforce.core.pdp.api.PolicyVersion;
import org.ow2.authzforce.core.pdp.api.RefPolicyProvider;
import org.ow2.authzforce.core.pdp.api.VersionPatterns;
import org.ow2.authzforce.core.pdp.impl.BaseDecisionResult;
......@@ -54,11 +55,14 @@ import com.sun.xacml.ParsingException;
* type of combined child elements in evaluated Policy(Set)
*
*/
public abstract class GenericPolicyEvaluator<T extends Decidable> implements IPolicyEvaluator
{
private final static Logger LOGGER = LoggerFactory.getLogger(GenericPolicyEvaluator.class);
private static final IllegalArgumentException NULL_POLICY_ID_EXCEPTION = new IllegalArgumentException("Undefined Policy(Set)Id (required)");
private static final IllegalArgumentException NULL_VERSION_EXCEPTION = new IllegalArgumentException("Undefined Policy(Set) Version (required)");
public abstract class GenericPolicyEvaluator<T extends Decidable> implements
IPolicyEvaluator {
private static final Logger LOGGER = LoggerFactory
.getLogger(GenericPolicyEvaluator.class);
private static final IllegalArgumentException NULL_POLICY_ID_EXCEPTION = new IllegalArgumentException(
"Undefined Policy(Set)Id (required)");
private static final IllegalArgumentException NULL_VERSION_EXCEPTION = new IllegalArgumentException(
"Undefined Policy(Set) Version (required)");
private static final IllegalArgumentException UNDEF_REF_POLICY_PROVIDER_EXCEPTION = new IllegalArgumentException(
"Policy(Set)IdReference resolver/Provider undefined");
......@@ -73,58 +77,77 @@ public abstract class GenericPolicyEvaluator<T extends Decidable> implements IPo
* @param refPolicyProvider
* Policy(Set)IdReference resolver/Provider
* @param refPolicyType
* type of policy referenced, i.e. whether it refers to Policy or PolicySet
* type of policy referenced, i.e. whether it refers to Policy or
* PolicySet
* @param parentPolicySetRefChain
* chain of ancestor PolicySetIdReferences leading to the reference identified here by {@code idRef} (exclusive): PolicySet Ref 1 -> PolicySet
* Ref 2 -> ... -> Ref n -> {@code idRef}. This allows to detect circular references and validate the size of the chain against the max depth
* enforced by {@code policyProvider}. This may be null if no ancestor, e.g. a PolicySetIdReference in a top-level PolicySet. Beware that we only
* keep the IDs in the chain, and not the version, because we consider that a reference loop on the same policy ID is not allowed, no matter what
* the version is.
* chain of ancestor PolicySetIdReferences leading to the
* reference identified here by {@code idRef} (exclusive):
* PolicySet Ref 1 -> PolicySet Ref 2 -> ... -> Ref n ->
* {@code idRef}. This allows to detect circular references and
* validate the size of the chain against the max depth enforced
* by {@code policyProvider}. This may be null if no ancestor,
* e.g. a PolicySetIdReference in a top-level PolicySet. Beware
* that we only keep the IDs in the chain, and not the version,
* because we consider that a reference loop on the same policy
* ID is not allowed, no matter what the version is.
* @return instance instance of PolicyReference
* @throws IllegalArgumentException
* if {@code refPolicyProvider} undefined, or there is no policy of type {@code refPolicyType} matching {@code idRef} to be found by
* {@code refPolicyProvider}, or PolicySetIdReference loop detected or PolicySetIdReference depth exceeds the max enforced by
* {@code policyProvider}
* if {@code refPolicyProvider} undefined, or there is no policy
* of type {@code refPolicyType} matching {@code idRef} to be
* found by {@code refPolicyProvider}, or PolicySetIdReference
* loop detected or PolicySetIdReference depth exceeds the max
* enforced by {@code policyProvider}
*/
public static <T extends IPolicyEvaluator> PolicyReferenceEvaluator<T> getPolicyRefEvaluator(IdReferenceType idRef, RefPolicyProvider refPolicyProvider,
Class<T> refPolicyType, Deque<String> parentPolicySetRefChain) throws IllegalArgumentException
{
if (refPolicyProvider == null)
{
public static <T extends IPolicyEvaluator> PolicyReferenceEvaluator<T> getPolicyRefEvaluator(
IdReferenceType idRef, RefPolicyProvider refPolicyProvider,
Class<T> refPolicyType, Deque<String> parentPolicySetRefChain)
throws IllegalArgumentException {
if (refPolicyProvider == null) {
throw UNDEF_REF_POLICY_PROVIDER_EXCEPTION;
}
final VersionPatterns versionConstraints = new VersionPatterns(idRef.getVersion(), idRef.getEarliestVersion(), idRef.getLatestVersion());
final VersionPatterns versionConstraints = new VersionPatterns(
idRef.getVersion(), idRef.getEarliestVersion(),
idRef.getLatestVersion());
/*
* REMINDER: parentPolicySetRefChain is handled/updated by the refPolicyProvider. So do not modify it here, just pass the parameter. modify it here.
* REMINDER: parentPolicySetRefChain is handled/updated by the
* refPolicyProvider. So do not modify it here, just pass the parameter.
* modify it here.
*/
if (refPolicyProvider.isStatic())
{
if (refPolicyProvider.isStatic()) {
final T policy;
try
{
policy = refPolicyProvider.get(refPolicyType, idRef.getValue(), versionConstraints, parentPolicySetRefChain);
} catch (IndeterminateEvaluationException e)
{
throw new IllegalArgumentException("Error resolving statically or parsing "
+ PolicyReferenceEvaluator.toString(refPolicyType, idRef.getValue(), versionConstraints)
+ " into its referenced policy (via static policy Provider)", e);
try {
policy = refPolicyProvider.get(refPolicyType, idRef.getValue(),
versionConstraints, parentPolicySetRefChain);
} catch (IndeterminateEvaluationException e) {
throw new IllegalArgumentException(
"Error resolving statically or parsing "
+ PolicyReferenceEvaluator.toString(
refPolicyType, idRef.getValue(),
versionConstraints)
+ " into its referenced policy (via static policy Provider)",
e);
}
if (policy == null)
{
throw new IllegalArgumentException("No " + (refPolicyType == PolicyEvaluator.class ? "Policy" : "PolicySet") + " matching reference: " + idRef);
if (policy == null) {
throw new IllegalArgumentException("No "
+ (refPolicyType == PolicyEvaluator.class ? "Policy"
: "PolicySet") + " matching reference: "
+ idRef);
}
return new StaticPolicyRefEvaluator<>(idRef.getValue(), versionConstraints, policy);
return new StaticPolicyRefEvaluator<>(idRef.getValue(),
versionConstraints, policy);
}
// dynamic reference resolution
return new DynamicPolicyRefEvaluator<>(idRef.getValue(), versionConstraints, refPolicyType, refPolicyProvider, parentPolicySetRefChain);
return new DynamicPolicyRefEvaluator<>(idRef.getValue(),
versionConstraints, refPolicyType, refPolicyProvider,
parentPolicySetRefChain);
}
private final String policyId;
private final String policyVersion;
private final PolicyVersion policyVersion;
private final TargetEvaluator targetEvaluator;
private final CombiningAlg.Evaluator combiningAlgEvaluator;
private final PolicyPepActionExpressionsEvaluator pepActionExps;
......@@ -144,13 +167,15 @@ public abstract class GenericPolicyEvaluator<T extends Decidable> implements IPo
* @param policyTarget
* policy(Set) Target
* @param combinedElements
* child elements combined in the policy(set) by {@code combiningAlg}
* child elements combined in the policy(set) by
* {@code combiningAlg}
* @param combinerParameters
* combining algorithm parameters
* @param localVariableIds
* IDs of variables defined locally (in policy {@code policyId})
* @param jaxbPolicyRef
* policy reference (identifier and version) of the policy that this evaluator evaluates
* policy reference (identifier and version) of the policy that
* this evaluator evaluates
* @param combiningAlgId
* (policy/rule-)combining algorithm ID
* @param obligationExps
......@@ -158,82 +183,91 @@ public abstract class GenericPolicyEvaluator<T extends Decidable> implements IPo
* @param adviceExps
* AdviceExpressions
* @param defaultXPathCompiler
* Default XPath compiler corresponding to the Policy(Set) default XPath version
* Default XPath compiler corresponding to the Policy(Set)
* default XPath version
* @param expressionFactory
* Expression factory/parser
* @param combiningAlgRegistry
* rule/policy combining algorithm registry
* @throws IllegalArgumentException
* if {@code jaxbPolicyRef == null || jaxbPolicyRef.getValue().getValue() == null || jaxbPolicyRef.getValue().getVersion() == null}
* if
* {@code jaxbPolicyRef == null || jaxbPolicyRef.getValue().getValue() == null || jaxbPolicyRef.getValue().getVersion() == null}
*/
public GenericPolicyEvaluator(Class<T> combinedElementClass, JAXBElement<IdReferenceType> jaxbPolicyRef, Target policyTarget, String combiningAlgId,
List<? extends T> combinedElements, List<CombiningAlgParameter<? extends T>> combinerParameters, ObligationExpressions obligationExps,
AdviceExpressions adviceExps, Set<String> localVariableIds, XPathCompiler defaultXPathCompiler, ExpressionFactory expressionFactory,
CombiningAlgRegistry combiningAlgRegistry) throws IllegalArgumentException
{
if (jaxbPolicyRef == null)
{
public GenericPolicyEvaluator(Class<T> combinedElementClass,
JAXBElement<IdReferenceType> jaxbPolicyRef, Target policyTarget,
String combiningAlgId, List<? extends T> combinedElements,
List<CombiningAlgParameter<? extends T>> combinerParameters,
ObligationExpressions obligationExps, AdviceExpressions adviceExps,
Set<String> localVariableIds, XPathCompiler defaultXPathCompiler,
ExpressionFactory expressionFactory,
CombiningAlgRegistry combiningAlgRegistry)
throws IllegalArgumentException {
if (jaxbPolicyRef == null) {
throw NULL_POLICY_REF_EXCEPTION;
}
this.refToSelf = jaxbPolicyRef;
final IdReferenceType jaxbIdRef = jaxbPolicyRef.getValue();
final String id = jaxbIdRef.getValue();
if (id == null)
{
if (id == null) {
throw NULL_POLICY_ID_EXCEPTION;
}
this.policyId = id;
final String version = jaxbIdRef.getVersion();
if (version == null)
{
if (version == null) {
throw NULL_VERSION_EXCEPTION;
}
this.policyVersion = version;
this.policyVersion = new PolicyVersion(version);
this.toString = this.getClass().getSimpleName() + "[" + this.policyId + "#v" + this.policyVersion + "]";
this.toString = this.getClass().getSimpleName() + "[" + this.policyId
+ "#v" + this.policyVersion + "]";
/*
* Note that we ignore the PolicyIssuer in the hashCode because it is ignored/unused as well in PolicyIdReferences. So we consider it is useless for
* identification in the XACML model.
* Note that we ignore the PolicyIssuer in the hashCode because it is
* ignored/unused as well in PolicyIdReferences. So we consider it is
* useless for identification in the XACML model.
*/
this.hashCode = Objects.hash(this.getClass(), this.policyId, this.policyVersion);
this.hashCode = Objects.hash(this.getClass(), this.policyId,
this.policyVersion);
try
{
this.targetEvaluator = new TargetEvaluator(policyTarget, defaultXPathCompiler, expressionFactory);
} catch (IllegalArgumentException e)
{
try {
this.targetEvaluator = new TargetEvaluator(policyTarget,
defaultXPathCompiler, expressionFactory);
} catch (IllegalArgumentException e) {
throw new IllegalArgumentException(this + ": Invalid Target", e);
}
this.combiningAlgId = combiningAlgId;
final CombiningAlg<T> combiningAlg;
try
{
combiningAlg = combiningAlgRegistry.getAlgorithm(combiningAlgId, combinedElementClass);
} catch (IllegalArgumentException e)
{
throw new IllegalArgumentException(this + ": Unknown combining algorithm ID = " + combiningAlgId, e);
try {
combiningAlg = combiningAlgRegistry.getAlgorithm(combiningAlgId,
combinedElementClass);
} catch (IllegalArgumentException e) {
throw new IllegalArgumentException(this
+ ": Unknown combining algorithm ID = " + combiningAlgId, e);
}
this.combiningAlgEvaluator = combiningAlg.getInstance(combinerParameters, combinedElements);
try
{
this.pepActionExps = PolicyPepActionExpressionsEvaluator.getInstance(obligationExps, adviceExps, defaultXPathCompiler, expressionFactory);
} catch (IllegalArgumentException | ParsingException e)
{
throw new IllegalArgumentException(this + ": Invalid AttributeAssignmentExpressions", e);
this.combiningAlgEvaluator = combiningAlg.getInstance(
combinerParameters, combinedElements);
try {
this.pepActionExps = PolicyPepActionExpressionsEvaluator
.getInstance(obligationExps, adviceExps,
defaultXPathCompiler, expressionFactory);
} catch (IllegalArgumentException | ParsingException e) {
throw new IllegalArgumentException(this
+ ": Invalid AttributeAssignmentExpressions", e);
}
this.localVariableIds = localVariableIds == null ? Collections.<String> emptySet() : localVariableIds;
this.localVariableIds = localVariableIds == null ? Collections
.<String> emptySet() : localVariableIds;
}
/**
* Policy(Set) evaluation which option to skip Target evaluation. The option is to be used by Only-one-applicable algorithm with value 'true', after calling
* {@link #isApplicable(EvaluationContext)} in particular.
* Policy(Set) evaluation which option to skip Target evaluation. The option
* is to be used by Only-one-applicable algorithm with value 'true', after
* calling {@link #isApplicable(EvaluationContext)} in particular.
*
* @param context
* evaluation context
......@@ -242,33 +276,28 @@ public abstract class GenericPolicyEvaluator<T extends Decidable> implements IPo
* @return decision result
*/
@Override
public DecisionResult evaluate(EvaluationContext context, boolean skipTarget)
{
try
{
public DecisionResult evaluate(EvaluationContext context, boolean skipTarget) {
try {
final DecisionResult algResult;
if (skipTarget)
{
if (skipTarget) {
// evaluate with combining algorithm
algResult = combiningAlgEvaluator.eval(context);
LOGGER.debug("{}/Algorithm -> {}", policyId, algResult);
} else
{
} else {
// evaluate target
IndeterminateEvaluationException targetMatchIndeterminateException = null;
try
{
if (!isApplicable(context))
{
try {
if (!isApplicable(context)) {
LOGGER.debug("{} -> NotApplicable", policyId);
return BaseDecisionResult.NOT_APPLICABLE;
}
} catch (IndeterminateEvaluationException e)
{
} catch (IndeterminateEvaluationException e) {
targetMatchIndeterminateException = e;
/*
* Before we lose the exception information, log it at a higher level because it is an evaluation error (but no critical application error,
* therefore lower level than error)
* Before we lose the exception information, log it at a
* higher level because it is an evaluation error (but no
* critical application error, therefore lower level than
* error)
*/
LOGGER.info("{}/Target -> Indeterminate", policyId, e);
}
......@@ -277,18 +306,18 @@ public abstract class GenericPolicyEvaluator<T extends Decidable> implements IPo
algResult = combiningAlgEvaluator.eval(context);
LOGGER.debug("{}/Algorithm -> {}", policyId, algResult);
if (targetMatchIndeterminateException != null)
{
// FIXME: implement Extended Indeterminates according to table 7 section 7.14
// (XACML
// 3.0)
if (algResult.getDecision() == DecisionType.NOT_APPLICABLE)
{
if (targetMatchIndeterminateException != null) {
/*
* FIXME: implement Extended Indeterminates according to
* table 7 section 7.14 (XACML 3.0)
*/
if (algResult.getDecision() == DecisionType.NOT_APPLICABLE) {
return algResult;
}
// everything else considered as Indeterminate
return new BaseDecisionResult(targetMatchIndeterminateException.getStatus());
return new BaseDecisionResult(
targetMatchIndeterminateException.getStatus());
}
}
......@@ -296,87 +325,87 @@ public abstract class GenericPolicyEvaluator<T extends Decidable> implements IPo
final DecisionType algResultDecision = algResult.getDecision();
final PepActions pepActions;
final List<JAXBElement<IdReferenceType>> applicablePolicyIdList;
switch (algResultDecision)
{
switch (algResultDecision) {
case NOT_APPLICABLE:
return algResult;
case INDETERMINATE:
if (context.isApplicablePolicyIdListReturned())
{
applicablePolicyIdList = algResult.getApplicablePolicyIdList();
if (context.isApplicablePolicyIdListReturned()) {
applicablePolicyIdList = algResult
.getApplicablePolicyIdList();
applicablePolicyIdList.add(this.refToSelf);
// PEP actions not returned with Indeterminate
pepActions = null;
} else
{
} else {
return algResult;
}
break;
default:
if (context.isApplicablePolicyIdListReturned())
{
applicablePolicyIdList = algResult.getApplicablePolicyIdList();
if (context.isApplicablePolicyIdListReturned()) {
applicablePolicyIdList = algResult
.getApplicablePolicyIdList();
applicablePolicyIdList.add(this.refToSelf);
} else
{
} else {
// applicable policy identifiers are NOT requested
applicablePolicyIdList = null;
}
if (pepActionExps == null)
{
if (applicablePolicyIdList == null)
{
if (pepActionExps == null) {
if (applicablePolicyIdList == null) {
// nothing to add to the combining alg eval result
return algResult;
}
// no PEP actions on this Policy(Set) explicitly but maybe on the children evaluated by combining algorithm
// so we take the PEP actions resulting of algorithm evaluation as the result PEP actions
// no PEP actions on this Policy(Set) explicitly but maybe
// on the children evaluated by combining algorithm
// so we take the PEP actions resulting of algorithm
// evaluation as the result PEP actions
pepActions = algResult.getPepActions();
} else
{
} else {
// pepActionExps != null -> evaluate pepActionExps
/*
* If any of the attribute assignment expressions in an obligation or advice expression with a matching FulfillOn or AppliesTo attribute
* evaluates to "Indeterminate", then the whole rule, policy, or policy set SHALL be "Indeterminate" (see XACML 3.0 core spec, section
* 7.18).
* If any of the attribute assignment expressions in an
* obligation or advice expression with a matching FulfillOn
* or AppliesTo attribute evaluates to "Indeterminate", then
* the whole rule, policy, or policy set SHALL be
* "Indeterminate" (see XACML 3.0 core spec, section 7.18).
*/
try
{
try {
pepActions = pepActionExps.evaluate(algResult, context);
} catch (IndeterminateEvaluationException e)
{
} catch (IndeterminateEvaluationException e) {
/*
* Before we lose the exception information, log it at a higher level because it is an evaluation error (but no critical application
* error, therefore lower level than error)
* Before we lose the exception information, log it at a
* higher level because it is an evaluation error (but
* no critical application error, therefore lower level
* than error)
*/
LOGGER.info("{}/{Obligation|Advice}Expressions -> Indeterminate", policyId, e);
return new BaseDecisionResult(DecisionType.INDETERMINATE, e.getStatus(), null, applicablePolicyIdList);
LOGGER.info(
"{}/{Obligation|Advice}Expressions -> Indeterminate",
policyId, e);
return new BaseDecisionResult(
DecisionType.INDETERMINATE, e.getStatus(),
null, applicablePolicyIdList);
}
}
}
return new BaseDecisionResult(algResultDecision, algResult.getStatus(), pepActions, applicablePolicyIdList);
} finally
{
return new BaseDecisionResult(algResultDecision,
algResult.getStatus(), pepActions, applicablePolicyIdList);
} finally {
// remove local variables from context
for (final String varId : this.localVariableIds)
{
for (final String varId : this.localVariableIds) {
context.removeVariable(varId);
}
}
}
@Override
public boolean isApplicable(EvaluationContext context) throws IndeterminateEvaluationException
{
public boolean isApplicable(EvaluationContext context)
throws IndeterminateEvaluationException {
/*
* Null or empty Target matches all
*/
if (targetEvaluator == null)
{
if (targetEvaluator == null) {
LOGGER.debug("{}/Target (none/empty) -> Match", policyId);
return true;
}
......@@ -387,54 +416,53 @@ public abstract class GenericPolicyEvaluator<T extends Decidable> implements IPo
}
@Override
public DecisionResult evaluate(EvaluationContext context)
{
public DecisionResult evaluate(EvaluationContext context) {
return evaluate(context, false);
}
@Override
public String toString()
{
public String toString() {
return toString;
}
@Override
public int hashCode()
{
public int hashCode() {
return hashCode;
}
@Override
public boolean equals(Object obj)
{
public boolean equals(Object obj) {
// Effective Java - Item 8
if (this == obj)
{
if (this == obj) {
return true;
}
// if not both PolicyEvaluators or not both PolicySetEvaluators
if (obj == null || this.getClass() != obj.getClass())
{
if (obj == null || this.getClass() != obj.getClass()) {
return false;
}
final GenericPolicyEvaluator<?> other = (GenericPolicyEvaluator<?>) obj;
/*
* We ignore the policyIssuer because it is no part of PolicyReferences, therefore we consider it is not part of the Policy uniqueness
* We ignore the policyIssuer because it is no part of PolicyReferences,
* therefore we consider it is not part of the Policy uniqueness
*/
return this.policyId.equals(other.policyId) && this.policyVersion.equals(other.policyVersion);
return this.policyId.equals(other.policyId)
&& this.policyVersion.equals(other.policyVersion);
}
@Override
public String getPolicyId()
{
public String getPolicyId() {
return this.policyId;
}
@Override
public String getCombiningAlgId()
{
public PolicyVersion getPolicyVersion() {