Commit 15f43c13 authored by cdanger's avatar cdanger

- POM: changed parent version: 3.4.0 -> 4.0.0

- POM: changed project version: 5.0.3-SNAPSHOT -> 6.0.0
- POM: changed dep version: authzforce-ce-core-pdp-api 7.1.2-SNAPSHOT ->
8.0.0-SNAPSHOT
- POM: added owasp-dependency-check plugin
- Replaced classes (Ordered)Deny/PermitOverridesCombiningAlg with
DPOverridesCombiningAlg
- Replaced classes Deny/PermitUnlessPermit/DenyCombiningAlg with
DPUnlessPDCombiningAlg 
- LogicalNOfFunction: first parameter (minimum of TRUE arguments to
return TRUE) checked at Apply parsing time if constant
- Substring function: second and third arguments checked at Apply
parsing time if constant (arg1 >= 0, arg2 == -1 || arg2 >= arg1)
- XACML Condition: expression checked whether constant FALSE -> illegal
(or TRUE -> optimized)
- Fixed issues with unit tests 
parent 0b81ddc7
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: mailapi-1.5.6.jar
]]></notes>
<gav regex="true">^com\.sun\.mail:mailapi:.*$</gav>
<cve>CVE-2007-6059</cve>
</suppress>
</suppressions>
\ No newline at end of file
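Review bot: The `<gav>` pattern `^com\.sun\.mail:mailapi:.*$` suppresses CVE-2007-6059 for every current and future version of the artifact, and the `<notes>` element records only the jar name, not why the finding is treated as a false positive. Since the notes name mailapi-1.5.6.jar, the pattern can be pinned to that version, `<gav regex="true">^com\.sun\.mail:mailapi:1\.5\.6$</gav>`, so that an upgrade brings the finding back for re-evaluation. I would also add a sentence to the notes stating the reason for the suppression, so the next reviewer of the scan report can verify it.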
......@@ -3,10 +3,10 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-parent</artifactId>
<version>3.4.0</version>
<version>4.0.0-SNAPSHOT</version>
</parent>
<artifactId>authzforce-ce-core</artifactId>
<version>5.0.3-SNAPSHOT</version>
<version>6.0.0-SNAPSHOT</version>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthZForce Community Edition - XACML-compliant Core Engine</description>
<url>https://tuleap.ow2.org/projects/authzforce</url>
......@@ -35,7 +35,6 @@
<!-- For loading XML schemas with OASIS catalog (CatalogManager) -->
<groupId>xml-resolver</groupId>
<artifactId>xml-resolver</artifactId>
<version>1.2</version>
</dependency>
<!-- /Third-party dependencies -->
......@@ -43,7 +42,7 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
<version>7.1.2-SNAPSHOT</version>
<version>8.0.0-SNAPSHOT</version>
</dependency>
<!-- /Authzforce dependencies -->
......@@ -63,6 +62,22 @@
</dependencies>
<build>
<plugins>
<plugin>
<!-- Consider combining with Red Hat Victims and OSS Index. More info on Victims vs. Dependency-check: https://bugzilla.redhat.com/show_bug.cgi?id=1388712 -->
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<!-- The plugin has numerous issues with version matching, which triggers false positives so we need a "suppresion" file for those. More info: https://github.com/jeremylong/DependencyCheck/issues -->
<suppressionFile>owasp-dependency-check-suppression.xml</suppressionFile>
</configuration>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
......@@ -202,7 +217,6 @@
<!-- Test configuration -->
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.12.4</version>
<configuration>
<skipTests>false</skipTests>
<systemPropertyVariables>
......@@ -216,7 +230,6 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>2.6</version>
<executions>
<execution>
<goals>
......
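Review bot: The new dependency-check execution binds the `check` goal but its `<configuration>` sets no `failBuildOnCVSS`, so with the plugin's default threshold the build reports vulnerable dependencies without failing on them. If the scan is meant to gate the build, add a threshold next to the suppression file, for example `<failBuildOnCVSS>7</failBuildOnCVSS>` (the value itself is a policy choice). The plugin is also declared without a `<version>`, like the xml-resolver, surefire and jar-plugin entries whose versions this commit removes. Presumably these are now managed by the 4.0.0-SNAPSHOT parent, which is worth confirming because an unmanaged plugin version lets scan behaviour change between builds.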
......@@ -21,14 +21,13 @@ package org.ow2.authzforce.core.pdp.impl;
import java.util.Map;
import java.util.Set;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.PdpExtension;
import org.ow2.authzforce.core.pdp.api.PdpExtensionRegistry;
import com.google.common.base.Function;
import com.google.common.base.Preconditions;
import com.google.common.collect.Maps;
import com.koloboke.collect.map.hash.HashObjObjMaps;
import com.koloboke.collect.set.hash.HashObjSets;
/**
* This is a base implementation of <code>PdpExtensionRegistry</code>. This should be used as basis to implement (in a final class) an immutable PDP extension registry of a specific type. If you need
......@@ -58,7 +57,7 @@ public abstract class BasePdpExtensionRegistry<T extends PdpExtension> implement
assert extensionClass != null && extensionsById != null;
this.extClass = extensionClass;
this.extensionsById = HashObjObjMaps.newImmutableMap(extensionsById);
this.extensionsById = HashCollections.newImmutableMap(extensionsById);
this.toString = this + "( extensionClass= " + extClass.getCanonicalName() + " )";
}
......@@ -73,7 +72,7 @@ public abstract class BasePdpExtensionRegistry<T extends PdpExtension> implement
@Override
public final Set<T> getExtensions()
{
return HashObjSets.newImmutableSet(extensionsById.values());
return HashCollections.newImmutableSet(extensionsById.values());
}
private static final class ExtensionToIdFunction<E extends PdpExtension> implements Function<E, String>
......
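Review bot: In the constructor hunk, `this.toString = this + "( extensionClass= " + ...` evaluates `this.toString()` while the `toString` field is still unassigned. If the class overrides `toString()` to return that field (not visible in this hunk), the cached text begins with `null`. Either way, it calls an overridable method on a partially constructed object. Building the prefix from the class name removes the dependency on initialisation order: `this.toString = getClass().getName() + "( extensionClass= " + extClass.getCanonicalName() + " )";`. The constructor starts outside the hunk.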
......@@ -31,6 +31,7 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.BaseRequestFilter;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.ImmutableIndividualDecisionRequest;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.IndividualDecisionRequest;
......@@ -41,8 +42,6 @@ import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.api.value.Bag;
import org.ow2.authzforce.core.pdp.api.value.DatatypeFactoryRegistry;
import com.koloboke.collect.map.hash.HashObjObjMaps;
/**
* Default Request filter for Individual Decision Requests only (no support of Multiple Decision Profile in particular)
*
......@@ -118,8 +117,8 @@ public final class DefaultRequestFilter extends BaseRequestFilter
public List<? extends IndividualDecisionRequest> filter(final List<Attributes> attributesList, final JaxbXACMLAttributesParser xacmlAttrsParser, final boolean isApplicablePolicyIdListReturned,
final boolean combinedDecision, final XPathCompiler xPathCompiler, final Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
{
final Map<AttributeGUID, Bag<?>> namedAttributes = HashObjObjMaps.newUpdatableMap(attributesList.size());
final Map<String, XdmNode> extraContentsByCategory = HashObjObjMaps.newUpdatableMap(attributesList.size());
final Map<AttributeGUID, Bag<?>> namedAttributes = HashCollections.newUpdatableMap(attributesList.size());
final Map<String, XdmNode> extraContentsByCategory = HashCollections.newUpdatableMap(attributesList.size());
/*
* attributesToIncludeInResult.size() <= attributesList.size()
*/
......@@ -135,14 +134,18 @@ public final class DefaultRequestFilter extends BaseRequestFilter
continue;
}
final XdmNode oldVal = extraContentsByCategory.put(categoryName, categorySpecificAttributes.getExtraContent());
/*
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we must check duplicate attribute categories.
*/
if (oldVal != null)
final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
if (newContentNode != null)
{
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName
+ "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);
final XdmNode oldContentNode = extraContentsByCategory.put(categoryName, newContentNode);
/*
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we must check duplicate attribute categories.
*/
if (oldContentNode != null)
{
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName
+ "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);
}
}
/*
......
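Review bot: The repeated-category check now runs only when `getExtraContent()` is non-null, so a request that repeats an `Attributes` category without `Content`, or with `Content` in only one occurrence, passes this block without the "Unsupported repetition" error that the comment says must be raised. Unless a later part of the loop (outside this hunk) rejects duplicates, the attributes of both occurrences would presumably end up in the same individual decision request. Tracking categories independently of their content keeps the check complete: keep a `Set<String>` of seen category names and test `if (!seenCategories.add(categoryName))` before the content handling, throwing the existing `IndeterminateEvaluationException` there. `MutableIndividualDecisionRequest.put` receives the same change and has the same gap for its documented duplicate-category `IllegalArgumentException`.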
......@@ -29,6 +29,7 @@ import net.sf.saxon.s9api.XdmNode;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.AttributeSelectorId;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.IndividualDecisionRequest;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
......@@ -42,8 +43,6 @@ import org.ow2.authzforce.core.pdp.api.value.Value;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.koloboke.collect.map.hash.HashObjObjMaps;
/**
* An {@link EvaluationContext} associated to an XACML Individual Decision Request, i.e. for evaluation to a single authorization decision Result (see Multiple Decision Profile spec for more
* information on Individual Decision Request as opposed to Multiple Decision Request).
......@@ -59,9 +58,9 @@ public final class IndividualDecisionRequestContext implements EvaluationContext
private final Map<AttributeGUID, Bag<?>> namedAttributes;
private final Map<String, Value> varValsById = HashObjObjMaps.newMutableMap();
private final Map<String, Value> varValsById = HashCollections.newMutableMap();
private final Map<String, Object> mutableProperties = HashObjObjMaps.newMutableMap();
private final Map<String, Object> mutableProperties = HashCollections.newMutableMap();
/*
* Corresponds to Attributes/Content (by attribute category) marshalled to XPath data model for XPath evaluation: AttributeSelector evaluation, XPath-based functions, etc. This may be empty if no
......@@ -99,7 +98,7 @@ public final class IndividualDecisionRequestContext implements EvaluationContext
public IndividualDecisionRequestContext(final Map<AttributeGUID, Bag<?>> namedAttributeMap, final Map<String, XdmNode> extraContentsByAttributeCategory,
final boolean returnApplicablePolicyIdList, final boolean returnUsedAttributes)
{
this.namedAttributes = namedAttributeMap == null ? HashObjObjMaps.<AttributeGUID, Bag<?>> newUpdatableMap() : namedAttributeMap;
this.namedAttributes = namedAttributeMap == null ? HashCollections.<AttributeGUID, Bag<?>> newUpdatableMap() : namedAttributeMap;
this.returnApplicablePolicyIdList = returnApplicablePolicyIdList;
this.usedNamedAttributeIdSet = returnUsedAttributes ? UpdatableCollections.<AttributeGUID> newUpdatableSet() : UpdatableCollections.<AttributeGUID> emptySet();
if (extraContentsByAttributeCategory == null)
......
......@@ -21,42 +21,38 @@ package org.ow2.authzforce.core.pdp.impl;
import java.util.Arrays;
import java.util.List;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeSelectorType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeValueType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Match;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.expression.Expression;
import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.expression.FunctionExpression;
import org.ow2.authzforce.core.pdp.api.func.Function;
import org.ow2.authzforce.core.pdp.api.func.FunctionCall;
import org.ow2.authzforce.core.pdp.api.value.AttributeValue;
import org.ow2.authzforce.core.pdp.api.value.BooleanValue;
import org.ow2.authzforce.core.pdp.impl.func.StandardFunction;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeSelectorType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeValueType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Match;
/**
* XACML Match evaluator. This is the part of the Target that actually evaluates
* whether the specified attribute values in the Target match the corresponding
* attribute values in the request context.
* XACML Match evaluator. This is the part of the Target that actually evaluates whether the specified attribute values in the Target match the corresponding attribute values in the request context.
*
* @version $Id: $
*/
public final class MatchEvaluator
{
private static final IllegalArgumentException NULL_XACML_MATCH_ARGUMENT_EXCEPTION = new IllegalArgumentException(
"Undefined input XACML Match element");
private static final IllegalArgumentException NULL_XACML_EXPRESSION_FACTORY_ARGUMENT_EXCEPTION = new IllegalArgumentException(
"Undefined input XACML Expression parser");
private static final IllegalArgumentException NULL_XACML_MATCH_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined input XACML Match element");
private static final IllegalArgumentException NULL_XACML_EXPRESSION_FACTORY_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined input XACML Expression parser");
/**
* Any-of function call equivalent to this Match:
* <p>
* Match(matchFunction, attributeValue, bagExpression) =
* anyOf(matchFunction, attributeValue, bagExpression)
* Match(matchFunction, attributeValue, bagExpression) = anyOf(matchFunction, attributeValue, bagExpression)
*/
private final transient FunctionCall<BooleanValue> anyOfFuncCall;
......@@ -68,13 +64,11 @@ public final class MatchEvaluator
* @param expFactory
* bagExpression factory
* @param xPathCompiler
* XPath compiler corresponding to enclosing policy(set) default
* XPath version
* XPath compiler corresponding to enclosing policy(set) default XPath version
* @throws java.lang.IllegalArgumentException
* null {@code expFactory} or null/empty {@code jaxbMatch}
*/
public MatchEvaluator(final Match jaxbMatch, final XPathCompiler xPathCompiler, final ExpressionFactory expFactory)
throws IllegalArgumentException
public MatchEvaluator(final Match jaxbMatch, final XPathCompiler xPathCompiler, final ExpressionFactory expFactory) throws IllegalArgumentException
{
if (jaxbMatch == null)
{
......@@ -89,7 +83,7 @@ public final class MatchEvaluator
// get the matchFunction type, making sure that it's really a correct
// Target matchFunction
final String matchId = jaxbMatch.getMatchId();
final Function<?> matchFunction = expFactory.getFunction(matchId);
final FunctionExpression matchFunction = expFactory.getFunction(matchId);
if (matchFunction == null)
{
throw new IllegalArgumentException("Unsupported function for MatchId: " + matchId);
......@@ -99,8 +93,7 @@ public final class MatchEvaluator
// value paired with it
final AttributeDesignatorType attributeDesignator = jaxbMatch.getAttributeDesignator();
final AttributeSelectorType attributeSelector = jaxbMatch.getAttributeSelector();
final Expression<?> bagExpression = expFactory.getInstance(
attributeDesignator == null ? attributeSelector : attributeDesignator, xPathCompiler, null);
final Expression<?> bagExpression = expFactory.getInstance(attributeDesignator == null ? attributeSelector : attributeDesignator, xPathCompiler, null);
final AttributeValueType attributeValue = jaxbMatch.getAttributeValue();
final Expression<? extends AttributeValue> attrValueExpr;
......@@ -113,42 +106,35 @@ public final class MatchEvaluator
throw new IllegalArgumentException("Invalid <Match>'s <AttributeValue>", e);
}
// Match(matchFunction, attributeValue, bagExpression) =
// anyOf(matchFunction,
// attributeValue, bagExpression)
final Function<BooleanValue> anyOfFunc = (Function<BooleanValue>) expFactory
.getFunction(StandardFunction.ANY_OF.getId());
if (anyOfFunc == null)
/*
* Match(matchFunction, attributeValue, bagExpression) = anyOf(matchFunction, attributeValue, bagExpression)
*/
final FunctionExpression funcExp = expFactory.getFunction(StandardFunction.ANY_OF.getId());
if (funcExp == null)
{
throw new IllegalArgumentException(
"Unsupported function '" + StandardFunction.ANY_OF.getId() + "' required for Match evaluation");
throw new IllegalArgumentException("Unsupported function '" + StandardFunction.ANY_OF.getId() + "' required for Match evaluation");
}
final List<Expression<?>> anyOfFuncInputs = Arrays.<Expression<?>> asList(matchFunction, attrValueExpr,
bagExpression);
final Function<BooleanValue> anyOfFunc = funcExp.getValue();
final List<Expression<?>> anyOfFuncInputs = Arrays.<Expression<?>> asList(matchFunction, attrValueExpr, bagExpression);
try
{
this.anyOfFuncCall = anyOfFunc.newCall(anyOfFuncInputs);
}
catch (final IllegalArgumentException e)
{
throw new IllegalArgumentException(
"Invalid inputs (Expressions) to the Match (validated using the equivalent standard 'any-of' function definition): "
+ anyOfFuncInputs,
e);
throw new IllegalArgumentException("Invalid inputs (Expressions) to the Match (validated using the equivalent standard 'any-of' function definition): " + anyOfFuncInputs, e);
}
}
/**
* Determines whether this <code>Match</code> matches the input request
* (whether it is applicable)
* Determines whether this <code>Match</code> matches the input request (whether it is applicable)
*
* @param context
* the evaluation context
* @return true iff the context matches
* @throws org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException
* error occurred evaluating the Match element in this
* evaluation {@code context}
* error occurred evaluating the Match element in this evaluation {@code context}
*/
public boolean match(final EvaluationContext context) throws IndeterminateEvaluationException
{
......@@ -159,8 +145,7 @@ public final class MatchEvaluator
}
catch (final IndeterminateEvaluationException e)
{
throw new IndeterminateEvaluationException("Error evaluating Match (with equivalent 'any-of' function)",
e.getStatusCode(), e);
throw new IndeterminateEvaluationException("Error evaluating Match (with equivalent 'any-of' function)", e.getStatusCode(), e);
}
return anyOfFuncCallResult.getUnderlyingValue().booleanValue();
......
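Review bot: `NULL_XACML_MATCH_ARGUMENT_EXCEPTION` and `NULL_XACML_EXPRESSION_FACTORY_ARGUMENT_EXCEPTION` are shared `static final` exception instances, so their stack traces are captured once at class initialisation and do not point at the constructor call that received the null argument. A shared `Throwable` is also mutable (`addSuppressed`, `setStackTrace`), so one caller can alter what another caller later sees. Creating the exception where it is thrown costs nothing on the normal path: `throw new IllegalArgumentException("Undefined input XACML Match element");`. The same applies to `UNDEF_ATTRIBUTES_EXCEPTION` and `UNDEF_ATTRIBUTE_CATEGORY_EXCEPTION` in MutableIndividualDecisionRequest. The throw sites themselves are only partly visible in these hunks.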
......@@ -23,16 +23,15 @@ import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import net.sf.saxon.s9api.XdmNode;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import org.ow2.authzforce.core.pdp.api.AttributeGUID;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.IndividualDecisionRequest;
import org.ow2.authzforce.core.pdp.api.SingleCategoryAttributes;
import org.ow2.authzforce.core.pdp.api.value.Bag;
import com.koloboke.collect.map.hash.HashObjObjMaps;
import net.sf.saxon.s9api.XdmNode;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
/**
* Mutable Individual Decision Request
*
......@@ -40,10 +39,8 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
*/
public final class MutableIndividualDecisionRequest implements IndividualDecisionRequest
{
private static final IllegalArgumentException UNDEF_ATTRIBUTES_EXCEPTION = new IllegalArgumentException(
"Undefined attributes");
private static final IllegalArgumentException UNDEF_ATTRIBUTE_CATEGORY_EXCEPTION = new IllegalArgumentException(
"Undefined attribute category");
private static final IllegalArgumentException UNDEF_ATTRIBUTES_EXCEPTION = new IllegalArgumentException("Undefined attributes");
private static final IllegalArgumentException UNDEF_ATTRIBUTE_CATEGORY_EXCEPTION = new IllegalArgumentException("Undefined attribute category");
private final Map<AttributeGUID, Bag<?>> namedAttributes;
......@@ -61,8 +58,8 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
public MutableIndividualDecisionRequest(final boolean returnPolicyIdList)
{
// these maps/lists may be updated later by put(...) method defined in this class
namedAttributes = HashObjObjMaps.newUpdatableMap();
extraContentsByCategory = HashObjObjMaps.newUpdatableMap();
namedAttributes = HashCollections.newUpdatableMap();
extraContentsByCategory = HashCollections.newUpdatableMap();
attributesToIncludeInResult = new ArrayList<>();
returnApplicablePolicyIdList = returnPolicyIdList;
}
......@@ -79,13 +76,9 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
final Map<AttributeGUID, Bag<?>> baseNamedAttributes = baseRequest.getNamedAttributes();
final Map<String, XdmNode> baseExtraContentsByCategory = baseRequest.getExtraContentsByCategory();
final List<Attributes> baseReturnedAttributes = baseRequest.getReturnedAttributes();
namedAttributes = baseNamedAttributes == null ? HashObjObjMaps.<AttributeGUID, Bag<?>>newUpdatableMap()
: HashObjObjMaps.newUpdatableMap(baseNamedAttributes);
extraContentsByCategory = baseExtraContentsByCategory == null
? HashObjObjMaps.<String, XdmNode>newUpdatableMap()
: HashObjObjMaps.newUpdatableMap(baseExtraContentsByCategory);
attributesToIncludeInResult = baseReturnedAttributes == null ? new ArrayList<Attributes>()
: new ArrayList<>(baseRequest.getReturnedAttributes());
namedAttributes = baseNamedAttributes == null ? HashCollections.<AttributeGUID, Bag<?>> newUpdatableMap() : HashCollections.newUpdatableMap(baseNamedAttributes);
extraContentsByCategory = baseExtraContentsByCategory == null ? HashCollections.<String, XdmNode> newUpdatableMap() : HashCollections.newUpdatableMap(baseExtraContentsByCategory);
attributesToIncludeInResult = baseReturnedAttributes == null ? new ArrayList<>() : new ArrayList<>(baseRequest.getReturnedAttributes());
returnApplicablePolicyIdList = baseRequest.isApplicablePolicyIdListReturned();
}
......@@ -97,11 +90,9 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
* @param categorySpecificAttributes
* attributes in category {@code categoryName}
* @throws java.lang.IllegalArgumentException
* if {@code categoryName == null || attributes == null} or duplicate attribute category
* ({@link #put(String, SingleCategoryAttributes)} already called with same {@code categoryName}
* if {@code categoryName == null || attributes == null} or duplicate attribute category ({@link #put(String, SingleCategoryAttributes)} already called with same {@code categoryName}
*/
public void put(final String categoryName, final SingleCategoryAttributes<?> categorySpecificAttributes)
throws IllegalArgumentException
public void put(final String categoryName, final SingleCategoryAttributes<?> categorySpecificAttributes) throws IllegalArgumentException
{
if (categoryName == null)
{
......@@ -115,17 +106,19 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
// extraContentsByCategory initialized not null by constructors
assert extraContentsByCategory != null;
final XdmNode oldVal = extraContentsByCategory.put(categoryName, categorySpecificAttributes.getExtraContent());
if (oldVal != null)
final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
if (newContentNode != null)
{
throw new IllegalArgumentException(
"Duplicate Attributes[@Category] in Individual Decision Request (not allowed): " + categoryName);
final XdmNode oldContentNode = extraContentsByCategory.put(categoryName, newContentNode);
if (oldContentNode != null)
{
throw new IllegalArgumentException("Duplicate Attributes[@Category] in Individual Decision Request (not allowed): " + categoryName);
}
}
/*
* Convert growable (therefore mutable) bag of attribute values to immutable ones. Indeed, we must guarantee
* that attribute values remain constant during the evaluation of the request, as mandated by the XACML spec,
* section 7.3.5: <p> <i>
* Convert growable (therefore mutable) bag of attribute values to immutable ones. Indeed, we must guarantee that attribute values remain constant during the evaluation of the request, as
* mandated by the XACML spec, section 7.3.5: <p> <i>
* "Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)"
* </i></p>
*/
......@@ -134,8 +127,7 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
namedAttributes.put(attrEntry.getKey(), attrEntry.getValue());
}
final Attributes catSpecificAttrsToIncludeInResult = categorySpecificAttributes
.getAttributesToIncludeInResult();
final Attributes catSpecificAttrsToIncludeInResult = categorySpecificAttributes.getAttributesToIncludeInResult();
if (catSpecificAttrsToIncludeInResult != null)
{
attributesToIncludeInResult.add(catSpecificAttrsToIncludeInResult);
......
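Review bot: In the copy constructor, `attributesToIncludeInResult` null-checks the local `baseReturnedAttributes` but then copies from a second call to `baseRequest.getReturnedAttributes()`. If an `IndividualDecisionRequest` implementation returns a different value on the second call, the null check no longer protects the copy, and the two reads may not describe the same list. Use the value already read: `attributesToIncludeInResult = baseReturnedAttributes == null ? new ArrayList<>() : new ArrayList<>(baseReturnedAttributes);`. The constructor starts outside the hunk.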
......@@ -37,6 +37,7 @@ import org.ow2.authzforce.core.pdp.api.CloseablePDP;
import org.ow2.authzforce.core.pdp.api.DecisionCache;
import org.ow2.authzforce.core.pdp.api.DecisionResultFilter;
import org.ow2.authzforce.core.pdp.api.EnvironmentProperties;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.IndividualDecisionRequest;
import org.ow2.authzforce.core.pdp.api.PdpDecisionResult;
......@@ -62,8 +63,6 @@ import org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.koloboke.collect.map.hash.HashObjObjMaps;
/**
* This is the core XACML PDP engine implementation. To build an XACML policy engine, you start by instantiating this object directly or in a easier and preferred way, using
* {@link PdpConfigurationParser}.
......@@ -117,7 +116,7 @@ public final class PDPImpl implements CloseablePDP
*/
// current datetime in default timezone
final DateTimeValue currentDateTimeValue = new DateTimeValue(new GregorianCalendar());
return HashObjObjMaps.<AttributeGUID, Bag<?>> newImmutableMapOf(
return HashCollections.<AttributeGUID, Bag<?>> newImmutableMap(
// current date-time
StandardEnvironmentAttribute.CURRENT_DATETIME.getGUID(),
Bags.singleton(StandardDatatypes.DATETIME_FACTORY.getDatatype(), currentDateTimeValue),
......@@ -215,7 +214,7 @@ public final class PDPImpl implements CloseablePDP
/*
* There will be at most as many new results (not in cache) as there are individual decision requests
*/
final Map<INDIVIDUAL_DECISION_REQ_T, PdpDecisionResult> newResultsByRequest = HashObjObjMaps.newUpdatableMap(individualDecisionRequests.size());
final Map<INDIVIDUAL_DECISION_REQ_T, PdpDecisionResult> newResultsByRequest = HashCollections.newUpdatableMap(individualDecisionRequests.size());
for (final INDIVIDUAL_DECISION_REQ_T individualDecisionRequest : individualDecisionRequests)
{
final PdpDecisionResult finalResult;
......
......@@ -25,6 +25,7 @@ import java.util.ServiceLoader;
import java.util.Set;
import org.ow2.authzforce.core.pdp.api.DecisionResultFilter;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.pdp.api.JaxbBoundPdpExtension;
import org.ow2.authzforce.core.pdp.api.PdpExtension;
import org.ow2.authzforce.core.pdp.api.RequestFilter;
......@@ -35,8 +36,6 @@ import org.ow2.authzforce.xmlns.pdp.ext.AbstractPdpExtension;
import com.google.common.collect.HashBasedTable;
import com.google.common.collect.Table;
import com.koloboke.collect.map.hash.HashObjObjMaps;
import com.koloboke.collect.set.hash.HashObjSets;
/**
* Loads PDP extensions (implementing {@link PdpExtension}) from classpath using {@link ServiceLoader}.
......@@ -55,7 +54,7 @@ public final class PdpExtensionLoader
/**
* Types of zero-conf (non-JAXB-bound) extension
*/
private static final Set<Class<? extends PdpExtension>> NON_JAXB_BOUND_EXTENSION_CLASSES = HashObjSets.newImmutableSet(Arrays.asList(DatatypeFactory.class, Function.class, CombiningAlg.class,
private static final Set<Class<? extends PdpExtension>> NON_JAXB_BOUND_EXTENSION_CLASSES = HashCollections.newImmutableSet(Arrays.asList(DatatypeFactory.class, Function.class, CombiningAlg.class,
RequestFilter.Factory.class, DecisionResultFilter.class));
/*
......@@ -72,7 +71,7 @@ public final class PdpExtensionLoader
static
{
final Table<Class<? extends PdpExtension>, String, PdpExtension> mutableNonJaxbBoundExtMapByClassAndId = HashBasedTable.create();
final Map<Class<? extends AbstractPdpExtension>, JaxbBoundPdpExtension<? extends AbstractPdpExtension>> mutableJaxbBoundExtMapByClass = HashObjObjMaps.newUpdatableMap();
final Map<Class<? extends AbstractPdpExtension>, JaxbBoundPdpExtension<? extends AbstractPdpExtension>> mutableJaxbBoundExtMapByClass = HashCollections.newUpdatableMap();
/*
* REMINDER: every service provider (implementation class) loaded by ServiceLoader MUST HAVE a ZERO-ARGUMENT CONSTRUCTOR.
......@@ -117,8 +116,8 @@ public final class PdpExtensionLoader
}
}
NON_JAXB_BOUND_EXTENSIONS_BY_CLASS_AND_ID = HashObjObjMaps.newImmutableMap(mutableNonJaxbBoundExtMapByClassAndId.rowMap());
JAXB_BOUND_EXTENSIONS_BY_JAXB_CLASS = HashObjObjMaps.newImmutableMap(mutableJaxbBoundExtMapByClass);
NON_JAXB_BOUND_EXTENSIONS_BY_CLASS_AND_ID = HashCollections.newImmutableMap(mutableNonJaxbBoundExtMapByClassAndId.rowMap());
JAXB_BOUND_EXTENSIONS_BY_JAXB_CLASS = HashCollections.newImmutableMap(mutableJaxbBoundExtMapByClass);
}
/**
......@@ -128,7 +127,7 @@ public final class PdpExtensionLoader
*/
public static Set<Class<? extends AbstractPdpExtension>> getExtensionJaxbClasses()
{
return HashObjSets.newImmutableSet(JAXB_BOUND_EXTENSIONS_BY_JAXB_CLASS.keySet());
return HashCollections.newImmutableSet(JAXB_BOUND_EXTENSIONS_BY_JAXB_CLASS.keySet());
}
/**
......@@ -153,7 +152,7 @@ public final class PdpExtensionLoader
return Collections.emptySet();
}
return HashObjSets.newImmutableSet(typeSpecificExtsById.keySet());
return HashCollections.newImmutableSet(typeSpecificExtsById.keySet());
}
/**
......
......@@ -34,13 +34,12 @@ import javax.xml.bind.Unmarshaller;
import javax.xml.transform.Source;
import javax.xml.validation.Schema;
import org.ow2.authzforce.core.pdp.api.HashCollections;
import org.ow2.authzforce.core.xmlns.pdp.Pdp;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractPdpExtension;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.koloboke.collect.set.hash.HashObjSets;
/**
* PDP Engine XML configuration handler
*
......@@ -69,15 +68,14 @@ public final class PdpModelHandler
private final JAXBContext confJaxbCtx;
/**
* Load Configuration model handler. Parameters here are locations to XSD files. Locations can be any resource
* string supported by Spring ResourceLoader. More info:
* Load Configuration model handler. Parameters here are locations to XSD files. Locations can be any resource string supported by Spring ResourceLoader. More info:
* http://docs.spring.io/spring/docs/current/spring-framework-reference/html/resources.html
*
* For example: classpath:com/myapp/aaa.xsd, file:///data/bbb.xsd, http://myserver/ccc.xsd...
*
* @param extensionXsdLocation
* location of user-defined extension XSD (may be null if no extension to load), if exists; in such XSD,
* there must be a XSD namespace import for each extension used in the PDP configuration, for example:
* location of user-defined extension XSD (may be null if no extension to load), if exists; in such XSD, there must be a XSD namespace import for each extension used in the PDP
* configuration, for example:
*
* <pre>
* {@literal
......@@ -94,27 +92,24 @@ public final class PdpModelHandler
* <xs:import namespace="http://authzforce.github.io/core/xmlns/test/3" />
* </xs:schema>
* }
* </pre>
* </pre>
*
* In this example, the file at {@code catalogLocation} must define the schemaLocation for the imported
* namespace above using a line like this (for an XML-formatted catalog):
* In this example, the file at {@code catalogLocation} must define the schemaLocation for the imported namespace above using a line like this (for an XML-formatted catalog):
*
* <pre>
* {@literal
* <uri name="http://authzforce.github.io/core/xmlns/test/3" uri=
"classpath:org.ow2.authzforce.core.test.xsd" />
* "classpath:org.ow2.authzforce.core.test.xsd" />
* }
* </pre>
* </pre>
*
* We assume that this XML type is an extension of one the PDP extension base types,
* 'AbstractAttributeProvider' (that extends 'AbstractPdpExtension' like all other extension base types)
* in this case.
* We assume that this XML type is an extension of one the PDP extension base types, 'AbstractAttributeProvider' (that extends 'AbstractPdpExtension' like all other extension base
* types) in this case.
* @param catalogLocation
* location of XML catalog for resolving XSDs imported by the pdp.xsd (PDP configuration schema) and the
* extensions XSD specified as 'extensionXsdLocation' argument (may be null)
* location of XML catalog for resolving XSDs imported by the pdp.xsd (PDP configuration schema) and the extensions XSD specified as 'extensionXsdLocation' argument (may be null)
*/
@ConstructorProperties({ "catalogLocation", "extensionXsdLocation" })
public PdpModelHandler(String catalogLocation, String extensionXsdLocation)
public PdpModelHandler(final String catalogLocation, final String extensionXsdLocation)
{
final List<String> schemaLocations;
if (extensionXsdLocation == null)
......@@ -127,15 +122,13 @@ public final class PdpModelHandler
}
/*
* JAXB classes of extensions are generated separately from the extension base type XSD. Therefore
* no @XmlSeeAlso to link to the base type. Therefore any JAXB provider cannot (un)marshall documents using the
* extension base type XSD, unless it is provided with the list of the extra JAXB classes based on the new
* extension XSD. For instance, this is the case for JAXB providers used by REST/SOAP frameworks: Apache CXF,
* Metro, etc. So we need to add to the JAXBContext all the extensions' model (JAXB-generated) classes. These
* have been collected by the PdpExtensionLoader.
* JAXB classes of extensions are generated separately from the extension base type XSD. Therefore no @XmlSeeAlso to link to the base type. Therefore any JAXB provider cannot (un)marshall
* documents using the extension base type XSD, unless it is provided with the list of the extra JAXB classes based on the new extension XSD. For instance, this is the case for JAXB providers
* used by REST/SOAP frameworks: Apache CXF, Metro, etc. So we need to add to the JAXBContext all the extensions' model (JAXB-generated) classes. These have been collected by the
* PdpExtensionLoader.
*/
final Set<Class<? extends AbstractPdpExtension>> extJaxbClasses = PdpExtensionLoader.getExtensionJaxbClasses();
final Set<Class<?>> jaxbBoundClassSet = HashObjSets.<Class<?>>newUpdatableSet(extJaxbClasses.size() + 1);
final Set<Class<?>> jaxbBoundClassSet = HashCollections.<Class<?>> newUpdatableSet(extJaxbClasses.size() + 1);
jaxbBoundClassSet.addAll(extJaxbClasses);
LOGGER.debug("Final list of loaded extension models (JAXB classes): {}", jaxbBoundClassSet);
......@@ -146,7 +139,7 @@ public final class PdpModelHandler
confJaxbCtx = JAXBContext.newInstance(jaxbBoundClassSet.toArray(new Class<?>[jaxbBoundClassSet.size()]));
LOGGER.debug("JAXB context for PDP configuration (un)marshalling: {}", confJaxbCtx);
}
catch (JAXBException e)
catch (final JAXBException e)
{
throw new RuntimeException("Failed to initialize configuration unmarshaller", e);
}
......@@ -155,8 +148,7 @@ public final class PdpModelHandler
final String schemaHandlerCatalogLocation;
if (catalogLocation == null)
{
LOGGER.debug("No XML catalog location specified for PDP schema handler, using default: {}",
DEFAULT_CATALOG_LOCATION);
LOGGER.debug("No XML catalog location specified for PDP schema handler, using default: {}", DEFAULT_CATALOG_LOCATION);
schemaHandlerCatalogLocation = DEFAULT_CATALOG_LOCATION;
}