Commit 1fac5614 authored by cdanger's avatar cdanger

Prepared changelog for next release

parent c3018d38
...@@ -2,6 +2,29 @@ ...@@ -2,6 +2,29 @@
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions.
## Unreleased ## Unreleased
### Fixed
- #22 (OW2): When handling the same XACML Request twice in the same JVM with the root PolicySet using deny-unless-permit algorithm over a Policy returning simple Deny (no status/obligation/advice) and a Policy returning Permit/Deny with obligations/advice, the obligation is duplicated in the final result at the second time this situation occurs.
- XACML StatusCode XML serialization/marshalling error when Missing Attribute info that is no valid anyURI is returned by PDP in a Indeterminate Result
- Memory management issue: native RootPolicyProvider modules keeping a reference to static refPolicyProvider, even after policies have been resolved statically at initialization time, preventing garbage collection and memory saving.
- Calls to Logger impacted negatively by autoboxing
### Removed
- 'functionSet' element no longer supported in PDP XML configuration schema
### Changed
- Parent project version: authzforce-ce-parent: 3.4.0
- Dependency version: authzforce-ce-core-pdp-api: ???: requires to pass new EnvironmentProperties parameter to AttributeProvider module factories for using global PDP environment properties (such as PDP configuration file's parent directory)
- Interpretation of XACML Request flag ReturnPolicyId=true, considering a policy "applicable" if and only if the decision is not NotApplicable and if it is not a root policy, the same goes for the enclosing policy. See also the discussion on the xacml-comment mailing list: https://lists.oasis-open.org/archives/xacml-comment/201605/msg00004.html
### Added
- New feature enabled by PDP configuration parameter: enum 'standardEnvAttributeSource' to set the source for the Standard Current Time Environment Attribute values (current-date, current-time, current-dateTime): PDP_ONLY, REQUEST_ELSE_PDP, REQUEST_ONLY
- enum StandardFunction that enumerates all standard XACML function IDs
- enum StandardEnvironmentAttribute that enumerates all XACML standard environment attribute identifiers
- enum StandardCombiningAlgoritm that enumerates all standard XACML combining algorithms
### Deprecated
- Ability to marshall internal classes derived from XACML/JAXB Expressions back to the original JAXB Expression: it may consume a significant amount of extra memory, esp. when a nested PolicySet has deep nested Policy(Set)s, and it forces our internal evaluation classes to duplicate information and override many methods. Also it ties the internal model to the JAXB model which is far from optimal for evaluation purposes. Now we consider no longer the responsibility of the PDP to be able to marshall such XACML instances, but the caller's; in particular the classes ApplyExpression, AttributeDesignatorExpression, AttributeSelectorExpression, AttributeAssigmnentExpressionEvaluator no longer extend JAXB classes.
## 4.0.2 ## 4.0.2
### Fixed ### Fixed
......
...@@ -42,24 +42,29 @@ public final class AllOfEvaluator ...@@ -42,24 +42,29 @@ public final class AllOfEvaluator
private static final IllegalArgumentException NO_MATCH_EXCEPTION = new IllegalArgumentException( private static final IllegalArgumentException NO_MATCH_EXCEPTION = new IllegalArgumentException(
"<AllOf> empty. Must contain at least one <Match>"); "<AllOf> empty. Must contain at least one <Match>");
// Store the list of Matches as evaluatable Match types to avoid casting from JAXB MatchType // Store the list of Matches as evaluatable Match types to avoid casting
// from JAXB MatchType
// during evaluation // during evaluation
private final transient List<MatchEvaluator> evaluatableMatchList; private final transient List<MatchEvaluator> evaluatableMatchList;
/** /**
* Instantiates AllOf (evaluator) from XACML-Schema-derived <code>AllOf</code>. * Instantiates AllOf (evaluator) from XACML-Schema-derived
* <code>AllOf</code>.
* *
* @param jaxbMatches * @param jaxbMatches
* XACML-schema-derived JAXB Match elements * XACML-schema-derived JAXB Match elements
* @param xPathCompiler * @param xPathCompiler
* XPath compiler corresponding to enclosing policy(set) default XPath version * XPath compiler corresponding to enclosing policy(set) default
* XPath version
* @param expFactory * @param expFactory
* Expression factory * Expression factory
* @throws java.lang.IllegalArgumentException * @throws java.lang.IllegalArgumentException
* one of the child Match elements is invalid * null {@code expFactory} or null/empty {@code jaxbMatches} or
* one of the child Match elements in {@code jaxbMatches} is
* invalid
*/ */
public AllOfEvaluator(List<Match> jaxbMatches, XPathCompiler xPathCompiler, ExpressionFactory expFactory) public AllOfEvaluator(final List<Match> jaxbMatches, final XPathCompiler xPathCompiler,
throws IllegalArgumentException final ExpressionFactory expFactory) throws IllegalArgumentException
{ {
if (jaxbMatches == null || jaxbMatches.isEmpty()) if (jaxbMatches == null || jaxbMatches.isEmpty())
{ {
...@@ -75,7 +80,7 @@ public final class AllOfEvaluator ...@@ -75,7 +80,7 @@ public final class AllOfEvaluator
{ {
matchEvaluator = new MatchEvaluator(jaxbMatch, xPathCompiler, expFactory); matchEvaluator = new MatchEvaluator(jaxbMatch, xPathCompiler, expFactory);
} }
catch (IllegalArgumentException e) catch (final IllegalArgumentException e)
{ {
throw new IllegalArgumentException("Invalid <AllOf>'s <Match>#" + matchIndex, e); throw new IllegalArgumentException("Invalid <AllOf>'s <Match>#" + matchIndex, e);
} }
...@@ -86,8 +91,9 @@ public final class AllOfEvaluator ...@@ -86,8 +91,9 @@ public final class AllOfEvaluator
} }
/** /**
* Determines whether this <code>AllOf</code> matches the input request (whether it is applicable).Here is the table * Determines whether this <code>AllOf</code> matches the input request
* shown in the specification: <code> * (whether it is applicable).Here is the table shown in the specification:
* <code>
* <Match> values <AllOf> value * <Match> values <AllOf> value
* All True “Match�? * All True “Match�?
* No False and at least * No False and at least
...@@ -101,7 +107,7 @@ public final class AllOfEvaluator ...@@ -101,7 +107,7 @@ public final class AllOfEvaluator
* @throws org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException * @throws org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException
* Indeterminate * Indeterminate
*/ */
public boolean match(EvaluationContext context) throws IndeterminateEvaluationException public boolean match(final EvaluationContext context) throws IndeterminateEvaluationException
{ {
// atLeastOneIndeterminate = true iff lastIndeterminate != null // atLeastOneIndeterminate = true iff lastIndeterminate != null
IndeterminateEvaluationException lastIndeterminate = null; IndeterminateEvaluationException lastIndeterminate = null;
...@@ -123,15 +129,17 @@ public final class AllOfEvaluator ...@@ -123,15 +129,17 @@ public final class AllOfEvaluator
isMatched = matchEvaluator.match(context); isMatched = matchEvaluator.match(context);
if (LOGGER.isDebugEnabled()) if (LOGGER.isDebugEnabled())
{ {
// Beware of autoboxing which causes call to Boolean.valueOf(...), Integer.valueOf(...) // Beware of autoboxing which causes call to
// Boolean.valueOf(...), Integer.valueOf(...)
LOGGER.debug("AllOf/Match#{} -> {}", childIndex, isMatched); LOGGER.debug("AllOf/Match#{} -> {}", childIndex, isMatched);
} }
} }
catch (IndeterminateEvaluationException e) catch (final IndeterminateEvaluationException e)
{ {
if (LOGGER.isDebugEnabled()) if (LOGGER.isDebugEnabled())
{ {
// Beware of autoboxing which causes call to Integer.valueOf(...) // Beware of autoboxing which causes call to
// Integer.valueOf(...)
LOGGER.debug("AllOf/Match#{} -> Indeterminate", childIndex, e); LOGGER.debug("AllOf/Match#{} -> Indeterminate", childIndex, e);
} }
lastIndeterminate = e; lastIndeterminate = e;
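Review bot: The Javadoc of `match`, rewrapped in this section, still holds the specification table inside `<code>` with raw `<Match>` and `<AllOf>` headings; Javadoc reads these as HTML tags, so the headings drop out of the rendered page and doclint may reject them, and `<code>` does not keep the columns aligned. Wrapping the table as `<pre>{@code ... }</pre>` (AnyOfEvaluator already uses `<pre>`) would keep it readable, which matters because this table is the reference for when a target applies. The closing quote in `“Match�?` looks corrupted, as does `“Indeterminate�?` in AnyOfEvaluator; if that is in the file and not only in this rendering, a plain `"` avoids the encoding dependency. `applicable).Here` is also missing a space. The rest of the Javadoc lies outside the hunk.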
......
...@@ -45,24 +45,29 @@ public final class AnyOfEvaluator ...@@ -45,24 +45,29 @@ public final class AnyOfEvaluator
private static final IllegalArgumentException NO_ALL_OF_EXCEPTION = new IllegalArgumentException( private static final IllegalArgumentException NO_ALL_OF_EXCEPTION = new IllegalArgumentException(
"<AnyOf> empty. Must contain at least one <AllOf>"); "<AnyOf> empty. Must contain at least one <AllOf>");
// Store the list of AllOf as evaluatable AllOf types to avoid casting from JAXB AllOfType // Store the list of AllOf as evaluatable AllOf types to avoid casting from
// JAXB AllOfType
// during evaluation // during evaluation
private final transient List<AllOfEvaluator> evaluatableAllOfList; private final transient List<AllOfEvaluator> evaluatableAllOfList;
/** /**
* Constructor that creates a new <code>AnyOf</code> evaluator based on the given XACML-schema-derived JAXB AnyOf. * Constructor that creates a new <code>AnyOf</code> evaluator based on the
* given XACML-schema-derived JAXB AnyOf.
* *
* @param jaxbAllOfList * @param jaxbAllOfList
* JAXB AllOf elements * JAXB AllOf elements
* @param xPathCompiler * @param xPathCompiler
* XPath compiler corresponding to enclosing policy(set) default XPath version * XPath compiler corresponding to enclosing policy(set) default
* XPath version
* @param expFactory * @param expFactory
* Expression factory * Expression factory
* @throws java.lang.IllegalArgumentException * @throws java.lang.IllegalArgumentException
* if one of the child AllOf elements is invalid * null {@code expFactory} or null/empty {@code jaxbAllOfList}
* or one of the child Match elements in one of the AllOf
* elements of {@code jaxbAllOfList} is invalid
*/ */
public AnyOfEvaluator(List<AllOf> jaxbAllOfList, XPathCompiler xPathCompiler, ExpressionFactory expFactory) public AnyOfEvaluator(final List<AllOf> jaxbAllOfList, final XPathCompiler xPathCompiler,
throws IllegalArgumentException final ExpressionFactory expFactory) throws IllegalArgumentException
{ {
if (jaxbAllOfList == null || jaxbAllOfList.isEmpty()) if (jaxbAllOfList == null || jaxbAllOfList.isEmpty())
{ {
...@@ -78,7 +83,7 @@ public final class AnyOfEvaluator ...@@ -78,7 +83,7 @@ public final class AnyOfEvaluator
{ {
allOfEvaluator = new AllOfEvaluator(jaxbAllOf.getMatches(), xPathCompiler, expFactory); allOfEvaluator = new AllOfEvaluator(jaxbAllOf.getMatches(), xPathCompiler, expFactory);
} }
catch (IllegalArgumentException e) catch (final IllegalArgumentException e)
{ {
throw new IllegalArgumentException("Invalid <AnyOf>'s <AllOf>#" + matchIndex, e); throw new IllegalArgumentException("Invalid <AnyOf>'s <AllOf>#" + matchIndex, e);
} }
...@@ -89,8 +94,9 @@ public final class AnyOfEvaluator ...@@ -89,8 +94,9 @@ public final class AnyOfEvaluator
} }
/** /**
* Determines whether this <code>AnyOf</code> matches the input request (whether it is applicable). If all the AllOf * Determines whether this <code>AnyOf</code> matches the input request
* values is No_Match so it's a No_Match. If all matches it's a Match. If None matches and at least one * (whether it is applicable). If all the AllOf values is No_Match so it's a
* No_Match. If all matches it's a Match. If None matches and at least one
* “Indeterminate�? it's Indeterminate * “Indeterminate�? it's Indeterminate
* *
* <pre> * <pre>
...@@ -107,7 +113,7 @@ public final class AnyOfEvaluator ...@@ -107,7 +113,7 @@ public final class AnyOfEvaluator
* @throws org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException * @throws org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException
* if Indeterminate * if Indeterminate
*/ */
public boolean match(EvaluationContext context) throws IndeterminateEvaluationException public boolean match(final EvaluationContext context) throws IndeterminateEvaluationException
{ {
// atLeastOneIndeterminate = true iff lastIndeterminate != null // atLeastOneIndeterminate = true iff lastIndeterminate != null
IndeterminateEvaluationException lastIndeterminate = null; IndeterminateEvaluationException lastIndeterminate = null;
...@@ -129,15 +135,17 @@ public final class AnyOfEvaluator ...@@ -129,15 +135,17 @@ public final class AnyOfEvaluator
isMatched = allOfEvaluator.match(context); isMatched = allOfEvaluator.match(context);
if (LOGGER.isDebugEnabled()) if (LOGGER.isDebugEnabled())
{ {
// Beware of autoboxing which causes call to Boolean.valueOf(...), Integer.valueOf(...) // Beware of autoboxing which causes call to
// Boolean.valueOf(...), Integer.valueOf(...)
LOGGER.debug("AnyOf/AllOf#{} -> {}", childIndex, isMatched); LOGGER.debug("AnyOf/AllOf#{} -> {}", childIndex, isMatched);
} }
} }
catch (IndeterminateEvaluationException e) catch (final IndeterminateEvaluationException e)
{ {
if (LOGGER.isDebugEnabled()) if (LOGGER.isDebugEnabled())
{ {
// Beware of autoboxing which causes call to Integer.valueOf(...) // Beware of autoboxing which causes call to
// Integer.valueOf(...)
LOGGER.debug("AnyOf/AllOf#{} -> Indeterminate", childIndex, e); LOGGER.debug("AnyOf/AllOf#{} -> Indeterminate", childIndex, e);
} }
lastIndeterminate = e; lastIndeterminate = e;
...@@ -165,7 +173,8 @@ public final class AnyOfEvaluator ...@@ -165,7 +173,8 @@ public final class AnyOfEvaluator
return false; return false;
} }
// No Match and at least one Indeterminate (lastIndeterminate != null) -> Indeterminate // No Match and at least one Indeterminate (lastIndeterminate != null)
// -> Indeterminate
throw new IndeterminateEvaluationException("Error evaluating <AnyOf>'s <AllOf>#" + lastIndeterminateChildIndex, throw new IndeterminateEvaluationException("Error evaluating <AnyOf>'s <AllOf>#" + lastIndeterminateChildIndex,
lastIndeterminate.getStatusCode(), lastIndeterminate); lastIndeterminate.getStatusCode(), lastIndeterminate);
} }
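Review bot: The rewrapped Javadoc of `match` still says `If all matches it's a Match`, which reads as if every AllOf had to match. The closing comment in the method (`No Match and at least one Indeterminate (lastIndeterminate != null) -> Indeterminate`) suggests that a single matching AllOf is enough, though the loop body between the hunks is not visible here. Since this sentence defines when a policy target applies, I would reword it to `If at least one AllOf is a Match, the result is Match; if all are No_Match, it is No_Match; if none matches and at least one is Indeterminate, it is Indeterminate.` The new `@throws` text also leaves out the case of an AllOf that has no Match at all, which the AllOfEvaluator constructor rejects.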
......
...@@ -44,7 +44,8 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.Match; ...@@ -44,7 +44,8 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.Match;
* *
* @version $Id: $ * @version $Id: $
*/ */
public final class MatchEvaluator { public final class MatchEvaluator
{
private static final IllegalArgumentException NULL_XACML_MATCH_ARGUMENT_EXCEPTION = new IllegalArgumentException( private static final IllegalArgumentException NULL_XACML_MATCH_ARGUMENT_EXCEPTION = new IllegalArgumentException(
"Undefined input XACML Match element"); "Undefined input XACML Match element");
...@@ -70,15 +71,18 @@ public final class MatchEvaluator { ...@@ -70,15 +71,18 @@ public final class MatchEvaluator {
* XPath compiler corresponding to enclosing policy(set) default * XPath compiler corresponding to enclosing policy(set) default
* XPath version * XPath version
* @throws java.lang.IllegalArgumentException * @throws java.lang.IllegalArgumentException
* invalid <code>jaxbMatch</code> * null {@code expFactory} or null/empty {@code jaxbMatch}
*/ */
public MatchEvaluator(final Match jaxbMatch, final XPathCompiler xPathCompiler, final ExpressionFactory expFactory) public MatchEvaluator(final Match jaxbMatch, final XPathCompiler xPathCompiler, final ExpressionFactory expFactory)
throws IllegalArgumentException { throws IllegalArgumentException
if (jaxbMatch == null) { {
if (jaxbMatch == null)
{
throw NULL_XACML_MATCH_ARGUMENT_EXCEPTION; throw NULL_XACML_MATCH_ARGUMENT_EXCEPTION;
} }
if (expFactory == null) { if (expFactory == null)
{
throw NULL_XACML_EXPRESSION_FACTORY_ARGUMENT_EXCEPTION; throw NULL_XACML_EXPRESSION_FACTORY_ARGUMENT_EXCEPTION;
} }
...@@ -86,7 +90,8 @@ public final class MatchEvaluator { ...@@ -86,7 +90,8 @@ public final class MatchEvaluator {
// Target matchFunction // Target matchFunction
final String matchId = jaxbMatch.getMatchId(); final String matchId = jaxbMatch.getMatchId();
final Function<?> matchFunction = expFactory.getFunction(matchId); final Function<?> matchFunction = expFactory.getFunction(matchId);
if (matchFunction == null) { if (matchFunction == null)
{
throw new IllegalArgumentException("Unsupported function for MatchId: " + matchId); throw new IllegalArgumentException("Unsupported function for MatchId: " + matchId);
} }
...@@ -99,9 +104,12 @@ public final class MatchEvaluator { ...@@ -99,9 +104,12 @@ public final class MatchEvaluator {
final AttributeValueType attributeValue = jaxbMatch.getAttributeValue(); final AttributeValueType attributeValue = jaxbMatch.getAttributeValue();
final Expression<? extends AttributeValue> attrValueExpr; final Expression<? extends AttributeValue> attrValueExpr;
try { try
{
attrValueExpr = expFactory.getInstance(attributeValue, xPathCompiler); attrValueExpr = expFactory.getInstance(attributeValue, xPathCompiler);
} catch (final IllegalArgumentException e) { }
catch (final IllegalArgumentException e)
{
throw new IllegalArgumentException("Invalid <Match>'s <AttributeValue>", e); throw new IllegalArgumentException("Invalid <Match>'s <AttributeValue>", e);
} }
...@@ -110,16 +118,20 @@ public final class MatchEvaluator { ...@@ -110,16 +118,20 @@ public final class MatchEvaluator {
// attributeValue, bagExpression) // attributeValue, bagExpression)
final Function<BooleanValue> anyOfFunc = (Function<BooleanValue>) expFactory final Function<BooleanValue> anyOfFunc = (Function<BooleanValue>) expFactory
.getFunction(StandardFunction.ANY_OF.getId()); .getFunction(StandardFunction.ANY_OF.getId());
if (anyOfFunc == null) { if (anyOfFunc == null)
{
throw new IllegalArgumentException( throw new IllegalArgumentException(
"Unsupported function '" + StandardFunction.ANY_OF.getId() + "' required for Match evaluation"); "Unsupported function '" + StandardFunction.ANY_OF.getId() + "' required for Match evaluation");
} }
final List<Expression<?>> anyOfFuncInputs = Arrays.<Expression<?>> asList(matchFunction, attrValueExpr, final List<Expression<?>> anyOfFuncInputs = Arrays.<Expression<?>> asList(matchFunction, attrValueExpr,
bagExpression); bagExpression);
try { try
{
this.anyOfFuncCall = anyOfFunc.newCall(anyOfFuncInputs); this.anyOfFuncCall = anyOfFunc.newCall(anyOfFuncInputs);
} catch (final IllegalArgumentException e) { }
catch (final IllegalArgumentException e)
{
throw new IllegalArgumentException( throw new IllegalArgumentException(
"Invalid inputs (Expressions) to the Match (validated using the equivalent standard 'any-of' function definition): " "Invalid inputs (Expressions) to the Match (validated using the equivalent standard 'any-of' function definition): "
+ anyOfFuncInputs, + anyOfFuncInputs,
...@@ -138,11 +150,15 @@ public final class MatchEvaluator { ...@@ -138,11 +150,15 @@ public final class MatchEvaluator {
* error occurred evaluating the Match element in this * error occurred evaluating the Match element in this
* evaluation {@code context} * evaluation {@code context}
*/ */
public boolean match(final EvaluationContext context) throws IndeterminateEvaluationException { public boolean match(final EvaluationContext context) throws IndeterminateEvaluationException
{
final BooleanValue anyOfFuncCallResult; final BooleanValue anyOfFuncCallResult;
try { try
{
anyOfFuncCallResult = anyOfFuncCall.evaluate(context); anyOfFuncCallResult = anyOfFuncCall.evaluate(context);
} catch (final IndeterminateEvaluationException e) { }
catch (final IndeterminateEvaluationException e)
{
throw new IndeterminateEvaluationException("Error evaluating Match (with equivalent 'any-of' function)", throw new IndeterminateEvaluationException("Error evaluating Match (with equivalent 'any-of' function)",
e.getStatusCode(), e); e.getStatusCode(), e);
} }
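Review bot: The new `@throws` text, `null {@code expFactory} or null/empty {@code jaxbMatch}`, is narrower than what the constructor does. In the same section it also throws IllegalArgumentException for an unsupported MatchId function, an invalid `<AttributeValue>`, a missing `any-of` function and inputs rejected by `anyOfFunc.newCall(...)`. The previous wording (`invalid jaxbMatch`) covered those cases, and callers that load policies rely on this contract to know that a bad Match is refused at construction time. I would write `null {@code expFactory} or {@code jaxbMatch}, or {@code jaxbMatch} is invalid (unsupported MatchId, invalid AttributeValue, or inputs rejected by the any-of function)`; "empty" is also unclear for a single Match element. Parts of the constructor lie between the hunks and are not visible here.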
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
* AuthZForce CE is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* AuthZForce CE is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
*/
package org.ow2.authzforce.core.pdp.impl;
import java.util.ArrayList;
import java.util.List;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AnyOf;
/**
* Represents the TargetType XML type in XACML.
*
* @version $Id: $
*/
public final class TargetEvaluator implements BooleanEvaluator
{
private static final IllegalArgumentException NULL_OR_EMPTY_XACML_ANYOF_LIST_ARGUMENT_EXCEPTION = new IllegalArgumentException(
"Cannot create Target evaluator: no input XACML/JAXB AnyOf element");
/**
* Logger used for all classes
*/
private static final Logger LOGGER = LoggerFactory.getLogger(TargetEvaluator.class);
// Have a copy of AnyOf evaluators to avoid cast from JAXB AnyOf in super JAXB type
// non-null
private final List<AnyOfEvaluator> anyOfEvaluatorList;
/**
* Instantiates Target (evaluator) from XACML-Schema-derived <code>Target</code>.
*
* @param jaxbAnyOfList
* XACML-schema-derived JAXB AnyOf elements
* @param xPathCompiler
* XPath compiler corresponding to enclosing policy(set) default XPath version
* @param expFactory
* Expression factory
* @throws java.lang.IllegalArgumentException
* if one of the child AnyOf elements is invalid
*/
public TargetEvaluator(List<AnyOf> jaxbAnyOfList, XPathCompiler xPathCompiler, ExpressionFactory expFactory)
throws IllegalArgumentException
{
if (jaxbAnyOfList == null || jaxbAnyOfList.isEmpty())
{
throw NULL_OR_EMPTY_XACML_ANYOF_LIST_ARGUMENT_EXCEPTION;
}
anyOfEvaluatorList = new ArrayList<>(jaxbAnyOfList.size());
int childIndex = 0;
for (final AnyOf jaxbAnyOf : jaxbAnyOfList)
{
final AnyOfEvaluator anyOfEvaluator;
try
{
anyOfEvaluator = new AnyOfEvaluator(jaxbAnyOf.getAllOves(), xPathCompiler, expFactory);
}
catch (IllegalArgumentException e)
{
throw new IllegalArgumentException("Invalid <Target>'s <AnyOf>#" + childIndex, e);
}
anyOfEvaluatorList.add(anyOfEvaluator);
childIndex++;
}
}
/**
* Determines whether this <code>Target</code> matches the input request (whether it is applicable). If any of the
* AnyOf doesn't match the request context so it's a NO_MATCH result. Here is the table shown in the specification:
* <code>
* <AnyOf> values <Target> value
* All Match? Match?
* At Least one "No Match" No Match?
* Otherwise Indeterminate?
* </code> Also if Target empty (no AnyOf), return "Match"
*
* @param context
* the representation of the request
* @return true if and only if Match (else No-match)
* @throws org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException
* if Indeterminate (error evaluating target)
*/
@Override
public boolean evaluate(EvaluationContext context) throws IndeterminateEvaluationException
{
// logic is quite similar to AllOf evaluation
// at the end, lastIndeterminate == null iff no Indeterminate occurred
IndeterminateEvaluationException lastIndeterminate = null;
// index of the current AnyOf in this Target
int childIndex = 0;
// index of last Indeterminate for enhanced error message
int lastIndeterminateChildIndex = -1;
/*
* By construction, there must be at least one Match
*/
for (final AnyOfEvaluator anyOfEvaluator : anyOfEvaluatorList)
{
final boolean isMatched;
try
{
isMatched = anyOfEvaluator.match(context);
if (LOGGER.isDebugEnabled())
{
// Beware of autoboxing which causes call to Boolean.valueOf(...), Integer.valueOf(...)
LOGGER.debug("Target/AnyOf#{} -> {}", childIndex, isMatched);
}
}
catch (IndeterminateEvaluationException e)
{
if (LOGGER.isDebugEnabled())
{
// Beware of autoboxing which causes call to Integer.valueOf(...)
LOGGER.debug("Target/AnyOf#{} -> Indeterminate", childIndex, e);
}
lastIndeterminate = e;
lastIndeterminateChildIndex = childIndex;
continue;
}
/*
* At least one False ("No match") -> No match
*/
if (!isMatched)
{
return false;
}
// True (Match) -> continue, all must be true to match
childIndex += 1;
}
// No False (=NO_MATCH) occurred
// lastIndeterminate == null iff no Indeterminate occurred
if (lastIndeterminate == null)
{
// No False/Indeterminate, i.e. all True -> Match
return true;
}
// No False but at least one Indeterminate (lastIndeterminate != null)
throw new IndeterminateEvaluationException("Error evaluating <Target>/<AnyOf>#" + lastIndeterminateChildIndex,
lastIndeterminate.getStatusCode(), lastIndeterminate);
}
}
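Review bot: In `evaluate`, the `continue;` at the end of the `catch (IndeterminateEvaluationException e)` block skips the `childIndex += 1;` at the bottom of the loop. After the first Indeterminate, every later `Target/AnyOf#{}` debug line is off by one, and with two or more Indeterminates the `<AnyOf>#` index in the final exception message can name the wrong child. That misleads anyone tracing an Indeterminate decision back to the policy element that caused it. Adding `childIndex += 1;` just before `continue;` keeps the counter in step. The page does not mark this file as added or removed, and the `TargetEvaluators` import in RuleEvaluator suggests it may be superseded, so the same check is worth making wherever this loop lives after the commit.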
...@@ -32,7 +32,7 @@ import org.ow2.authzforce.core.pdp.impl.BooleanEvaluator; ...@@ -32,7 +32,7 @@ import org.ow2.authzforce.core.pdp.impl.BooleanEvaluator;
import org.ow2.authzforce.core.pdp.impl.PepActionExpression; import org.ow2.authzforce.core.pdp.impl.PepActionExpression;
import org.ow2.authzforce.core.pdp.impl.PepActionExpressions; import org.ow2.authzforce.core.pdp.impl.PepActionExpressions;
import org.ow2.authzforce.core.pdp.impl.PepActionFactories; import org.ow2.authzforce.core.pdp.impl.PepActionFactories;
import org.ow2.authzforce.core.pdp.impl.TargetEvaluator; import org.ow2.authzforce.core.pdp.impl.TargetEvaluators;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
...@@ -40,7 +40,6 @@ import net.sf.saxon.s9api.XPathCompiler; ...@@ -40,7 +40,6 @@ import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Advice; import oasis.names.tc.xacml._3_0.core.schema.wd_17.Advice;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AdviceExpression; import oasis.names.tc.xacml._3_0.core.schema.wd_17.AdviceExpression;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AdviceExpressions; import oasis.names.tc.xacml._3_0.core.schema.wd_17.AdviceExpressions;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AnyOf;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Condition; import oasis.names.tc.xacml._3_0.core.schema.wd_17.Condition;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType; import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.EffectType; import oasis.names.tc.xacml._3_0.core.schema.wd_17.EffectType;
...@@ -63,7 +62,8 @@ public final class RuleEvaluator implements Decidable ...@@ -63,7 +62,8 @@ public final class RuleEvaluator implements Decidable
private static final Logger LOGGER = LoggerFactory.getLogger(RuleEvaluator.class); private static final Logger LOGGER = LoggerFactory.getLogger(RuleEvaluator.class);
/** /**
* Rule-associated PEP action (obligation/advice) expressions parser used to initialize the evaluator's fields * Rule-associated PEP action (obligation/advice) expressions parser used to
* initialize the evaluator's fields
* *
*/ */
private static final class RulePepActionExpressions implements PepActionExpressions private static final class RulePepActionExpressions implements PepActionExpressions
...@@ -76,14 +76,15 @@ public final class RuleEvaluator implements Decidable ...@@ -76,14 +76,15 @@ public final class RuleEvaluator implements Decidable
* Creates instance * Creates instance
* *
* @param xPathCompiler * @param xPathCompiler
* XPath compiler corresponding to enclosing policy(set) default XPath version * XPath compiler corresponding to enclosing policy(set)
* default XPath version
* @param expressionFactory * @param expressionFactory
* expression factory for parsing expressions * expression factory for parsing expressions
* @param ruleEffect * @param ruleEffect
* XACML rule's Effect * XACML rule's Effect
*/ */
private RulePepActionExpressions(XPathCompiler xPathCompiler, ExpressionFactory expressionFactory, private RulePepActionExpressions(final XPathCompiler xPathCompiler, final ExpressionFactory expressionFactory,
EffectType ruleEffect) final EffectType ruleEffect)
{ {
assert ruleEffect != null; assert ruleEffect != null;
...@@ -93,7 +94,7 @@ public final class RuleEvaluator implements Decidable ...@@ -93,7 +94,7 @@ public final class RuleEvaluator implements Decidable
} }
@Override @Override
public void add(ObligationExpression jaxbObligationExp) throws IllegalArgumentException public void add(final ObligationExpression jaxbObligationExp) throws IllegalArgumentException
{ {
assert jaxbObligationExp != null; assert jaxbObligationExp != null;
...@@ -112,7 +113,7 @@ public final class RuleEvaluator implements Decidable ...@@ -112,7 +113,7 @@ public final class RuleEvaluator implements Decidable
} }
@Override @Override
public void add(AdviceExpression jaxbAdviceExp) throws IllegalArgumentException public void add(final AdviceExpression jaxbAdviceExp) throws IllegalArgumentException
{ {
assert jaxbAdviceExp != null; assert jaxbAdviceExp != null;
...@@ -147,7 +148,7 @@ public final class RuleEvaluator implements Decidable ...@@ -147,7 +148,7 @@ public final class RuleEvaluator implements Decidable
{ {
private final EffectType ruleEffect; private final EffectType ruleEffect;
private RulePepActionExpressionsFactory(EffectType ruleEffect) private RulePepActionExpressionsFactory(final EffectType ruleEffect)
{ {
assert ruleEffect != null; assert ruleEffect != null;
...@@ -155,7 +156,8 @@ public final class RuleEvaluator implements Decidable ...@@ -155,7 +156,8 @@ public final class RuleEvaluator implements Decidable