Commit 38754810 authored by cdanger's avatar cdanger

Merge branch 'master' into develop

parents cc1d52d0 aba077c0
......@@ -6,11 +6,24 @@ Issues reported on [GitHub](https://github.com/authzforce/core/issues) are refer
## Unreleased
### Changed
- Version of parent project: 6.0.0
- Version of dependency authzforce-ce-core-pdp-api: 10.0.0 (API changes)
- Version of parent project: 6.0.0:
- The XML schema definition of PDP Decision Cache extensions' base type have been simplified (a few attributes removed).
- Version of dependency authzforce-ce-core-pdp-api: 11.0.0 (API changes):
- Changed PDPEngine interface methods
- Changed PDP extensions' interface methods: DecisionResultFilter, RequestFilter, DecisionCache (new EvaluationContext parameter to enable context-dependent caches), RefPolicyProvider (renamed RefPolicyProvider.Utils class to RefPolicyProvider.Helper).
- Changed EvaluationContext interface methods:
- Use of Bag replaced with AttributeBag class (AttributeBags are Bags with extra metadata such as the source - AttributeSource - of the attribute values: request, PDP, attribute provider extension, etc.
- New methods to help PDP extensions to watch for changes to the context with listeners
- Changed Expression interface methods
- Changed VersionPatterns class methods to return new PolicyVersionPattern class that helps manipulate XACML VersionMatchTypes
- Renamed class IndividualDecisionRequest to IndividualXACMLRequest (XACML-specific model of Individual Decision Request)
- Renamed class IndividualPdpDecisionRequest to PdpDecisionRequest (individual request in XACML-agnostic AuthzForce model)
- Renamed class AttributeGUID(s) to AttributeFQN(s) (Fully Qualified Name is more appropriate than GUID)
- Renamed class MutableBag to MutableAttributeBag
- Aded BaseStaticRefPolicyProviderModule class as convenient base class for implementing static Policy Provider (StaticRefPolicyProviderModule) implementations
### Added
- [PolicyProvider implementation](src/main/java/org/ow2/authzforce/core/pdp/testutil/ext/MongoDBRefPolicyProviderModule.java) for testing and documentation purposes, using MongoDB as policy database system and Jongo as client library, with [JUnit test class](src/test/java/org/ow2/authzforce/core/pdp/testutil/test/MongoDBRefPolicyProviderModuleTest.java) showing how to use it.
- [PolicyProvider implementation](pdp-testutils/src/main/java/org/ow2/authzforce/core/pdp/testutil/ext/MongoDBRefPolicyProviderModule.java) for testing and documentation purposes, using MongoDB as policy database system and Jongo as client library, with [JUnit test class](pdp-testutils/src/test/java/org/ow2/authzforce/core/pdp/testutil/test/MongoDBRefPolicyProviderModuleTest.java) showing how to use it.
## 8.0.0
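Review bot: typo in the added changelog line `Aded BaseStaticRefPolicyProviderModule class as convenient base class ...` (should be `Added`), and the AttributeBag bullet opens a parenthesis in `(AttributeBags are Bags with extra metadata such as the source - AttributeSource - of the attribute values: request, PDP, attribute provider extension, etc.` that is never closed. Since this is the entry users will read to understand the 11.0.0 API break (renamed RefPolicyProvider.Utils to RefPolicyProvider.Helper, new EvaluationContext parameter on DecisionCache), it is worth a quick proofread before release.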
......@@ -201,14 +214,14 @@ Issues reported on [GitHub](https://github.com/authzforce/core/issues) are refer
## 3.6.0
### Added
- Support all [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, except IIA010, IIA012, IIA024, IID029, IID030, III.C.2, III.C.3, IIIE301, IIIE303, II.G.2-6 (see also [README](src\test\resources\conformance\xacml-3.0-from-2.0-ct\README.md) ); with specific adaptations and enhancements:
- Support all [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, except IIA010, IIA012, IIA024, IID029, IID030, III.C.2, III.C.3, IIIE301, IIIE303, II.G.2-6 (see also [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/README.md) ); with specific adaptations and enhancements:
1. XACML 3.0 Schema validation in all conformance tests (original files are not all compliant with XACML 3.0).
1. The original conformance test folder contains hundreds of files; for better readability and management, the folder is split in *mandatory* folder for tests on supported mandatory features (XACMl 3.0 core), *optional* folder for supported optional features (XACML 3.0 core and profiles), and *unsupported* for unsupported features.
1. For tests requiring a custom attribute finder, added a file with suffix `AttributeProvider.xml` that configures the `TestAttributeProviderModule`. This configuration file must contain a list of `Attributes` elements defining the attributes that this attribute provider is able to provide, with their constant values.
1. For tests requiring policies to be referenced via Policy(Set)IdReferences, added a directory named `refPolicies` containing a XACML Policy(Set) file per referenced Policy(Set).
1. For tests of Request syntax validation (syntax error expected to be detected by Authzforce PDP at initialization-time, i.e. before any Request evaluation), added suffix `.ignore` to the original test Policy(Set) and Response files.
1. For tests of Policy(Set) syntax validation (syntax error expected to be detected by Authzforce PDP at initialization-time, i.e. before any Request evaluation), added suffix `.ignore` to the original test Request and Response files.
- [HTML description](\src\test\resources\conformance\xacml-3.0-from-2.0-ct\ConformanceTests.html) of XACML 3.0 conformance tests
- [HTML description](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/ConformanceTests.html) of XACML 3.0 conformance tests
- Support of Policy(Set)Version in Policy(Set)IdReference handled by the native policy finder
- Support for Variable evaluation in Policy with scope management (variable is local to Policy where defined and inherited by Rules)
- Added support of xpathExpressions (optional XACML feature) in Request with support of namespace-prefix mappings extracted from XML document (XACML Request/Policy(Set)/Rule) (typically via `xmlns` declarations) where the xpathExpression is defined, e.g. XACML Request or Policy(Set).
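Review bot: the two README/HTML links corrected in this hunk now use forward slashes with the `pdp-testutils/` prefix, which is the right fix for a relative link rendered on GitHub. While in this section, the unchanged bullet "For tests of Request syntax validation (syntax error expected to be detected by Authzforce PDP at initialization-time, i.e. before any Request evaluation)" carries the parenthetical that belongs to the Policy(Set) bullet right after it; a Request syntax error can only be detected when the Request is evaluated, so that parenthetical should be dropped or corrected on the Request line.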
......@@ -231,7 +244,7 @@ Issues reported on [GitHub](https://github.com/authzforce/core/issues) are refer
### Fixed
- Issues reported by PMD and findbugs
- Fixed issues in [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, see [README](src\test\resources\conformance\xacml-3.0-from-2.0-ct\README.md).
- Fixed issues in [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, see [README](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct\README.md).
- In logical OR, AND and N-OF functions, an Indeterminate argument results in Indeterminate result.
1. FIX for OR function: If at least one True argument, return True regardless of Indeterminate arguments; else (no True) if there is at least one Indeterminate, return Indeterminate, return Indeterminate; else (no True/Indeterminate -> all false) return false
1. FIX for AND function: If at least one False argument, return False regardless of Indeterminate arguments; else (no False) if there is at least one Indeterminate, return Indeterminate, return Indeterminate; else (no False/Indeterminate -> all true) return true
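Review bot: the corrected README link in this hunk still mixes separators, `pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct\README.md`; the final backslash before `README.md` will break the relative link on GitHub just as the old all-backslash path did, so it should be `.../xacml-3.0-from-2.0-ct/README.md` like the two links fixed in the 3.6.0 section. The surrounding context lines for the OR and AND fixes also repeat "return Indeterminate, return Indeterminate" and could be tidied in the same pass.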
......
......@@ -42,7 +42,7 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
<version>10.0.0</version>
<version>11.0.0</version>
</dependency>
<!-- /Authzforce dependencies -->
......
......@@ -49,10 +49,10 @@ import org.ow2.authzforce.core.pdp.api.JaxbXACMLUtils.XACMLParserFactory;
import org.ow2.authzforce.core.pdp.api.XMLUtils.NamespaceFilteringParser;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry;
import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.policy.BaseStaticRefPolicyProviderModule;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersion;
import org.ow2.authzforce.core.pdp.api.policy.RefPolicyProviderModule;
import org.ow2.authzforce.core.pdp.api.policy.StaticRefPolicyProvider;
import org.ow2.authzforce.core.pdp.api.policy.StaticRefPolicyProviderModule;
import org.ow2.authzforce.core.pdp.api.policy.StaticTopLevelPolicyElementEvaluator;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementEvaluator;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
......@@ -78,7 +78,7 @@ import com.google.common.collect.Table;
*
* @version $Id: $
*/
public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModule
public class CoreRefPolicyProviderModule extends BaseStaticRefPolicyProviderModule
{
private static final IllegalArgumentException ILLEGAL_COMBINING_ALG_REGISTRY_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined CombiningAlgorithm registry");
private static final IllegalArgumentException ILLEGAL_EXPRESSION_FACTORY_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined Expression factory");
......@@ -284,10 +284,9 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
}
@Override
public TopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType policyType, final String id, final Optional<VersionPatterns> versionConstraints,
final Deque<String> ancestorPolicyRefChain, final EvaluationContext evaluationContext) throws IndeterminateEvaluationException, IllegalArgumentException
public Deque<String> checkJoinedPolicyRefChain(final Deque<String> policyRefChain1, final List<String> policyRefChain2)
{
return get(policyType, id, versionConstraints, ancestorPolicyRefChain);
return Helper.checkJoinedPolicyRefChain(policyRefChain1, policyRefChain2, maxPolicySetRefDepth);
}
@Override
......@@ -301,8 +300,7 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
return policyEntry == null ? null : policyEntry.getValue();
}
// Else this is a request for PolicySet (from PolicySetIdReference)
final Deque<String> newPolicySetRefChain = Utils.appendAndCheckPolicyRefChain(ancestorPolicyRefChain, Collections.singletonList(id), maxPolicySetRefDepth);
// Else this is a request for PolicySet
final Entry<PolicyVersion, PolicyWithNamespaces<PolicySet>> jaxbPolicySetEntry = jaxbPolicySetMap.get(id, versionConstraints);
if (jaxbPolicySetEntry == null)
{
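Review bot: dropping `Utils.appendAndCheckPolicyRefChain(ancestorPolicyRefChain, Collections.singletonList(id), maxPolicySetRefDepth)` removes, at this point, the check that `id` is not already present in the ancestor chain (a circular PolicySetIdReference) and that the reference depth bound is respected before the referenced PolicySet is parsed. The chain handed to `PolicyEvaluators.getInstanceStatic` further down is now the unmodified `ancestorPolicyRefChain`. Please confirm that in core-pdp-api 11.0.0 `getInstanceStatic` appends `id` itself and calls back `checkJoinedPolicyRefChain` before recursing into nested references; otherwise a PolicySet that references itself (or A -> B -> A) is no longer rejected at load time and recursion only stops on a stack overflow. A small test with two PolicySets referencing each other would pin this behaviour down.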
......@@ -323,7 +321,7 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
try
{
resultPolicySetEvaluator = PolicyEvaluators.getInstanceStatic(jaxbPolicySetWithNs.policy, null, jaxbPolicySetWithNs.nsPrefixUriMap, expressionFactory, combiningAlgRegistry,
this.parsedPolicyIds, this.parsedPolicySetIds, this, newPolicySetRefChain, maxPolicySetRefDepth);
this.parsedPolicyIds, this.parsedPolicySetIds, this, ancestorPolicyRefChain);
}
catch (final IllegalArgumentException e)
{
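Review bot: `maxPolicySetRefDepth` is no longer passed to `PolicyEvaluators.getInstanceStatic`, so the depth bound must now be enforced through the `this` argument, i.e. the provider's own `checkJoinedPolicyRefChain`; that contract is not obvious from the call site and deserves a one-line comment here, since the argument also changed from the extended `newPolicySetRefChain` to the bare `ancestorPolicyRefChain`.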
......@@ -339,23 +337,29 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
/*
* check total policy ref depth, i.e. length of (newAncestorPolicySetRefChain + parsed policySet's longest (nested) policy ref chain) <= maxPolicySetRefDepth
*/
Utils.appendAndCheckPolicyRefChain(newPolicySetRefChain, policySetEvaluator.getExtraPolicyMetadata().getLongestPolicyRefChain(), maxPolicySetRefDepth);
checkJoinedPolicyRefChain(ancestorPolicyRefChain, policySetEvaluator.getExtraPolicyMetadata().getLongestPolicyRefChain());
}
return resultPolicySetEvaluator;
}
@Override
public TopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType policyType, final String id, final Optional<VersionPatterns> versionConstraints,
final Deque<String> ancestorPolicyRefChain, final EvaluationContext evaluationContext) throws IndeterminateEvaluationException, IllegalArgumentException
{
return get(policyType, id, versionConstraints, ancestorPolicyRefChain);
}
}
private final PolicyMap<StaticTopLevelPolicyElementEvaluator> policyEvaluatorMap;
private final PolicyMap<StaticTopLevelPolicyElementEvaluator> policySetEvaluatorMap;
private final int maxPolicySetRefDepth;
private CoreRefPolicyProviderModule(final PolicyMap<StaticTopLevelPolicyElementEvaluator> policyMap, final PolicyMap<PolicyWithNamespaces<PolicySet>> jaxbPolicySetMap,
final int maxPolicySetRefDepth, final ExpressionFactory expressionFactory, final CombiningAlgRegistry combiningAlgRegistry) throws IllegalArgumentException
{
super(maxPolicySetRefDepth);
assert policyMap != null && jaxbPolicySetMap != null && expressionFactory != null && combiningAlgRegistry != null;
this.maxPolicySetRefDepth = maxPolicySetRefDepth < 0 ? Utils.UNLIMITED_POLICY_REF_DEPTH : maxPolicySetRefDepth;
this.policyEvaluatorMap = policyMap;
final Table<String, PolicyVersion, StaticTopLevelPolicyElementEvaluator> updatablePolicySetEvaluatorTable = HashBasedTable.create();
/*
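Review bot: the comment above the check still describes it as "length of (newAncestorPolicySetRefChain + parsed policySet's longest (nested) policy ref chain) <= maxPolicySetRefDepth", but the code now joins `ancestorPolicyRefChain`, which no longer contains this PolicySet's `id`, with `getLongestPolicyRefChain()`; unless the longest chain includes the PolicySet's own id, the effective limit is one level deeper than the configured `maxPolicySetRefDepth`, so either the comment or the chain should be adjusted. In the constructor, `super(maxPolicySetRefDepth)` receives the raw value while the local field keeps the normalized one (`maxPolicySetRefDepth < 0 ? Utils.UNLIMITED_POLICY_REF_DEPTH : maxPolicySetRefDepth`); if `BaseStaticRefPolicyProviderModule` does not normalize negatives the same way, the two copies disagree. Normalizing before calling `super(...)`, or dropping the local field if the base class exposes it, avoids that.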
......@@ -388,7 +392,7 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
try
{
newPolicySetEvaluator = PolicyEvaluators.getInstanceStatic(jaxbPolicySetWithNs.policy, null, jaxbPolicySetWithNs.nsPrefixUriMap, expressionFactory, combiningAlgRegistry,
parsedPolicyIds, parsedPolicySetIds, bootstrapRefPolicyProvider, null, maxPolicySetRefDepth);
parsedPolicyIds, parsedPolicySetIds, bootstrapRefPolicyProvider, null);
}
catch (final IllegalArgumentException e)
{
......@@ -626,6 +630,12 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
return new CoreRefPolicyProviderModule(policyMap, policySetMap, maxPolicySetRefDepth, expressionFactory, combiningAlgRegistry);
}
@Override
public Deque<String> checkJoinedPolicyRefChain(final Deque<String> policyRefChain1, final List<String> policyRefChain2)
{
return Helper.checkJoinedPolicyRefChain(policyRefChain1, policyRefChain2, maxPolicySetRefDepth);
}
/** {@inheritDoc} */
@Override
public StaticTopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType policyType, final String id, final Optional<VersionPatterns> constraints, final Deque<String> policySetRefChain)
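Review bot: this `checkJoinedPolicyRefChain` override is byte-for-byte the same as the one added to the inner bootstrap provider above and to `MongoDBRefPolicyProviderModule` in this commit: `return Helper.checkJoinedPolicyRefChain(policyRefChain1, policyRefChain2, maxPolicySetRefDepth);`. Since `BaseStaticRefPolicyProviderModule` already receives `maxPolicySetRefDepth` in its constructor, a default implementation in the base class would remove the three copies and make it harder for a future provider to forget the depth check.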
......@@ -642,8 +652,9 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
return policyEntry.getValue();
}
// Request for PolicySet (from PolicySetIdReference)
final Deque<String> newPolicySetRefChain = Utils.appendAndCheckPolicyRefChain(policySetRefChain, Collections.singletonList(id), maxPolicySetRefDepth);
/*
* Request for PolicySet (not necessarily from PolicySetIdReference, but also from CoreRefBasedRootPolicyProviderModule#CoreRefBasedRootPolicyProviderModule(...) or else)
*/
final Entry<PolicyVersion, StaticTopLevelPolicyElementEvaluator> policyEntry = policySetEvaluatorMap.get(id, constraints);
if (policyEntry == null)
{
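Review bot: the removed `Utils.appendAndCheckPolicyRefChain(policySetRefChain, Collections.singletonList(id), maxPolicySetRefDepth)` was the only place in this method where the requested `id` was checked against the incoming chain; the new comment says the request is "not necessarily from PolicySetIdReference, but also from CoreRefBasedRootPolicyProviderModule", which explains why an unconditional append was wrong for the root case, but it does not say where the circular-reference check for the PolicySetIdReference case now lives. A short pointer to the new owner of that check (the caller, or `Helper.checkJoinedPolicyRefChain`) would help the next reader.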
......@@ -654,7 +665,7 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
* check total policy ref depth, i.e. length of (newAncestorPolicySetRefChain + parsed policySet's longest (nested) policy ref chain) <= maxPolicySetRefDepth
*/
final StaticTopLevelPolicyElementEvaluator policy = policyEntry.getValue();
Utils.appendAndCheckPolicyRefChain(newPolicySetRefChain, policy.getExtraPolicyMetadata().getLongestPolicyRefChain(), maxPolicySetRefDepth);
checkJoinedPolicyRefChain(policySetRefChain, policy.getExtraPolicyMetadata().getLongestPolicyRefChain());
return policy;
}
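Review bot: same off-by-one question as in the inner class: the comment still reads "length of (newAncestorPolicySetRefChain + ...)" while the call is now `checkJoinedPolicyRefChain(policySetRefChain, policy.getExtraPolicyMetadata().getLongestPolicyRefChain())` with the requesting chain not extended by `id`. Please state in the comment whether the requested PolicySet is counted on the `policySetRefChain` side or inside `getLongestPolicyRefChain()`, so the configured `maxPolicySetRefDepth` is enforced exactly rather than plus one.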
......@@ -665,12 +676,4 @@ public class CoreRefPolicyProviderModule implements StaticRefPolicyProviderModul
// maps are immutable, nothing to clear
}
/** {@inheritDoc} */
@Override
public TopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType policyType, final String policyId, final Optional<VersionPatterns> policyVersionConstraints,
final Deque<String> policySetRefChain, final EvaluationContext evaluationCtx) throws IllegalArgumentException, IndeterminateEvaluationException
{
return get(policyType, policyId, policyVersionConstraints, policySetRefChain);
}
}
......@@ -30,7 +30,6 @@
<artifactId>mongo-java-driver</artifactId>
<!-- See this issue for compatibility with Jongo: https://github.com/bguerout/jongo/issues/254 -->
<version>2.14.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.jongo</groupId>
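Review bot: removing `<scope>test</scope>` from `mongo-java-driver` 2.14.2 turns it into a compile-scope, transitive dependency of every consumer of the pdp-testutils artifact, whereas the changelog describes the MongoDB PolicyProvider as being "for testing and documentation purposes". If that is still the intent, marking the driver (and Jongo below it) `<optional>true</optional>` keeps them off downstream classpaths by default, which also limits the supply-chain surface shipped to users who never touch the MongoDB provider.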
......
......@@ -24,6 +24,7 @@ import java.io.IOException;
import java.io.StringReader;
import java.net.UnknownHostException;
import java.util.Deque;
import java.util.List;
import java.util.Map;
import java.util.Optional;
......@@ -35,19 +36,17 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicySet;
import org.jongo.Jongo;
import org.jongo.MongoCollection;
import org.ow2.authzforce.core.pdp.api.EnvironmentProperties;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.JaxbXACMLUtils.XACMLParserFactory;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.api.XMLUtils.NamespaceFilteringParser;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgRegistry;
import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.policy.BaseStaticRefPolicyProviderModule;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersion;
import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPattern;
import org.ow2.authzforce.core.pdp.api.policy.RefPolicyProviderModule;
import org.ow2.authzforce.core.pdp.api.policy.StaticRefPolicyProviderModule;
import org.ow2.authzforce.core.pdp.api.policy.StaticTopLevelPolicyElementEvaluator;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementEvaluator;
import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
import org.ow2.authzforce.core.pdp.api.policy.VersionPatterns;
import org.ow2.authzforce.core.pdp.impl.policy.PolicyEvaluators;
......@@ -71,7 +70,7 @@ import com.mongodb.ServerAddress;
* TODO: performance optimization: cache results of {@link #get(TopLevelPolicyElementType, String, Optional, Deque)} to avoid repetitive requests to database server
*
*/
public class MongoDBRefPolicyProviderModule implements StaticRefPolicyProviderModule
public class MongoDBRefPolicyProviderModule extends BaseStaticRefPolicyProviderModule
{
/**
* 'type' value expected in policy documents stored in database for XACML Policies
......@@ -89,11 +88,11 @@ public class MongoDBRefPolicyProviderModule implements StaticRefPolicyProviderMo
private final XACMLParserFactory xacmlParserFactory;
private final ExpressionFactory expressionFactory;
private final CombiningAlgRegistry combiningAlgRegistry;
private final int maxPolicySetRefDepth;
private MongoDBRefPolicyProviderModule(final String id, final ServerAddress serverAddress, final String dbName, final String collectionName, final XACMLParserFactory xacmlParserFactory,
final ExpressionFactory expressionFactory, final CombiningAlgRegistry combiningAlgRegistry, final int maxPolicySetRefDepth)
{
super(maxPolicySetRefDepth);
assert id != null && !id.isEmpty() && dbName != null && !dbName.isEmpty() && collectionName != null && !collectionName.isEmpty() && xacmlParserFactory != null && expressionFactory != null
&& combiningAlgRegistry != null;
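Review bot: the assertion checks `id`, `dbName`, `collectionName`, `xacmlParserFactory`, `expressionFactory` and `combiningAlgRegistry` but not `serverAddress`, even though it is a constructor parameter on the same line; add `serverAddress != null` so a misconfigured provider fails here rather than at first database access. Note also that the raw `maxPolicySetRefDepth` goes straight to `super(...)`, unlike `CoreRefPolicyProviderModule`, which normalizes negative values to unlimited for its own copy; whichever convention the base class uses should be documented on the constructor parameter.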
......@@ -104,7 +103,6 @@ public class MongoDBRefPolicyProviderModule implements StaticRefPolicyProviderMo
this.xacmlParserFactory = xacmlParserFactory;
this.expressionFactory = expressionFactory;
this.combiningAlgRegistry = combiningAlgRegistry;
this.maxPolicySetRefDepth = maxPolicySetRefDepth;
}
/**
......@@ -163,6 +161,12 @@ public class MongoDBRefPolicyProviderModule implements StaticRefPolicyProviderMo
}
@Override
public Deque<String> checkJoinedPolicyRefChain(final Deque<String> policyRefChain1, final List<String> policyRefChain2)
{
return Helper.checkJoinedPolicyRefChain(policyRefChain1, policyRefChain2, maxPolicySetRefDepth);
}
@Override
public void close() throws IOException
{
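Review bot: `maxPolicySetRefDepth` is referenced here although the private field of that name is deleted in the hunk above, so this must resolve to a field inherited from `BaseStaticRefPolicyProviderModule`. Given that the base class already owns the value and this override only forwards it to `Helper.checkJoinedPolicyRefChain`, the method is a candidate to move into the base class rather than being repeated in each provider.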
......@@ -342,11 +346,4 @@ public class MongoDBRefPolicyProviderModule implements StaticRefPolicyProviderMo
+ jaxbPolicyOrPolicySetObj.getClass().getCanonicalName() + ". Expected: " + Policy.class.getCanonicalName() + ", " + PolicySet.class.getCanonicalName(),
StatusHelper.STATUS_PROCESSING_ERROR);
}
@Override
public TopLevelPolicyElementEvaluator get(final TopLevelPolicyElementType policyType, final String policyId, final Optional<VersionPatterns> policyVersionPatterns,
final Deque<String> policySetRefChain, final EvaluationContext evaluationCtx) throws IllegalArgumentException, IndeterminateEvaluationException
{
return get(policyType, policyId, policyVersionPatterns, policySetRefChain);
}
}