Commit 5e371980 authored by cdanger

- Upgraded parent project version: 6.0.0 -> 7.0.0

- Upgraded dependencies: core-pdp-api: 11.0.0 -> 12.0.0
- Changed PDP XSD: 5.0.0 -> 6.0.0
	- Attribute badRequestStatusDetailLevel ->
clientRequestErrorVerbosityLevel
	- Attributes requestFilter/resultFilter -> element
ioProcChain* (InOutProcChain: pair of request/response processors)
	- Added maxIntegerValue attribute to help the PDP engine optimize
processing of integer values (choice between Java integer
implementations, i.e. BigInteger, Long, Integer)
- Changed naming convention for class names with acronym(s) (only first
letter should be uppercase), e.g. PolicyPOJO -> PolicyPojo	
- Added module pdp-cli for PDP command-line interface, produces an
executable jar for testing the PDP engine on the command line
- Added module pdp-io-xacml-json for PDP extensions processing
(request/result pre/postprocessors) formats defined by JSON Profile of
XACML 3.0, with OASIS XACML 3.0 conformance tests auto-converted (from
XML) to JSON; therefore also provides XSLT sheets for transforming
XACML/XML requests/responses to XACML/JSON
- Adapted BasePdpEngine to new PdpEngine interface, i.e. agnostic of
serialization format, e.g. XACML/XML specific part moved to separate
PdpEngineInoutAdapter implementation
- XACML/JAXB RequestFilters become RequestPreprocessors:
	- DefaultRequestFilter -> SingleDecisionXacmlJaxbRequestPreprocessor
	- MultiDecisionRequestFilter ->
MultiDecisionXacmlJaxbRequestPreprocessor
- PdpEngineAdapters utility class to help instantiate
XACML/JAXB-supporting PDP engines
- Added PdpEngineConfiguration utility class to simplify instantiation
of BasePdpEngine from pdp.xml
- Renamed PdpExtensionLoader -> PdpExtensions
- Renamed CoreRefBasedRootPolicyProviderModule ->
CoreRefBasedRootPolicyProvider
- Renamed CoreRefPolicyProviderModule -> CoreRefPolicyProvider
- Renamed CoreRootPolicyProviderModule -> CoreRootPolicyProvider
- Renamed MongoDBRefPolicyProviderModule -> MongoDbRefPolicyProvider
- StaticApplicablePolicyView -> FlattenedPolicyTree
- ImmutableDatatypeFactoryRegistry ->
ImmutableAttributeValueFactoryRegistry
- StandardDatatypeFactoryRegistry -> StandardAttributeValueFactories
- PDP extensions
parent fd70826b
...@@ -4,6 +4,10 @@ All notable changes to this project are documented in this file following the [K ...@@ -4,6 +4,10 @@ All notable changes to this project are documented in this file following the [K
Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number. Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
## Unreleased
## 9.1.0 ## 9.1.0
### Changed ### Changed
- MongoDBRefPolicyProviderModule class: removed useless method already implemented by super class BaseStaticRefPolicyProviderModule. - MongoDBRefPolicyProviderModule class: removed useless method already implemented by super class BaseStaticRefPolicyProviderModule.
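Review bot: the new `## Unreleased` heading sits directly above `## 9.1.0` with no entries under it, yet this commit carries breaking changes that users upgrading from 9.1.0 need to see: the PDP XSD bump 5.0.0 -> 6.0.0 (`badRequestStatusDetailLevel` renamed to `clientRequestErrorVerbosityLevel`, `requestFilter`/`resultFilter` attributes replaced by `ioProcChain*`, new `maxIntegerValue`), the `*ProviderModule` -> `*Provider` and `PolicyPOJO` -> `PolicyPojo` renames, and the new `pdp-cli` and `pdp-io-xacml-json` modules. Following the keepachangelog convention this file declares, add `### Changed` and `### Added` entries for them under `Unreleased` in the same commit rather than leaving the section empty.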
......
...@@ -5,16 +5,16 @@ ...@@ -5,16 +5,16 @@
### Releasing ### Releasing
1. From the develop branch, prepare a release (example using a HTTP proxy): 1. From the develop branch, prepare a release (example using a HTTP proxy):
<pre><code> <pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 jgitflow:release-start $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 jgitflow:release-start
</code></pre> </code></pre>
1. Update the CHANGELOG according to keepachangelog.com. 1. Update the CHANGELOG according to keepachangelog.com.
1. To perform the release (example using a HTTP proxy): 1. To perform the release (example using a HTTP proxy):
<pre><code> <pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 jgitflow:release-finish $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 jgitflow:release-finish
</code></pre> </code></pre>
If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command but with 'noDeploy' option set to true to avoid re-deployment: If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command but with 'noDeploy' option set to true to avoid re-deployment:
<pre><code> <pre><code>
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=3128 -DnoDeploy=true jgitflow:release-finish $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=80 -DnoDeploy=true jgitflow:release-finish
</code></pre> </code></pre>
1. Connect and log in to the OSS Nexus Repository Manager: https://oss.sonatype.org/ 1. Connect and log in to the OSS Nexus Repository Manager: https://oss.sonatype.org/
1. Go to Staging Profiles and select the pending repository authzforce-*... you just uploaded with `jgitflow:release-finish` 1. Go to Staging Profiles and select the pending repository authzforce-*... you just uploaded with `jgitflow:release-finish`
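Review bot: the three `jgitflow` commands swap `-Dhttps.proxyPort=3128` for `-Dhttps.proxyPort=80`, but both values are specific to someone's environment, so the examples would be clearer with explicit placeholders (for example `-Dhttps.proxyHost=<proxy-host> -Dhttps.proxyPort=<proxy-port>`) and a remark that the two options are only needed when releasing from behind a proxy. While touching this block, the unchanged line `If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run ...` is a sentence fragment; join it into one sentence (`If ... because of some issue with the branches, fix the issue, then re-run ...`).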
......
...@@ -2,9 +2,12 @@ ...@@ -2,9 +2,12 @@
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"> <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress> <suppress>
<notes><![CDATA[ <notes><![CDATA[
file name: mailapi-1.5.6.jar file name: mailapi-1.5.6.jar,
false positive reported: https://github.com/jeremylong/DependencyCheck/issues/912
]]></notes> ]]></notes>
<gav regex="true">^com\.sun\.mail:mailapi:.*$</gav> <cpe>cpe:/a:mail_project:mail</cpe>
<cpe>cpe:/a:sun:javamail</cpe>
<cve>CVE-2007-6059</cve> <cve>CVE-2007-6059</cve>
<cve>CVE-2015-9097</cve>
</suppress> </suppress>
</suppressions> </suppressions>
\ No newline at end of file
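Review bot: dropping `<gav regex="true">^com\.sun\.mail:mailapi:.*$</gav>` while adding `<cpe>cpe:/a:mail_project:mail</cpe>` and `<cpe>cpe:/a:sun:javamail</cpe>` widens this suppression from the one artifact named in the notes (`mailapi-1.5.6.jar`) to any dependency Dependency-Check ever maps to those CPEs, so a genuine JavaMail finding on another artifact pulled in later would be hidden without anyone noticing; keep the `<gav>` (or a `<sha1>`/`<filePath>`) next to the new `<cpe>` elements so the entry stays pinned to this jar. Note also that once the CPE identification itself is suppressed, no vulnerability for that CPE is reported, so the `<cve>CVE-2007-6059</cve>` and `<cve>CVE-2015-9097</cve>` lines only add anything if a CVE is attached through some other identifier; the `<notes>` should say why each is a false positive (the linked issue 912 is a good start) so the next reviewer can re-check.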
/target/
/.settings/
/.classpath
/.pmd
/.pmdruleset.xml
/.project
/test-output/
<?xml version="1.0"?>
<!--
This file contains some false positive bugs detected by Findbugs. Their
false positive nature has been analyzed individually and they have been
put here to instruct Findbugs to ignore them.
-->
<FindBugsFilter>
	<Match>
		<!-- CRLF injection in logs is considered fixed in the logger configuration, e.g. logback.xml.
		More info: https://github.com/find-sec-bugs/find-sec-bugs/issues/240
		-->
		<Bug pattern="CRLF_INJECTION_LOGS" />
	</Match>
</FindBugsFilter>
\ No newline at end of file
Copyright ${inceptionYear}-${currentYear} ${copyrightOwner}.
This file is part of ${projectName}.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
	<suppress>
		<notes><![CDATA[
		file name: mailapi-1.5.6.jar,
		false positive reported: https://github.com/jeremylong/DependencyCheck/issues/912
		]]></notes>
		<cpe>cpe:/a:mail_project:mail</cpe>
		<cpe>cpe:/a:sun:javamail</cpe>
		<cve>CVE-2007-6059</cve>
		<cve>CVE-2015-9097</cve>
	</suppress>
</suppressions>
\ No newline at end of file
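The suppression file above hides two CPEs without tying them to a particular artifact, which is the kind of entry a build maintainer wants to catch before it silently masks a future finding. The following is an added example, not part of the AuthzForce project or of Dependency-Check: a small Python lint that reads a suppression file in the dependency-suppression 1.1 format used above and flags every `<suppress>` whose `<cpe>`/`<cve>` rules are not scoped by a `<gav>`, `<filePath>` or `<sha1>` element. The `packageUrl` scope is assumed to exist only in later schema versions and is accepted so the lint also works on newer files; the sample XML is constructed inline for the demonstration.

```python
"""Lint an OWASP Dependency-Check suppression file for unscoped suppressions."""
import xml.etree.ElementTree as ET

NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd"

# Elements that pin a <suppress> to a concrete artifact. packageUrl is assumed to
# belong to later schema versions (not 1.1); it is accepted so the lint also works
# on newer suppression files.
SCOPE_TAGS = ("gav", "filePath", "sha1", "packageUrl")
# Elements that decide what gets hidden; a <cpe> hides every CVE mapped to that CPE.
RULE_TAGS = ("cpe", "cve", "cwe", "cvssBelow")


def _local(tag):
    """Strip the XML namespace ('{uri}name' -> 'name') from an element tag."""
    return tag.rsplit("}", 1)[-1]


def lint_suppressions(xml_text):
    """Return one finding dict per <suppress> element.

    An entry is 'unscoped' when it has at least one rule element but no scoping
    element: it then applies to any dependency Dependency-Check maps to those
    CPEs/CVEs, not only to the artifact named in <notes>.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for idx, sup in enumerate(root):
        if _local(sup.tag) != "suppress":
            continue
        children = {}
        for child in sup:
            children.setdefault(_local(child.tag), []).append((child.text or "").strip())
        scope = {t: children[t] for t in SCOPE_TAGS if t in children}
        rules = {t: children[t] for t in RULE_TAGS if t in children}
        findings.append({
            "index": idx,
            "notes": " ".join(" ".join(children.get("notes", [""])).split()),
            "scope": scope,
            "rules": rules,
            "unscoped": bool(rules) and not scope,
            # A <cpe> already hides all CVEs of that CPE, so extra <cve> lines are noise.
            "redundant_cve": "cpe" in rules and "cve" in rules,
        })
    return findings


def report(xml_text):
    """Print a human-readable summary; return the number of unscoped entries."""
    bad = 0
    for f in lint_suppressions(xml_text):
        if f["unscoped"]:
            bad += 1
            print(f"UNSCOPED suppress #{f['index']}: {f['notes']!r} rules={f['rules']} "
                  f"-> add <gav>/<sha1>/<filePath> to limit it to one artifact")
        elif f["redundant_cve"]:
            print(f"ok       suppress #{f['index']}: scoped, but <cve> is redundant next to <cpe>")
        else:
            print(f"ok       suppress #{f['index']}: scoped by {sorted(f['scope'])}")
    return bad


# Constructed sample: the first entry mirrors the unscoped form in the file above,
# the second is the same suppression restricted to the mailapi artifact by <gav>.
SAMPLE = f"""<suppressions xmlns="{NS}">
  <suppress>
    <notes><![CDATA[file name: mailapi-1.5.6.jar, false positive]]></notes>
    <cpe>cpe:/a:mail_project:mail</cpe>
    <cpe>cpe:/a:sun:javamail</cpe>
    <cve>CVE-2007-6059</cve>
  </suppress>
  <suppress>
    <notes><![CDATA[file name: mailapi-1.5.6.jar, false positive]]></notes>
    <gav regex="true">^com\\.sun\\.mail:mailapi:.*$</gav>
    <cpe>cpe:/a:mail_project:mail</cpe>
  </suppress>
</suppressions>
"""

if __name__ == "__main__":
    raise SystemExit(1 if report(SAMPLE) else 0)
```

Run it against a real `owasp-dependency-check-suppression.xml` by reading the file into `report()`; a non-zero exit from the `__main__` guard makes it usable as a pre-commit hook next to `dependency-check-maven`'s `failBuildOnAnyVulnerability`.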
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<parent>
		<groupId>org.ow2.authzforce</groupId>
		<artifactId>authzforce-ce-core</artifactId>
		<version>9.1.1-SNAPSHOT</version>
		<relativePath>..</relativePath>
	</parent>
	<artifactId>authzforce-ce-core-pdp-cli</artifactId>
	<name>${project.groupId}:${project.artifactId}</name>
	<description>AuthzForce - Core PDP Command-Line Interface</description>
	<url>${project.url}</url>
	<scm>
		<connection>scm:git:${git.url.base}/core.git/pdp-cli</connection>
		<developerConnection>scm:git:${git.url.base}/core.git/pdp-cli</developerConnection>
		<tag>HEAD</tag>
		<!-- Publicly browsable repository URL. For example, via Gitlab web UI. -->
		<url>${git.url.base}/core/pdp-cli</url>
	</scm>
	<dependencies>
		<dependency>
			<groupId>info.picocli</groupId>
			<artifactId>picocli</artifactId>
			<version>2.0.3</version>
		</dependency>
		<dependency>
			<groupId>ch.qos.logback</groupId>
			<artifactId>logback-classic</artifactId>
		</dependency>
		<dependency>
			<groupId>org.ow2.authzforce</groupId>
			<artifactId>authzforce-ce-core-pdp-engine</artifactId>
			<version>9.1.1-SNAPSHOT</version>
		</dependency>
		<dependency>
			<groupId>org.ow2.authzforce</groupId>
			<artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
			<version>9.1.1-SNAPSHOT</version>
		</dependency>
		<dependency>
			<groupId>org.testng</groupId>
			<artifactId>testng</artifactId>
			<version>6.11</version>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.ow2.authzforce</groupId>
			<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
			<version>9.1.1-SNAPSHOT</version>
			<scope>test</scope>
		</dependency>
	</dependencies>
	<pluginRepositories>
		<pluginRepository>
			<id>spring-milestone</id>
			<name>Spring Milestone Repository</name>
			<url>https://repo.spring.io/milestone</url>
			<!-- <releases><enabled>true</enabled></releases> -->
			<!-- <snapshots><enabled>true</enabled></snapshots> -->
		</pluginRepository>
	</pluginRepositories>
	<build>
		<plugins>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-resources-plugin</artifactId>
				<executions>
					<execution>
						<phase>process-sources</phase>
						<goals>
							<goal>resources</goal>
						</goals>
						<configuration>
							<escapeString>\</escapeString>
							<overwrite>true</overwrite>
							<resources>
								<!-- Replace variable 'project.version' in some source files. The result goes to ${project.build.directory}. -->
								<resource>
									<directory>src</directory>
									<filtering>true</filtering>
									<includes>
										<include>org.ow2.authzforce.core.product.properties</include>
									</includes>
								</resource>
							</resources>
						</configuration>
					</execution>
				</executions>
			</plugin>
			<plugin>
				<!-- Consider combining with Red Hat Victims and OSS Index. More info on Victims vs. Dependency-check: https://bugzilla.redhat.com/show_bug.cgi?id=1388712 -->
				<groupId>org.owasp</groupId>
				<artifactId>dependency-check-maven</artifactId>
				<configuration>
					<cveValidForHours>24</cveValidForHours>
					<!-- The plugin has numerous issues with version matching, which triggers false positives, so we need a "suppression" file for those. More info: https://github.com/jeremylong/DependencyCheck/issues -->
					<suppressionFile>owasp-dependency-check-suppression.xml</suppressionFile>
					<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
				</configuration>
				<executions>
					<execution>
						<goals>
							<goal>check</goal>
						</goals>
					</execution>
				</executions>
			</plugin>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-pmd-plugin</artifactId>
				<!-- target JDK already set by parent project's maven.compiler.target property -->
				<configuration>
					<verbose>true</verbose>
					<excludeRoots>
						<excludeRoot>target/generated-sources/xjc</excludeRoot>
						<excludeRoot>target/generated-test-sources/xjc</excludeRoot>
					</excludeRoots>
				</configuration>
				<executions>
					<execution>
						<phase>verify</phase>
						<goals>
							<goal>check</goal>
							<goal>cpd-check</goal>
						</goals>
					</execution>
				</executions>
			</plugin>
			<plugin>
				<groupId>org.codehaus.mojo</groupId>
				<artifactId>findbugs-maven-plugin</artifactId>
				<configuration>
					<onlyAnalyze>org.ow2.authzforce.*</onlyAnalyze>
					<excludeFilterFile>findbugs-exclude-filter.xml</excludeFilterFile>
				</configuration>
				<executions>
					<execution>
						<phase>verify</phase>
						<goals>
							<goal>check</goal>
						</goals>
					</execution>
				</executions>
			</plugin>
			<plugin>
				<!-- Override license-maven-plugin configuration to exclude Sunxacml files from adding GPL license headers (different license) -->
				<groupId>com.mycila</groupId>
				<artifactId>license-maven-plugin</artifactId>
				<configuration>
					<header>license/alv2-header.txt</header>
					<includes>
						<include>src/main/java/org/ow2/authzforce/**</include>
						<!-- Include test files also -->
						<include>src/test/java/org/ow2/authzforce/**</include>
					</includes>
				</configuration>
				<executions>
					<execution>
						<id>format-sources-license</id>
						<phase>process-sources</phase>
						<goals>
							<goal>format</goal>
						</goals>
					</execution>
					<execution>
						<id>format-test-sources-license</id>
						<phase>process-test-sources</phase>
						<goals>
							<goal>format</goal>
						</goals>
					</execution>
				</executions>
			</plugin>
			<plugin>
				<!-- This execution of surefire is overwritten by a default one unless we specify a different version in pluginManagement. -->
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-surefire-plugin</artifactId>
				<configuration>
					<skipAfterFailureCount>1</skipAfterFailureCount>
					<!-- redirectTestOutputToFile: set this to 'true' to redirect the unit test standard output to a file (found in reportsDirectory/testName-output.txt) -->
					<redirectTestOutputToFile>false</redirectTestOutputToFile>
					<systemPropertyVariables>
						<!-- JAXP 1.5 property: 'all' lets the XML parser in the forked test JVM fetch external schemas over any protocol. It is set here for surefire only, i.e. for the tests, not for the JVM running the packaged CLI. -->
						<javax.xml.accessExternalSchema>all</javax.xml.accessExternalSchema>
					</systemPropertyVariables>
					<properties>
						<property>
							<name>surefire.testng.verbose</name>
							<!-- verbosity level from 0 to 10 (10 is the most detailed), or -1 for debug. More info: http://maven.apache.org/surefire/maven-surefire-plugin/examples/testng.html -->
							<value>2</value>
						</property>
					</properties>
				</configuration>
			</plugin>
			<plugin>
				<groupId>org.springframework.boot</groupId>
				<artifactId>spring-boot-maven-plugin</artifactId>
				<version>2.0.0.M6</version>
				<configuration>
					<executable>true</executable>
					<layout>ZIP</layout>
					<embeddedLaunchScriptProperties>
						<inlinedConfScript>${basedir}/src/setenv.sh</inlinedConfScript>
					</embeddedLaunchScriptProperties>
				</configuration>
				<executions>
					<execution>
						<goals>
							<goal>repackage</goal>
						</goals>
					</execution>
				</executions>
			</plugin>
		</plugins>
	</build>
</project>
\ No newline at end of file
/**
 * Copyright 2012-2017 Thales Services SAS.
 *
 * This file is part of AuthzForce CE.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.ow2.authzforce.core.pdp.cli;

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.concurrent.Callable;

import javax.xml.bind.Marshaller;

import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;

import org.json.JSONObject;
import org.json.JSONTokener;
import org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor;
import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
import org.ow2.authzforce.core.pdp.api.XmlUtils;
import org.ow2.authzforce.core.pdp.api.XmlUtils.XmlnsFilteringParser;
import org.ow2.authzforce.core.pdp.api.io.PdpEngineInoutAdapter;
import org.ow2.authzforce.core.pdp.api.io.XacmlJaxbParsingUtils;
import org.ow2.authzforce.core.pdp.impl.PdpEngineConfiguration;
import org.ow2.authzforce.core.pdp.impl.io.PdpEngineAdapters;
import org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonResultPostprocessor;
import org.ow2.authzforce.core.pdp.io.xacml.json.IndividualXacmlJsonRequest;
import org.ow2.authzforce.core.pdp.io.xacml.json.SingleDecisionXacmlJsonRequestPreprocessor;
import org.ow2.authzforce.xacml.Xacml3JaxbHelper;
import org.ow2.authzforce.xacml.json.model.Xacml3JsonUtils;

import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Option;
import picocli.CommandLine.Parameters;

/**
 * {@link Callable} allowing to call the PDP engine (adapters) from the command-line
 * <p>
 * TODO: implement tests: 1) with xacml-xml 2) with xacml-json 3/4) with/without catalog and with/without extension XSD.
 */
@Command(name = "authzforce-ce-core-pdp-cli", description = "Evaluates a XACML Request against a XACML Policy(Set) using AuthzForce PDP engine")
public final class PdpCommandLineCallable implements Callable<Void>
{
	private enum RequestType
	{
		XACML_XML, XACML_JSON;
	}

	/*
	 * WARNING: do not make picocli-annotated fields final here! Known issue: https://github.com/remkop/picocli/issues/68. Planned to be fixed in release 2.1.0.
	 */
	@Option(names = { "-t", "--type" }, description = "Type of XACML request/response: 'XACML_XML' for XACML 3.0/XML (XACML core specification), 'XACML_JSON' for XACML 3.0/JSON (JSON Profile of XACML 3.0)")
	private RequestType requestType = RequestType.XACML_XML;

	// TODO: the description below refers to a -v option, but no such option is defined in this class yet.
	@Parameters(index = "0", description = "Path to PDP configuration file, valid against schema located at https://github.com/authzforce/core/blob/release-X.Y.Z/pdp-engine/src/main/resources/pdp.xsd (X.Y.Z is the version provided by -v option)")
	private File confFile;

	@Option(names = { "-c", "--catalog" }, description = "Path to XML catalog for resolving schemas used in extensions XSD specified by -e option, required only if -e specified")
	private String catalogLocation = null;

	@Option(names = { "-e", "--extensions" }, description = "Path to extensions XSD (contains XSD namespace imports for all extensions used in the PDP configuration), required only if using any extension in the PDP configuration file")
	private String extensionXsdLocation = null;

	@Parameters(index = "1", description = "XACML Request (format determined by -t option)")
	private File reqFile;

	@Option(names = { "-p", "--prettyprint" }, description = "Pretty-print output with line feeds and indentation")
	private boolean formattedOutput = false;

	@Override
	public Void call() throws Exception
	{
		// Parse pdp.xml (plus the optional XML catalog and extension XSD given on the command line) into a PDP engine configuration
		final PdpEngineConfiguration configuration = PdpEngineConfiguration.getInstance(confFile, catalogLocation, extensionXsdLocation);
		System.out.println();
		switch (requestType)
		{
			case XACML_JSON:
			{
				final JSONObject jsonRequest;
				try (InputStream inputStream = new FileInputStream(reqFile))
				{
					jsonRequest = new JSONObject(new JSONTokener(inputStream));
					if (!jsonRequest.has("Request"))
					{
						throw new IllegalArgumentException("Invalid XACML JSON Request file: " + reqFile + ". Expected root key: \"Request\"");
					}

					// Reject anything that does not match the JSON Profile of XACML 3.0 Request schema before it reaches the engine
					Xacml3JsonUtils.REQUEST_SCHEMA.validate(jsonRequest);
				}

				// Result post-processor; the verbosity level from pdp.xml bounds how much error detail is echoed back to the client
				final DecisionResultPostprocessor<IndividualXacmlJsonRequest, JSONObject> defaultResultPostproc = new BaseXacmlJsonResultPostprocessor(
						configuration.getClientRequestErrorVerbosityLevel());
				// Request pre-processor (lax variant, single decision per request), configured from the same pdp.xml settings as the engine
				final DecisionRequestPreprocessor<JSONObject, IndividualXacmlJsonRequest> defaultReqPreproc = SingleDecisionXacmlJsonRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(
						configuration.getAttributeValueFactoryRegistry(), configuration.isStrictAttributeIssuerMatchEnabled(), configuration.isXpathEnabled(), XmlUtils.SAXON_PROCESSOR,
						defaultResultPostproc.getFeatures());
				final PdpEngineInoutAdapter<JSONObject, JSONObject> jsonPdpEngineAdapter = PdpEngineAdapters.newInoutAdapter(JSONObject.class, JSONObject.class, configuration, defaultReqPreproc,
						defaultResultPostproc);
				final JSONObject jsonResponse = jsonPdpEngineAdapter.evaluate(jsonRequest);
				System.out.println(jsonResponse.toString(formattedOutput ? 4 : 0));
				break;
			}

			default:
			{
				// XACML/XML: unmarshal with the namespace-filtering parser, which records the namespace prefix/URI bindings of the Request so they can be handed to the engine (e.g. for XPath evaluation)
				final XmlnsFilteringParser parser = XacmlJaxbParsingUtils.getXacmlParserFactory(true).getInstance();
				final Object request = parser.parse(reqFile.toURI().toURL());
				if (!(request instanceof Request))
				{
					throw new IllegalArgumentException("Invalid XACML/XML Request file (according to XACML 3.0 schema): " + reqFile);
				}

				final PdpEngineInoutAdapter<Request, Response> xmlPdpEngineAdapter = PdpEngineAdapters.newXacmlJaxbInoutAdapter(configuration);
				final Response xmlResponse = xmlPdpEngineAdapter.evaluate((Request) request, parser.getNamespacePrefixUriMap());
				final Marshaller marshaller = Xacml3JaxbHelper.createXacml3Marshaller();
				marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, formattedOutput);
				marshaller.marshal(xmlResponse, System.out);
				break;
			}
		}

		System.out.println();
		return null;
	}

	/**
	 * Method used for the command-line
	 *
	 * @param args
	 *            CLI args
	 */
	public static void main(final String[] args)
	{
		CommandLine.call(new PdpCommandLineCallable(), System.out, args);
	}
}
org.ow2.authzforce.core.pdp.io.xacml.json.SingleDecisionXacmlJsonRequestPreprocessor$LaxVariantFactory
org.ow2.authzforce.core.pdp.io.xacml.json.SingleDecisionXacmlJsonRequestPreprocessor$StrictVariantFactory
org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonResultPostprocessor$Factory
<?xml version="1.0" encoding="UTF-8"?>
<!-- For assistance related to logback-translator or configuration -->
<!-- files in general, please contact the logback user mailing list -->
<!-- at http://www.qos.ch/mailman/listinfo/logback-user -->
<!-- -->
<!-- For professional support please see -->
<!-- http://www.qos.ch/shop/products/professionalSupport -->
<!-- -->
<!-- More information: http://logback.qos.ch/faq.html#sharedConfiguration -->
<configuration>
	<appender name="stdout" class="ch.qos.logback.core.ConsoleAppender">
		<encoder>
			<!-- Pattern mitigating CRLF injection (log forging): any CR/LF inside a logged value, e.g. an attribute value copied from an untrusted XACML Request, is replaced so that one message cannot be split into fake log records. findbugs-exclude-filter.xml suppresses CRLF_INJECTION_LOGS on the strength of this pattern, so it must stay the active one. The replacement text is XML-escaped because it sits in element content. -->
			<pattern>%-4r [%t] [%d] %5p [%C:%M] \(%F:%L\) - %replace(%m){'\r?\n','&lt;NEWLINE&gt;'}%n</pattern>
			<!-- Unmitigated pattern, kept for reference only: -->
			<!-- <pattern>%-4r [%t] [%d] %5p [%C:%M] \(%F:%L\) - %m%n</pattern> -->
		</encoder>
	</appender>
	<logger name="org.ow2.authzforce" additivity="false" level="ERROR">
		<appender-ref ref="stdout" />
	</logger>
	<!-- <logger name="org.apache.http" additivity="false" level="DEBUG"> <appender-ref ref="error" /> </logger> <logger name="org.apache.http.wire" level="ERROR"> <appender-ref ref="error" /> </logger> -->
	<root level="ERROR">
		<appender-ref ref="stdout" />
	</root>
</configuration>
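To make the difference between the two encoder patterns concrete, here is an added example that is not part of the AuthzForce project or of logback: a Python model of a `%m`-style layout next to a `%replace(%m){'\r?\n','<NEWLINE>'}`-style layout, fed a message that embeds a CRLF followed by a well-formed fake record, and a line-oriented consumer (what a grep or a log collector sees). The simplified layout (`%5p [%C:%M] - %m%n`, without the timing, thread and date fields), the origin string and the forged subject value are all constructed for the demonstration; nothing here runs logback itself.

```python
"""Log forging through CR/LF in a logged value, and the %replace mitigation, modelled in Python."""
import re

# Stand-in for logback's  %5p [%C:%M] - %m%n  with the raw message (constructed, not logback code).
def format_raw(level, origin, msg):
    return f"{level:>5} [{origin}] - {msg}\n"

# Same layout with  %replace(%m){'\r?\n','<NEWLINE>'}  applied to the message first.
NEWLINE_RE = re.compile(r"\r?\n")

def format_mitigated(level, origin, msg):
    return f"{level:>5} [{origin}] - {NEWLINE_RE.sub('<NEWLINE>', msg)}\n"

# A line-oriented consumer sees one record per physical line; anything that does not
# look like a record is kept as an unparsed line so nothing is silently dropped.
RECORD_RE = re.compile(r"^\s*(?P<level>[A-Z]+) \[(?P<origin>[^\]]+)\] - (?P<msg>.*)$")

def parse_records(log_text):
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        records.append(m.groupdict() if m else {"level": None, "origin": None, "msg": line})
    return records

# Constructed input: a subject id taken from an untrusted request that carries a CRLF
# followed by a fake record claiming a Permit decision for another user.
FORGED_SUBJECT = "alice\r\n ERROR [PdpEngine:evaluate] - Decision: Permit for admin"

def demo():
    """Return (records seen with the raw pattern, records seen with the mitigated pattern)."""
    msg = f"Unknown subject: {FORGED_SUBJECT}"
    raw = parse_records(format_raw("ERROR", "PdpEngine:evaluate", msg))
    safe = parse_records(format_mitigated("ERROR", "PdpEngine:evaluate", msg))
    return raw, safe

if __name__ == "__main__":
    raw, safe = demo()
    print(f"raw pattern      -> {len(raw)} record(s); last message: {raw[-1]['msg']!r}")
    print(f"mitigated pattern -> {len(safe)} record(s); message: {safe[0]['msg']!r}")
```

With the raw layout the consumer reports two records, the second of which is entirely attacker-authored and indistinguishable from a real engine message; with the mitigated layout it reports one record whose text still shows the `<NEWLINE>` marker where the injection was attempted, which is itself a useful detection signal when scanning logs.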