Commit 892a9f2f authored by cdanger's avatar cdanger

- Fixed PDP schema: remove fixed max (100) for maxVarRefDepth and

MaxPolicyRefDepth
- Javadoc fix: removed @author from all source files
parent 43fd6600
......@@ -26,10 +26,9 @@ package com.sun.xacml;
import java.util.Objects;
/**
* This class represents a port range as specified in the <code>dnsName</code> and <code>ipAddress</code> datatypes. The range may have upper and lower bounds,
* be specified by a single port number, or may be unbound.
*
* @author cdangerv
* This class represents a port range as specified in the <code>dnsName</code> and <code>ipAddress</code> datatypes. The range may have upper and lower bounds, be specified by a single port number, or
* may be unbound.
*
* @version $Id: $
*/
public final class PortRange
......@@ -53,8 +52,7 @@ public final class PortRange
}
/**
* Creates a <code>PortRange</code> with upper and lower bounds. Either of the parameters may have the value <code>UNBOUND</code> meaning that there is no
* bound at the respective end.
* Creates a <code>PortRange</code> with upper and lower bounds. Either of the parameters may have the value <code>UNBOUND</code> meaning that there is no bound at the respective end.
*
* @param lowerBound
* the lower-bound port number or <code>UNBOUND</code>
......@@ -116,8 +114,8 @@ public final class PortRange
}
/**
* Returns the lower-bound port value. If the range is not lower-bound, then this returns <code>UNBOUND</code>. If the range is actually a single port
* number, then this returns the same value as <code>getUpperBound</code>.
* Returns the lower-bound port value. If the range is not lower-bound, then this returns <code>UNBOUND</code>. If the range is actually a single port number, then this returns the same value as
* <code>getUpperBound</code>.
*
* @return the upper-bound
*/
......@@ -127,8 +125,8 @@ public final class PortRange
}
/**
* Returns the upper-bound port value. If the range is not upper-bound, then this returns <code>UNBOUND</code>. If the range is actually a single port
* number, then this returns the same value as <code>getLowerBound</code>.
* Returns the upper-bound port value. If the range is not upper-bound, then this returns <code>UNBOUND</code>. If the range is actually a single port number, then this returns the same value as
* <code>getLowerBound</code>.
*
* @return the upper-bound
*/
......@@ -168,8 +166,7 @@ public final class PortRange
}
/**
* Returns whether the range is unbound, which means that it specifies no port number or range. This is typically used with addresses that include no port
* information.
* Returns whether the range is unbound, which means that it specifies no port number or range. This is typically used with addresses that include no port information.
*
* @return true if the range is unbound, false otherwise
*/
......@@ -215,7 +212,9 @@ public final class PortRange
}
/**
* <p>encode</p>
* <p>
* encode
* </p>
*
* @return encoded port range
*/
......
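Review bot: The Javadoc of the lower-bound getter (hunk at -116,8) still ends with `@return the upper-bound`, apparently copied from the upper-bound getter below it, and this Javadoc-only commit reflows the comment without correcting it. The tag should read `@return the lower-bound port number, or UNBOUND if the range has no lower bound`. The method bodies are outside the hunk, so only the comment text is in question here.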
......@@ -29,7 +29,6 @@ import org.slf4j.LoggerFactory;
/**
* XACML AllOf evaluator
*
* @author cdangerv
* @version $Id: $
*/
public class AllOfEvaluator
......@@ -145,7 +144,6 @@ public class AllOfEvaluator
}
// No False but at least one Indeterminate (lastIndeterminate != null)
throw new IndeterminateEvaluationException("Error evaluating <AllOf>'s <Match>#" + lastIndeterminateChildIndex, lastIndeterminate.getStatusCode(),
lastIndeterminate);
throw new IndeterminateEvaluationException("Error evaluating <AllOf>'s <Match>#" + lastIndeterminateChildIndex, lastIndeterminate.getStatusCode(), lastIndeterminate);
}
}
......@@ -32,7 +32,6 @@ import org.slf4j.LoggerFactory;
/**
* AnyOf evaluator
*
* @author cdangerv
* @version $Id: $
*/
public class AnyOfEvaluator
......@@ -84,8 +83,8 @@ public class AnyOfEvaluator
}
/**
* Determines whether this <code>AnyOf</code> matches the input request (whether it is applicable). If all the AllOf values is No_Match so it's a No_Match.
* If all matches it's a Match. If None matches and at least one “Indeterminate�? it's Indeterminate
* Determines whether this <code>AnyOf</code> matches the input request (whether it is applicable). If all the AllOf values is No_Match so it's a No_Match. If all matches it's a Match. If None
* matches and at least one “Indeterminate�? it's Indeterminate
*
* <pre>
* AllOf values AnyOf value
......@@ -151,8 +150,7 @@ public class AnyOfEvaluator
}
// No Match and at least one Indeterminate (lastIndeterminate != null) -> Indeterminate
throw new IndeterminateEvaluationException("Error evaluating <AnyOf>'s <AllOf>#" + lastIndeterminateChildIndex, lastIndeterminate.getStatusCode(),
lastIndeterminate);
throw new IndeterminateEvaluationException("Error evaluating <AnyOf>'s <AllOf>#" + lastIndeterminateChildIndex, lastIndeterminate.getStatusCode(), lastIndeterminate);
}
}
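Review bot: The re-wrapped Javadoc in the -84,8 hunk keeps a mis-encoded closing quote, `“Indeterminate�?`, which looks like a curly quote that went through a wrong charset conversion in the source file. Since the comment is being rewritten anyway, plain ASCII quotes avoid the problem: `If none matches and at least one is "Indeterminate", it's Indeterminate`. The first sentence would also read better as `If all the AllOf values are No_Match, the result is No_Match.` The Javadoc continues past the end of the hunk.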
......@@ -39,7 +39,6 @@ import org.slf4j.LoggerFactory;
/**
* XACML AttributeAssignmentExpression evaluator
*
* @author cdangerv
* @version $Id: $
*/
public class AttributeAssignmentExpressionEvaluator extends AttributeAssignmentExpression
......@@ -48,8 +47,7 @@ public class AttributeAssignmentExpressionEvaluator extends AttributeAssignmentE
private final transient Expression<?> evaluatableExpression;
private static final UnsupportedOperationException UNSUPPORTED_SET_EXPRESSION_OPERATION_EXCEPTION = new UnsupportedOperationException(
"Unsupported operation: 'Expression' attribute is read-only");
private static final UnsupportedOperationException UNSUPPORTED_SET_EXPRESSION_OPERATION_EXCEPTION = new UnsupportedOperationException("Unsupported operation: 'Expression' attribute is read-only");
/*
* (non-Javadoc)
......@@ -76,8 +74,7 @@ public class AttributeAssignmentExpressionEvaluator extends AttributeAssignmentE
}
/**
* Instantiates evaluatable AttributeAssignment expression from XACML-Schema-derived JAXB
* {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeAssignmentExpression}
* Instantiates evaluatable AttributeAssignment expression from XACML-Schema-derived JAXB {@link oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeAssignmentExpression}
*
* @param jaxbAttrAssignExp
* XACML-schema-derived JAXB AttributeAssignmentExpression
......@@ -88,8 +85,7 @@ public class AttributeAssignmentExpressionEvaluator extends AttributeAssignmentE
* @throws java.lang.IllegalArgumentException
* invalid AttributeAssignmentExpression's Expression
*/
public AttributeAssignmentExpressionEvaluator(AttributeAssignmentExpression jaxbAttrAssignExp, XPathCompiler xPathCompiler, ExpressionFactory expFactory)
throws IllegalArgumentException
public AttributeAssignmentExpressionEvaluator(AttributeAssignmentExpression jaxbAttrAssignExp, XPathCompiler xPathCompiler, ExpressionFactory expFactory) throws IllegalArgumentException
{
// JAXB fields
this.attributeId = jaxbAttrAssignExp.getAttributeId();
......@@ -105,10 +101,9 @@ public class AttributeAssignmentExpressionEvaluator extends AttributeAssignmentE
}
/**
* Evaluates to AttributeAssignments Section 5.39 and 5.40 of XACML 3.0 core spec: If an AttributeAssignmentExpression evaluates to an atomic attribute
* value, then there MUST be one resulting AttributeAssignment which MUST contain this single attribute value. If the AttributeAssignmentExpression
* evaluates to a bag, then there MUST be a resulting AttributeAssignment for each of the values in the bag. If the bag is empty, there shall be no
* AttributeAssignment from this AttributeAssignmentExpression
* Evaluates to AttributeAssignments Section 5.39 and 5.40 of XACML 3.0 core spec: If an AttributeAssignmentExpression evaluates to an atomic attribute value, then there MUST be one resulting
* AttributeAssignment which MUST contain this single attribute value. If the AttributeAssignmentExpression evaluates to a bag, then there MUST be a resulting AttributeAssignment for each of the
* values in the bag. If the bag is empty, there shall be no AttributeAssignment from this AttributeAssignmentExpression
*
* @param context
* evaluation context
......@@ -127,21 +122,20 @@ public class AttributeAssignmentExpressionEvaluator extends AttributeAssignmentE
// result is a bag
final Bag<?> bag = (Bag<?>) result;
/*
* Bag may be empty, in particular if AttributeDesignator/AttributeSelector with MustBePresent=False evaluates to empty bag. Sections 5.30/5.40 of
* XACML core spec says: "If the bag is empty, there shall be no <AttributeAssignment> from this <AttributeAssignmentExpression>."
* Bag may be empty, in particular if AttributeDesignator/AttributeSelector with MustBePresent=False evaluates to empty bag. Sections 5.30/5.40 of XACML core spec says:
* "If the bag is empty, there shall be no <AttributeAssignment> from this <AttributeAssignmentExpression>."
*/
for (final AttributeValue attrVal : bag)
{
final AttributeAssignment attrAssignment = new AttributeAssignment(attrVal.getContent(), attrVal.getDataType(), attrVal.getOtherAttributes(),
this.attributeId, this.category, this.issuer);
final AttributeAssignment attrAssignment = new AttributeAssignment(attrVal.getContent(), attrVal.getDataType(), attrVal.getOtherAttributes(), this.attributeId, this.category,
this.issuer);
attrAssignList.add(attrAssignment);
}
} else
{
// atomic (see spec §5.30, 5.40) / primitive attribute value
final AttributeValue attrVal = (AttributeValue) result;
final AttributeAssignment attrAssignment = new AttributeAssignment(attrVal.getContent(), attrVal.getDataType(), attrVal.getOtherAttributes(),
this.attributeId, this.category, this.issuer);
final AttributeAssignment attrAssignment = new AttributeAssignment(attrVal.getContent(), attrVal.getDataType(), attrVal.getOtherAttributes(), this.attributeId, this.category, this.issuer);
attrAssignList.add(attrAssignment);
}
......
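Review bot: `UNSUPPORTED_SET_EXPRESSION_OPERATION_EXCEPTION` is a single exception instance created at class initialisation, so every throw of it reports the stack trace of class loading rather than of the failing call, and any caller that attaches a suppressed exception changes the shared object for all later throws. Constructing it at the throw site costs little and keeps diagnostics accurate: `throw new UnsupportedOperationException("Unsupported operation: 'Expression' attribute is read-only");`. The same pattern appears in `ILLEGAL_DECISION_ARGUMENT_EXCEPTION` in BaseDecisionResult and `UNSUPPORTED_ATTRIBUTE_SELECTOR_EXCEPTION` in IndividualDecisionRequestContext. The throw sites are outside the visible hunks, so this assumes the constants are thrown as-is.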
......@@ -32,13 +32,11 @@ import org.ow2.authzforce.core.pdp.api.PepActions;
/**
* Base implementation of DecisionResult
*
* @author cdangerv
* @version $Id: $
*/
public final class BaseDecisionResult implements DecisionResult
{
private static final IllegalArgumentException ILLEGAL_DECISION_ARGUMENT_EXCEPTION = new IllegalArgumentException(
"Undefined Decision");
private static final IllegalArgumentException ILLEGAL_DECISION_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined Decision");
/**
* NotApplicable decision result
......@@ -58,15 +56,13 @@ public final class BaseDecisionResult implements DecisionResult
private final DecisionType decision;
/**
* Extended Indeterminate value, as defined in section 7.10 of XACML 3.0 core: <i>potential effect value which could
* have occurred if there would not have been an error causing the “Indeterminate”</i>. We use the following
* convention:
* Extended Indeterminate value, as defined in section 7.10 of XACML 3.0 core: <i>potential effect value which could have occurred if there would not have been an error causing the
* “Indeterminate”</i>. We use the following convention:
* <ul>
* <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
* <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
* <li>Null means "Indeterminate{DP}"</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not Indeterminate, and
* therefore any extended Indeterminate value should be ignored</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not Indeterminate, and therefore any extended Indeterminate value should be ignored</li>
* </ul>
*
*/
......@@ -94,8 +90,7 @@ public final class BaseDecisionResult implements DecisionResult
* @param policyIdentifierList
* list of matched policy identifiers
*/
public BaseDecisionResult(DecisionType decision, DecisionType extendedIndeterminate, Status status,
PepActions pepActions, List<JAXBElement<IdReferenceType>> policyIdentifierList)
public BaseDecisionResult(DecisionType decision, DecisionType extendedIndeterminate, Status status, PepActions pepActions, List<JAXBElement<IdReferenceType>> policyIdentifierList)
{
if (decision == null)
{
......@@ -106,8 +101,7 @@ public final class BaseDecisionResult implements DecisionResult
this.extIndeterminate = extendedIndeterminate;
this.status = status;
this.pepActions = pepActions == null ? new BasePepActions(null, null) : pepActions;
this.applicablePolicyIdList = policyIdentifierList == null ? new ArrayList<JAXBElement<IdReferenceType>>()
: policyIdentifierList;
this.applicablePolicyIdList = policyIdentifierList == null ? new ArrayList<JAXBElement<IdReferenceType>>() : policyIdentifierList;
}
......@@ -120,8 +114,7 @@ public final class BaseDecisionResult implements DecisionResult
* <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
* <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
* <li>{@link DecisionType#INDETERMINATE} means "Indeterminate{DP}"</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not
* Indeterminate, and therefore any extended Indeterminate value should be ignored</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not Indeterminate, and therefore any extended Indeterminate value should be ignored</li>
* </ul>
* @param status
* reason/code for Indeterminate
......@@ -132,8 +125,7 @@ public final class BaseDecisionResult implements DecisionResult
}
/**
* Instantiates a Indeterminate Decision result with a given error status and extended Indeterminate set to
* Indeterminate{DP}
* Instantiates a Indeterminate Decision result with a given error status and extended Indeterminate set to Indeterminate{DP}
*
* @param status
* reason/code for Indeterminate
......@@ -144,9 +136,7 @@ public final class BaseDecisionResult implements DecisionResult
}
/**
* Instantiates a Permit/Deny decision with optional obligations and advice. See
* {@link #BaseDecisionResult(Status, DecisionType)} for Indeterminate, and {@link #NOT_APPLICABLE} for
* NotApplicable.
* Instantiates a Permit/Deny decision with optional obligations and advice. See {@link #BaseDecisionResult(Status, DecisionType)} for Indeterminate, and {@link #NOT_APPLICABLE} for NotApplicable.
*
* @param decision
* decision
......@@ -166,8 +156,7 @@ public final class BaseDecisionResult implements DecisionResult
{
if (hashCode == 0)
{
hashCode = Objects.hash(this.decision, this.extIndeterminate, this.status, this.pepActions,
this.applicablePolicyIdList);
hashCode = Objects.hash(this.decision, this.extIndeterminate, this.status, this.pepActions, this.applicablePolicyIdList);
}
return hashCode;
......@@ -273,8 +262,7 @@ public final class BaseDecisionResult implements DecisionResult
/**
* {@inheritDoc}
*
* Merge extra PEP actions and/or matched policy identifiers. Used when combining results from child Rules of Policy
* or child Policies of PolicySet
* Merge extra PEP actions and/or matched policy identifiers. Used when combining results from child Rules of Policy or child Policies of PolicySet
*/
@Override
public void merge(PepActions newPepActions, List<JAXBElement<IdReferenceType>> newMatchedPolicyIdList)
......@@ -294,8 +282,7 @@ public final class BaseDecisionResult implements DecisionResult
@Override
public String toString()
{
return "Result [decision=" + decision + ", status=" + status + ", pepActions=" + pepActions
+ ", applicablePolicyIdList=" + applicablePolicyIdList + "]";
return "Result [decision=" + decision + ", status=" + status + ", pepActions=" + pepActions + ", applicablePolicyIdList=" + applicablePolicyIdList + "]";
}
/** {@inheritDoc} */
......
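Review bot: `hashCode()` caches its result the first time it is called, yet the hash covers `pepActions` and `applicablePolicyIdList`, which `merge(...)` is documented to extend. If a result is hashed (placed in a set or used as a cache key) and merged afterwards, the cached value would no longer reflect the object's state. Either compute the hash on each call or reset the cache at the end of `merge` with `hashCode = 0;`. The constructor also stores the caller's `policyIdentifierList` without copying, so the same drift can come from outside the class. The bodies of `merge` and `equals` are outside the hunks, so this is inferred from the signatures and Javadoc.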
......@@ -27,7 +27,6 @@ import org.slf4j.LoggerFactory;
*
* @param <T>
* type of extension in this registry
* @author cdangerv
* @version $Id: $
*/
public class BasePdpExtensionRegistry<T extends PdpExtension> implements PdpExtensionRegistry<T>
......@@ -110,8 +109,8 @@ public class BasePdpExtensionRegistry<T extends PdpExtension> implements PdpExte
}
/**
* Constructor that sets a "base registry" from which this inherits all the extensions. Used for instance to build a new registry based on a standard one
* like the StandardFunctionRegistry for standard functions).
* Constructor that sets a "base registry" from which this inherits all the extensions. Used for instance to build a new registry based on a standard one like the StandardFunctionRegistry for
* standard functions).
*
* @param baseRegistry
* the base/parent registry on which this one is based or null
......
......@@ -30,7 +30,6 @@ import org.ow2.authzforce.core.pdp.api.PepActions;
/**
* Base PEP actions (obligations/advice)
*
* @author cdangerv
* @version $Id: $
*/
public final class BasePepActions implements PepActions
......
......@@ -34,11 +34,10 @@ import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
/**
* Closeable AttributeProvider
* <p>
* The sub-modules may very likely hold resources such as network resources to get attributes remotely, or attribute caches to speed up finding, etc. Therefore,
* you are required to call {@link #close()} when you no longer need an instance - especially before replacing with a new instance (with different modules) - in
* order to make sure these resources are released properly by each underlying module (e.g. close the attribute caches).
* The sub-modules may very likely hold resources such as network resources to get attributes remotely, or attribute caches to speed up finding, etc. Therefore, you are required to call
* {@link #close()} when you no longer need an instance - especially before replacing with a new instance (with different modules) - in order to make sure these resources are released properly by each
* underlying module (e.g. close the attribute caches).
*
* @author cdangerv
* @version $Id: $
*/
public final class CloseableAttributeProvider extends ModularAttributeProvider implements Closeable
......@@ -107,21 +106,19 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
private Set<ModuleAdapter> moduleClosers;
/**
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the
* requested attribute ID, if any.
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the requested attribute ID, if any.
*
* @param attributeFactory
* (mandatory) attribute value factory
*
* @param jaxbAttributeProviderConfs
* (optional) XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static
* expression evaluation (out of context), in which case AttributeSelectors/AttributeDesignators are not supported
* (optional) XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static expression evaluation (out of context), in
* which case AttributeSelectors/AttributeDesignators are not supported
* @throws IllegalArgumentException
* If any of attribute Provider modules created from {@code jaxbAttributeProviderConfs} does not provide any attribute; or it is in conflict
* with another one already registered to provide the same or part of the same attributes.
* If any of attribute Provider modules created from {@code jaxbAttributeProviderConfs} does not provide any attribute; or it is in conflict with another one already registered to
* provide the same or part of the same attributes.
* @throws IOException
* error closing the attribute Provider modules created from {@code jaxbAttributeProviderConfs}, when and before an
* {@link IllegalArgumentException} is raised
* error closing the attribute Provider modules created from {@code jaxbAttributeProviderConfs}, when and before an {@link IllegalArgumentException} is raised
*/
private CloseableAttributeProvider(Map<AttributeGUID, AttributeProviderModule> modulesByAttributeId, Set<ModuleAdapter> moduleClosers) throws IOException
{
......@@ -130,24 +127,21 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
}
/**
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the
* requested attribute ID, if any.
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the requested attribute ID, if any.
*
* @param attributeFactory
* (mandatory) attribute value factory
* @param jaxbAttributeProviderConfs
* (optional) XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static
* expression evaluation (out of context), in which case AttributeSelectors/AttributeDesignators are not supported
* (optional) XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static expression evaluation (out of context), in
* which case AttributeSelectors/AttributeDesignators are not supported
* @return instance of this class
* @throws java.lang.IllegalArgumentException
* If any of attribute Provider modules created from {@code jaxbAttributeProviderConfs} does not provide any attribute; or it is in conflict
* with another one already registered to provide the same or part of the same attributes.
* If any of attribute Provider modules created from {@code jaxbAttributeProviderConfs} does not provide any attribute; or it is in conflict with another one already registered to
* provide the same or part of the same attributes.
* @throws java.io.IOException
* error closing the attribute Provider modules created from {@code jaxbAttributeProviderConfs}, when and before an
* {@link IllegalArgumentException} is raised
* error closing the attribute Provider modules created from {@code jaxbAttributeProviderConfs}, when and before an {@link IllegalArgumentException} is raised
*/
public static CloseableAttributeProvider getInstance(List<AbstractAttributeProvider> jaxbAttributeProviderConfs, DatatypeFactoryRegistry attributeFactory)
throws IOException
public static CloseableAttributeProvider getInstance(List<AbstractAttributeProvider> jaxbAttributeProviderConfs, DatatypeFactoryRegistry attributeFactory) throws IOException
{
final Map<AttributeGUID, AttributeProviderModule> modulesByAttributeId;
final Set<ModuleAdapter> moduleCloserSet;
......@@ -164,15 +158,14 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
{
try
{
final CloseableAttributeProviderModule.FactoryBuilder<AbstractAttributeProvider> attrProviderModBuilder = PdpExtensionLoader
.getJaxbBoundExtension(CloseableAttributeProviderModule.FactoryBuilder.class, jaxbAttributeProviderConf.getClass());
final CloseableAttributeProviderModule.DependencyAwareFactory depAwareAttrProviderModBuilder = attrProviderModBuilder
.getInstance(jaxbAttributeProviderConf);
final CloseableAttributeProviderModule.FactoryBuilder<AbstractAttributeProvider> attrProviderModBuilder = PdpExtensionLoader.getJaxbBoundExtension(
CloseableAttributeProviderModule.FactoryBuilder.class, jaxbAttributeProviderConf.getClass());
final CloseableAttributeProviderModule.DependencyAwareFactory depAwareAttrProviderModBuilder = attrProviderModBuilder.getInstance(jaxbAttributeProviderConf);
final Set<AttributeDesignatorType> requiredAttrs = depAwareAttrProviderModBuilder.getDependencies();
/*
* Each AttributeProviderModule is given a read-only AttributeProvider - aka "dependency attribute Provider" - to find any attribute they
* require (dependency), based on the attribute Provider modules that provide these required attributes (set above); read-only so that
* modules use this attribute Provider only to get required attributes, nothing else. Create this dependency attribute Provider.
* Each AttributeProviderModule is given a read-only AttributeProvider - aka "dependency attribute Provider" - to find any attribute they require (dependency), based on the
* attribute Provider modules that provide these required attributes (set above); read-only so that modules use this attribute Provider only to get required attributes, nothing
* else. Create this dependency attribute Provider.
*/
final AttributeProvider depAttrProvider;
if (requiredAttrs == null)
......@@ -195,8 +188,7 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
if (modulesByAttributeId.containsKey(attrGUID))
{
moduleAdapter.close();
throw new IllegalArgumentException("Conflict: " + moduleAdapter + " providing the same AttributeDesignator (" + attrGUID
+ ") as another already registered.");
throw new IllegalArgumentException("Conflict: " + moduleAdapter + " providing the same AttributeDesignator (" + attrGUID + ") as another already registered.");
}
modulesByAttributeId.put(attrGUID, moduleAdapter.getAdaptedModule());
......
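Review bot: The Javadoc on the private constructor (hunk at -107,21) documents `attributeFactory` and `jaxbAttributeProviderConfs`, but the constructor takes `modulesByAttributeId` and `moduleClosers`; the comment appears copied from `getInstance`, and this commit reflows it unchanged. The `@param` tags should describe the actual parameters, along the lines of `@param modulesByAttributeId attribute Provider modules indexed by the attribute they provide` and `@param moduleClosers adapters used to close those modules` (wording to be confirmed against the body). The `@throws IllegalArgumentException` entry should stay only if the constructor itself can raise it. The constructor body is outside the hunk.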
......@@ -24,7 +24,6 @@ import org.springframework.util.PropertyPlaceholderHelper;
/**
* Default implementation of PDP configuration parser's environment properties.
*
* @author cdangerv
* @version $Id: $
*/
public final class DefaultEnvironmentProperties implements EnvironmentProperties
......@@ -33,8 +32,8 @@ public final class DefaultEnvironmentProperties implements EnvironmentProperties
private static final String PROPERTY_PLACEHOLDER_SUFFIX = "}";
private static final String PROPERTY_PLACEHOLDER_DEFAULT_VALUE_SEPARATOR = ":";
private static final PropertyPlaceholderHelper PROPERTY_PLACEHOLDER_HELPER = new PropertyPlaceholderHelper(PROPERTY_PLACEHOLDER_PREFIX,
PROPERTY_PLACEHOLDER_SUFFIX, PROPERTY_PLACEHOLDER_DEFAULT_VALUE_SEPARATOR, false);
private static final PropertyPlaceholderHelper PROPERTY_PLACEHOLDER_HELPER = new PropertyPlaceholderHelper(PROPERTY_PLACEHOLDER_PREFIX, PROPERTY_PLACEHOLDER_SUFFIX,
PROPERTY_PLACEHOLDER_DEFAULT_VALUE_SEPARATOR, false);
private final Properties props = new Properties();
......
......@@ -19,6 +19,10 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import org.ow2.authzforce.core.pdp.api.BaseRequestFilter;
import org.ow2.authzforce.core.pdp.api.DatatypeFactoryRegistry;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
......@@ -28,22 +32,17 @@ import org.ow2.authzforce.core.pdp.api.RequestFilter;
import org.ow2.authzforce.core.pdp.api.SingleCategoryAttributes;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
/**
* Default Request filter for Individual Decision Requests only (no support of Multiple Decision Profile in particular)
*
* @author cdangerv
* @version $Id: $
*/
public final class DefaultRequestFilter extends BaseRequestFilter
{
/**
*
* Factory for this type of request filter that allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request
* (complying with XACML 3.0 core spec, §7.3.3).
* Factory for this type of request filter that allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (complying with XACML 3.0 core spec,
* §7.3.3).
*
*/
public static final class LaxFilterFactory implements RequestFilter.Factory
......@@ -74,8 +73,8 @@ public final class DefaultRequestFilter extends BaseRequestFilter
/**
*
* Factory for this type of request filter that does NOT allow duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a
* Request (NOT complying fully with XACML 3.0 core spec, §7.3.3).
* Factory for this type of request filter that does NOT allow duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request (NOT complying fully with XACML
* 3.0 core spec, §7.3.3).
*
*/
public static final class StrictFilterFactory implements RequestFilter.Factory
......@@ -95,19 +94,20 @@ public final class DefaultRequestFilter extends BaseRequestFilter
}
}
private DefaultRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Processor xmlProcessor)
private DefaultRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath,
Processor xmlProcessor)
{
super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, xmlProcessor);
}
/** {@inheritDoc} */
@Override
public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser, boolean isApplicablePolicyIdListReturned,
boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
{
/*
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we keep track of
* attribute categories to check duplicates.
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we keep track of attribute categories to check duplicates.
*/
final Set<String> attrCategoryNames = new HashSet<>();
final MutableIndividualDecisionRequest individualDecisionRequest;
......@@ -124,7 +124,8 @@ public final class DefaultRequestFilter extends BaseRequestFilter
final String categoryName = jaxbAttributes.getCategory();
if (!attrCategoryNames.add(categoryName))
{
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName + "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName
+ "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);
}
final SingleCategoryAttributes<?> categorySpecificAttributes = xacmlAttrsParser.parseAttributes(jaxbAttributes, xPathCompiler);
......
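Review bot: The exception message in the -124,7 hunk concatenates `categoryName`, which is read straight from the request via `jaxbAttributes.getCategory()`, so request-controlled text of arbitrary length and content ends up in the `IndeterminateEvaluationException` message. If that message is later written to logs or returned in the response status (not visible here), line breaks or markup in the category value would be carried along. Consider stripping control characters and capping the length before building the message, or logging the raw value only at debug level. `filter` begins and ends outside this hunk.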
......@@ -36,10 +36,9 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* An {@link EvaluationContext} associated to an XACML Individual Decision Request, i.e. for evaluation to a single authorization decision Result (see Multiple
* Decision Profile spec for more information on Individual Decision Request as opposed to Multiple Decision Request).
* An {@link EvaluationContext} associated to an XACML Individual Decision Request, i.e. for evaluation to a single authorization decision Result (see Multiple Decision Profile spec for more
* information on Individual Decision Request as opposed to Multiple Decision Request).
*
* @author cdangerv
* @version $Id: $
*/
public class IndividualDecisionRequestContext implements EvaluationContext
......@@ -49,8 +48,8 @@ public class IndividualDecisionRequestContext implements EvaluationContext
*/
private static final Logger LOGGER = LoggerFactory.getLogger(IndividualDecisionRequestContext.class);
private static final IndeterminateEvaluationException UNSUPPORTED_ATTRIBUTE_SELECTOR_EXCEPTION = new IndeterminateEvaluationException(
"Unsupported XACML feature (optional): <AttributeSelector>", StatusHelper.STATUS_SYNTAX_ERROR);
private static final IndeterminateEvaluationException UNSUPPORTED_ATTRIBUTE_SELECTOR_EXCEPTION = new IndeterminateEvaluationException("Unsupported XACML feature (optional): <AttributeSelector>",
StatusHelper.STATUS_SYNTAX_ERROR);
private final Map<AttributeGUID, Bag<?>> namedAttributes;
......@@ -61,8 +60,8 @@ public class IndividualDecisionRequestContext implements EvaluationContext
private final boolean isApplicablePolicyIdListReturned;
/*
* Corresponds to Attributes/Content (by attribute category) marshalled to XPath data model for XPath evaluation: AttributeSelector evaluation, XPath-based
* functions, etc. This may be null if no Content in Request or no feature requiring XPath evaluation against Content is supported/enabled.
* Corresponds to Attributes/Content (by attribute category) marshalled to XPath data model for XPath evaluation: AttributeSelector evaluation, XPath-based functions, etc. This may be null if no
* Content in Request or no feature requiring XPath evaluation against Content is supported/enabled.
*/
private final Map<String, XdmNode> extraContentsByAttributeCategory;
......@@ -72,19 +71,17 @@ public class IndividualDecisionRequestContext implements EvaluationContext
private final Map<AttributeSelectorId, Bag<?>> attributeSelectorResults;
/**
* Constructs a new <code>IndividualDecisionRequestContext</code> based on the given request attributes and extra contents with support for XPath evaluation
* against Content element in Attributes
* Constructs a new <code>IndividualDecisionRequestContext</code> based on the given request attributes and extra contents with support for XPath evaluation against Content element in Attributes
*
* @param namedAttributeMap
* mutable named attribute map (attribute key and value pairs) from the original Request; null iff none. An attribute key is a global ID based on
* attribute category,issuer,id. An attribute value is a bag of primitive values.
* mutable named attribute map (attribute key and value pairs) from the original Request; null iff none. An attribute key is a global ID based on attribute category,issuer,id. An
* attribute value is a bag of primitive values.
* @param extraContentsByAttributeCategory
* extra contents by attribute category (equivalent to XACML Attributes/Content elements); null iff no Content in the attribute category.
* @param returnApplicablePolicyIdList
* true iff list of IDs of policies matched during evaluation must be returned
*/
public IndividualDecisionRequestContext(Map<AttributeGUID, Bag<?>> namedAttributeMap, Map<String, XdmNode> extraContentsByAttributeCategory,
boolean returnApplicablePolicyIdList)
public IndividualDecisionRequestContext(Map<AttributeGUID, Bag<?>> namedAttributeMap, Map<String, XdmNode> extraContentsByAttributeCategory, boolean returnApplicablePolicyIdList)
{
this.namedAttributes = namedAttributeMap == null ? new HashMap<AttributeGUID, Bag<?>>() : namedAttributeMap;
this.extraContentsByAttributeCategory = extraContentsByAttributeCategory;
......@@ -100,14 +97,12 @@ public class IndividualDecisionRequestContext implements EvaluationContext
*/
public IndividualDecisionRequestContext(IndividualDecisionRequest individualDecisionReq)
{
this(individualDecisionReq.getNamedAttributes(), individualDecisionReq.getExtraContentsByCategory(), individualDecisionReq
.isApplicablePolicyIdentifiersReturned());
this(individualDecisionReq.getNamedAttributes(), individualDecisionReq.getExtraContentsByCategory(), individualDecisionReq.isApplicablePolicyIdentifiersReturned());
}
/** {@inheritDoc} */
@Override
public <AV extends AttributeValue> Bag<AV> getAttributeDesignatorResult(AttributeGUID attributeGUID, Datatype<AV> attributeDatatype)
throws IndeterminateEvaluationException
public <AV extends AttributeValue> Bag<AV> getAttributeDesignatorResult(AttributeGUID attributeGUID, Datatype<AV> attributeDatatype) throws IndeterminateEvaluationException
{
final Bag<?> bagResult = namedAttributes.get(attributeGUID);
if (bagResult == null)
......@@ -117,14 +112,9 @@ public class IndividualDecisionRequestContext implements EvaluationContext
if (!bagResult.getElementDatatype().equals(attributeDatatype))
{
throw new IndeterminateEvaluationException(
"Datatype ("
+ bagResult.getElementDatatype()
+ ") of AttributeDesignator "
+ attributeGUID
+ " in context is different from expected/requested ("
+ attributeDatatype
+ "). May be caused by refering to the same Attribute Category/Id/Issuer with different Datatypes in different policy elements and/or attribute providers, which is not allowed.",
throw new IndeterminateEvaluationException("Datatype (" + bagResult.getElementDatatype() + ") of AttributeDesignator " + attributeGUID
+ " in context is different from expected/requested (" + attributeDatatype
+ "). May be caused by refering to the same Attribute Category/Id/Issuer with different Datatypes in different policy elements and/or attribute providers, which is not allowed.",
StatusHelper.STATUS_SYNTAX_ERROR);
}
......@@ -143,9 +133,9 @@ public class IndividualDecisionRequestContext implements EvaluationContext
if (namedAttributes.containsKey(attributeGUID))
{
/*
* This should never happen, as getAttributeDesignatorResult() should have been called first (for same id) and returned this oldResult, and no
* further call to putAttributeDesignatorResultIfAbsent() in this case. In any case, we do not support setting a different result for same id (but
* different datatype URI/datatype class) in the same context
* This should never happen, as getAttributeDesignatorResult() should have been called first (for same id) and returned this oldResult, and no further call to
* putAttributeDesignatorResultIfAbsent() in this case. In any case, we do not support setting a different result for same id (but different datatype URI/datatype class) in the same
* context
*/
LOGGER.warn("Attempt to override value of AttributeDesignator {} already set in evaluation context. Overriding value: {}", attributeGUID, result);
return false;
......@@ -179,8 +169,8 @@ public class IndividualDecisionRequestContext implements EvaluationContext
return expectedDatatype.cast(val);
} catch (ClassCastException e)
{
throw new IndeterminateEvaluationException("Datatype of variable '" + variableId + "' in context does not match expected datatype: "
+ expectedDatatype, StatusHelper.STATUS_PROCESSING_ERROR, e);
throw new IndeterminateEvaluationException("Datatype of variable '" + variableId + "' in context does not match expected datatype: " + expectedDatatype,
StatusHelper.STATUS_PROCESSING_ERROR, e);
}
}
......@@ -206,8 +196,7 @@ public class IndividualDecisionRequestContext implements EvaluationContext
/** {@inheritDoc} */
@Override
public <AV extends AttributeValue> Bag<AV> getAttributeSelectorResult(AttributeSelectorId id, Datatype<AV> datatype)
throws IndeterminateEvaluationException