Commit a06326ee authored by cdanger's avatar cdanger

Merge branch 'release/6.1.0'

parents 48179e21 9f6e1f73
......@@ -2,6 +2,17 @@
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions.
## 6.1.0
### Changed
- Parent project version: 4.0.0 -> 4.1.1 => Changed dependency versions:
- Spring 4.3.4 -> 4.3.5,
- Saxon-HE 9.7.0-11 -> 9.7.0-14
- authzforce-ce-core-pdp-api dependency version: 8.0.0 -> 8.2.0
### Fixed
- Security issues reported by Find Security Bugs plugin
## 6.0.0
### Added
- Extension mechanism to switch HashMap/HashSet implementation; default implementation is based on native JRE and Guava.
......@@ -25,6 +36,7 @@ All notable changes to this project are documented in this file following the [K
- OW2 #AUTHZFORCE-23: enforcement of RuleId/PolicyId/PolicySetId uniqueness:
- PolicyId (resp. PolicySetId) should be unique across all policies loaded by PDP so that PolicyIdReferences (resp. PolicySetIdReferences) in Responses' PolicyIdentifierList are absolute references to applicable policies (no ambiguity).
- [RuleId should be unique within a policy](https://lists.oasis-open.org/archives/xacml/201310/msg00025.html) -> A rule is globally uniquely identified by the parent PolicyId and the RuleId.
- OW2 #AUTHZFORCE-25: NullPointerException when parsing Apply expressions using invalid/unsupported Function ID
## 5.0.2
......
<?xml version="1.0"?>
<!--
This file contains some false positive bugs detected by Findbugs. Their
false positive nature has been analyzed individually and they have been
put here to instruct Findbugs to ignore them.
-->
<FindBugsFilter>
<Match>
<!-- CRLF injection in logs is considered fixed in the logger configuration, e.g. logback.xml.
More info: https://github.com/find-sec-bugs/find-sec-bugs/issues/240
-->
<Bug pattern="CRLF_INJECTION_LOGS" />
</Match>
</FindBugsFilter>
\ No newline at end of file
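Review bot: The `CRLF_INJECTION_LOGS` exclusion under `<Match>` carries no `<Class>` or `<Package>` child, so the detector is switched off for the whole codebase, including any future log statement that echoes request-controlled values, while the stated mitigation lives outside this repository in the deployment's logger configuration. Consider narrowing the match to the classes that were actually reviewed, or at least make the precondition explicit in the comment, e.g. `<!-- Valid only while the deployed logback.xml pattern neutralises CR/LF in message arguments; re-check when adding log statements that include request data. -->`. The file has no trailing newline, which some tooling reports as a diff noise source.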
......@@ -3,10 +3,10 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-parent</artifactId>
<version>4.0.0</version>
<version>4.1.1</version>
</parent>
<artifactId>authzforce-ce-core</artifactId>
<version>6.0.0</version>
<version>6.1.0</version>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthZForce Community Edition - XACML-compliant Core Engine</description>
<url>https://tuleap.ow2.org/projects/authzforce</url>
......@@ -42,7 +42,7 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
<version>8.0.0</version>
<version>8.2.0</version>
</dependency>
<!-- /Authzforce dependencies -->
......@@ -102,6 +102,9 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<configuration>
<excludeFilterFile>findbugs-exclude-filter.xml</excludeFilterFile>
</configuration>
<executions>
<execution>
<phase>verify</phase>
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......@@ -190,13 +190,13 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
for (final AttributeDesignatorType attrDesignator : moduleAdapter.getProvidedAttributes())
{
final AttributeGUID attrGUID = new AttributeGUID(attrDesignator);
if (modulesByAttributeId.containsKey(attrGUID))
final AttributeProviderModule duplicate = modulesByAttributeId.putIfAbsent(attrGUID, moduleAdapter.getAdaptedModule());
if (duplicate != null)
{
moduleAdapter.close();
throw new IllegalArgumentException("Conflict: " + moduleAdapter + " providing the same AttributeDesignator (" + attrGUID + ") as another already registered.");
}
modulesByAttributeId.put(attrGUID, moduleAdapter.getAdaptedModule());
}
}
catch (final IllegalArgumentException e)
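Review bot: The conflict message at the `throw` in the new `if (duplicate != null)` branch names only the incoming `moduleAdapter`, although `putIfAbsent` now hands back the previously registered module in `duplicate`; include it so an operator can tell which two providers collide, as the PdpExtensionLoader hunk of this commit already does: `throw new IllegalArgumentException("Conflict: " + moduleAdapter + " providing the same AttributeDesignator (" + attrGUID + ") as already registered module " + duplicate);`. Note also that `moduleAdapter.close()` runs only for the adapter being added, while entries for its earlier designators inserted in previous loop iterations remain in `modulesByAttributeId` pointing at a closed module, unless the `catch (final IllegalArgumentException e)` below (cut off) rolls them back. The enclosing method starts before and ends after this hunk.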
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......@@ -137,11 +137,11 @@ public final class DefaultRequestFilter extends BaseRequestFilter
final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
if (newContentNode != null)
{
final XdmNode oldContentNode = extraContentsByCategory.put(categoryName, newContentNode);
final XdmNode duplicate = extraContentsByCategory.putIfAbsent(categoryName, newContentNode);
/*
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we must check duplicate attribute categories.
*/
if (oldContentNode != null)
if (duplicate != null)
{
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName
+ "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......@@ -161,7 +161,8 @@ public final class IndividualDecisionRequestContext implements EvaluationContext
@Override
public boolean putAttributeDesignatorResultIfAbsent(final AttributeGUID id, final Bag<?> result)
{
if (namedAttributes.containsKey(id))
final Bag<?> duplicate = namedAttributes.putIfAbsent(id, result);
if (duplicate != null)
{
/*
* This should never happen, as getAttributeDesignatorResult() should have been called first (for same id) and returned this oldResult, and no further call to
......@@ -175,7 +176,7 @@ public final class IndividualDecisionRequestContext implements EvaluationContext
/*
* Attribute value cannot change during evaluation context, so if old value already there, put it back
*/
return namedAttributes.put(id, result) == null;
return true;
}
/** {@inheritDoc} */
......@@ -210,13 +211,13 @@ public final class IndividualDecisionRequestContext implements EvaluationContext
@Override
public boolean putVariableIfAbsent(final String variableId, final Value value)
{
if (varValsById.containsKey(variableId))
if (varValsById.putIfAbsent(variableId, value) != null)
{
LOGGER.error("Attempt to override value of Variable '{}' already set in evaluation context. Overriding value: {}", variableId, value);
return false;
}
return varValsById.put(variableId, value) == null;
return true;
}
/** {@inheritDoc} */
......@@ -257,13 +258,13 @@ public final class IndividualDecisionRequestContext implements EvaluationContext
@Override
public boolean putAttributeSelectorResultIfAbsent(final AttributeSelectorId id, final Bag<?> result) throws IndeterminateEvaluationException
{
if (attributeSelectorResults.containsKey(id))
if (attributeSelectorResults.putIfAbsent(id, result) != null)
{
LOGGER.error("Attempt to override value of AttributeSelector {} already set in evaluation context. Overriding value: {}", id, result);
return false;
}
return attributeSelectorResults.put(id, result) == null;
return true;
}
/** {@inheritDoc} */
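Review bot: In the second hunk the comment `Attribute value cannot change during evaluation context, so if old value already there, put it back` above the new `return true;` no longer matches the code: nothing is put back any more, the earlier `putIfAbsent` has already stored `result` and the duplicate branch has returned. Replace it with `/* putIfAbsent() above stored the result (no previous value); nothing else to do */` so the next reader does not look for a missing write. The `Overriding value: {}` wording in the `LOGGER.error` calls of `putVariableIfAbsent` and `putAttributeSelectorResultIfAbsent` is similarly misleading now that `putIfAbsent` keeps the existing value, `Rejected value: {}` describes what is logged. The enclosing method `putAttributeDesignatorResultIfAbsent` begins in the first hunk and its duplicate branch body is cut off between the hunks.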
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......@@ -86,7 +86,7 @@ public final class MatchEvaluator
final FunctionExpression matchFunction = expFactory.getFunction(matchId);
if (matchFunction == null)
{
throw new IllegalArgumentException("Unsupported function for MatchId: " + matchId);
throw new IllegalArgumentException("Unsupported function for MatchId: '" + matchId + "'");
}
// next, get the designator or selector being used, and the attribute
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......@@ -109,8 +109,8 @@ public final class MutableIndividualDecisionRequest implements IndividualDecisio
final XdmNode newContentNode = categorySpecificAttributes.getExtraContent();
if (newContentNode != null)
{
final XdmNode oldContentNode = extraContentsByCategory.put(categoryName, newContentNode);
if (oldContentNode != null)
final XdmNode duplicate = extraContentsByCategory.putIfAbsent(categoryName, newContentNode);
if (duplicate != null)
{
throw new IllegalArgumentException("Duplicate Attributes[@Category] in Individual Decision Request (not allowed): " + categoryName);
}
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......@@ -83,10 +83,10 @@ public final class PdpExtensionLoader
if (extension instanceof JaxbBoundPdpExtension<?>)
{
final JaxbBoundPdpExtension<?> jaxbBoundExt = (JaxbBoundPdpExtension<?>) extension;
final JaxbBoundPdpExtension<?> conflictingExt = mutableJaxbBoundExtMapByClass.put(jaxbBoundExt.getJaxbClass(), jaxbBoundExt);
if (conflictingExt != null)
final JaxbBoundPdpExtension<?> duplicate = mutableJaxbBoundExtMapByClass.putIfAbsent(jaxbBoundExt.getJaxbClass(), jaxbBoundExt);
if (duplicate != null)
{
throw new IllegalArgumentException("Extension " + jaxbBoundExt + " (" + jaxbBoundExt.getClass() + ") is conflicting with " + conflictingExt + "(" + conflictingExt.getClass()
throw new IllegalArgumentException("Extension " + jaxbBoundExt + " (" + jaxbBoundExt.getClass() + ") is conflicting with " + duplicate + "(" + duplicate.getClass()
+ ") for the same XML/JAXB configuration class: " + jaxbBoundExt.getJaxbClass());
}
......@@ -98,10 +98,10 @@ public final class PdpExtensionLoader
{
if (extClass.isInstance(extension))
{
final PdpExtension conflictingExt = mutableNonJaxbBoundExtMapByClassAndId.put(extClass, extension.getId(), extension);
if (conflictingExt != null)
final PdpExtension duplicate = mutableNonJaxbBoundExtMapByClassAndId.put(extClass, extension.getId(), extension);
if (duplicate != null)
{
throw new IllegalArgumentException("Extension " + extension + " is conflicting with " + conflictingExt + " registered with same ID: " + extension.getId());
throw new IllegalArgumentException("Extension " + extension + " is conflicting with " + duplicate + " registered with same ID: " + extension.getId());
}
isValidExt = true;
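Review bot: The second hunk renames `conflictingExt` to `duplicate` but keeps the overwriting `put(extClass, extension.getId(), extension)` on `mutableNonJaxbBoundExtMapByClassAndId`, so unlike the JAXB-bound branch in the first hunk (now `putIfAbsent`) the earlier extension has already been replaced when the exception is thrown; that is harmless only if the mutable table is discarded after the failure, which is not visible here. If the table type (it looks like a Guava `Table`, which has no `putIfAbsent`) cannot refuse the write, guard with `if (mutableNonJaxbBoundExtMapByClassAndId.contains(extClass, extension.getId()))` before the `put`, or document the rename as cosmetic with `// overwrites; acceptable because the exception below aborts loading and the table is not reused`. Minor: the message in the first hunk concatenates `duplicate + "("`, missing the space used before the other parenthesis, `" ("`. The enclosing method starts and ends outside these hunks.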
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......@@ -19,7 +19,6 @@
package org.ow2.authzforce.core.pdp.impl;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
......@@ -28,6 +27,9 @@ import java.io.Reader;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
......@@ -55,8 +57,7 @@ import org.xml.sax.SAXParseException;
/**
*
* XML schema handler that can load schema file(s) from location(s) supported by {@link ResourceUtils} using any OASIS
* catalog at any location supported by {@link ResourceUtils} as well.
* XML schema handler that can load schema file(s) from location(s) supported by {@link ResourceUtils} using any OASIS catalog at any location supported by {@link ResourceUtils} as well.
*
* @version $Id: $
*/
......@@ -76,8 +77,7 @@ public final class SchemaHandler
}
@Override
public LSInput resolveResource(final String type, final String namespaceURI, final String publicId,
final String systemId, final String baseURI)
public LSInput resolveResource(final String type, final String namespaceURI, final String publicId, final String systemId, final String baseURI)
{
try
{
......@@ -94,8 +94,7 @@ public final class SchemaHandler
resolvedLocation = catalogResolver.resolvePublic(publicId, systemId);
if (_LOGGER.isDebugEnabled())
{
_LOGGER.debug("resolvePublic(publicId = {}, systemId = {}) -> {}",
new Object[] { publicId, systemId, resolvedLocation });
_LOGGER.debug("resolvePublic(publicId = {}, systemId = {}) -> {}", publicId, systemId, resolvedLocation);
}
}
if (resolvedLocation != null)
......@@ -109,9 +108,8 @@ public final class SchemaHandler
}
catch (final IOException ex)
{
final String errMsg = "Unable to resolve schema-required entity with XML catalog (location='"
+ catalogLocation + "'): type=" + type + ", namespaceURI=" + namespaceURI + ", publicId='"
+ publicId + "', systemId='" + systemId + "', baseURI='" + baseURI + "'";
final String errMsg = "Unable to resolve schema-required entity with XML catalog (location='" + catalogLocation + "'): type=" + type + ", namespaceURI=" + namespaceURI
+ ", publicId='" + publicId + "', systemId='" + systemId + "', baseURI='" + baseURI + "'";
throw new RuntimeException(errMsg, ex);
}
......@@ -142,10 +140,9 @@ public final class SchemaHandler
};
/**
* This is quite similar to org.apache.cxf.catalog.OASISCatalogManager, except it is much simplified as we don't
* need as many features. We are not using CXF's OASISCatalogManager class directly because it is part of cxf-core
* which drags many classes and dependencies on CXF we don't need. It would make more sense if OASISCatalogManager
* was part of a cxf common utility package, but it is not the case as of writing (December 2014).
* This is quite similar to org.apache.cxf.catalog.OASISCatalogManager, except it is much simplified as we don't need as many features. We are not using CXF's OASISCatalogManager class directly
* because it is part of cxf-core which drags many classes and dependencies on CXF we don't need. It would make more sense if OASISCatalogManager was part of a cxf common utility package, but it
* is not the case as of writing (December 2014).
* <p>
* WARNING: this is not immutable since getCatalog() gives access to internal catalog which is mutable.
* </p>
......@@ -188,9 +185,7 @@ public final class SchemaHandler
}
catch (final IOException e)
{
_LOGGER.warn(
"Error resolving resource needed by org.apache.xml.resolver.CatalogResolver for OASIS CatalogManager with URL: {}",
e);
_LOGGER.warn("Error resolving resource needed by org.apache.xml.resolver.CatalogResolver for OASIS CatalogManager with URL: {}", e);
}
}
return s;
......@@ -228,10 +223,10 @@ public final class SchemaHandler
{
try
{
final File file = new File(catalogURL.toURI());
if (!file.exists())
final Path filePath = Paths.get(catalogURL.toURI());
if (!Files.exists(filePath))
{
throw new FileNotFoundException(file.getAbsolutePath());
throw new FileNotFoundException(filePath.toString());
}
}
catch (final URISyntaxException e)
......@@ -242,9 +237,7 @@ public final class SchemaHandler
if (catalog == null)
{
_LOGGER.warn(
"Catalog found at {} but no org.apache.xml.resolver.CatalogManager was found. Check the classpatch for an xmlresolver jar.",
catalogURL);
_LOGGER.warn("Catalog found at {} but no org.apache.xml.resolver.CatalogManager was found. Check the classpatch for an xmlresolver jar.", catalogURL);
}
else
{
......@@ -319,8 +312,7 @@ public final class SchemaHandler
public Reader getCharacterStream()
{
/*
* No character stream, only byte streams are allowed. Do not throw exception, otherwise the resolution of
* the resource fails, even if byte stream OK
* No character stream, only byte streams are allowed. Do not throw exception, otherwise the resolution of the resource fails, even if byte stream OK
*/
return null;
// throw new UnsupportedOperationException();
......@@ -370,8 +362,7 @@ public final class SchemaHandler
public String getBaseURI()
{
/*
* No base URI, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the
* resolution of the resource fails, even for absolute URIs
* No base URI, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the resolution of the resource fails, even for absolute URIs
*/
return null;
// throw new UnsupportedOperationException();
......@@ -387,8 +378,7 @@ public final class SchemaHandler
public String getEncoding()
{
/*
* No encoding override, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise
* the resolution of the resource fails, even if encoding specified in other way
* No encoding override, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the resolution of the resource fails, even if encoding specified in other way
*/
return null;
// throw new UnsupportedOperationException();
......@@ -461,11 +451,9 @@ public final class SchemaHandler
public static Schema createSchema(final List<String> schemaLocations, final String catalogLocation)
{
/*
* This is mostly similar to org.apache.cxf.jaxrs.utils.schemas.SchemaHandler#createSchema(), except we are
* using Spring ResourceUtils class to get Resource URLs and we don't use any Bus object. We are not using CXF's
* SchemaHandler class directly because it is part of cxf-rt-frontend-jaxrs which drags many dependencies on CXF
* we don't need, the full CXF JAX-RS framework actually. It would make more sense if SchemaHandler was part of
* some cxf common utility package, but it is not the case as of writing (December 2014).
* This is mostly similar to org.apache.cxf.jaxrs.utils.schemas.SchemaHandler#createSchema(), except we are using Spring ResourceUtils class to get Resource URLs and we don't use any Bus
* object. We are not using CXF's SchemaHandler class directly because it is part of cxf-rt-frontend-jaxrs which drags many dependencies on CXF we don't need, the full CXF JAX-RS framework
* actually. It would make more sense if SchemaHandler was part of some cxf common utility package, but it is not the case as of writing (December 2014).
*/
final SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
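Review bot: In the hunk that introduces `Paths.get(catalogURL.toURI())`, that call can throw `java.nio.file.FileSystemNotFoundException` (besides `IllegalArgumentException`) for a catalog URL that is not a `file:` URL, e.g. one resolved from the classpath inside a jar, whereas the replaced `new File(URI)` only threw `IllegalArgumentException`; only `URISyntaxException` is visibly caught below, so unless a later catch clause outside this hunk covers it, a jar-hosted catalog now fails with a different unchecked exception. Either restrict the branch with `if ("file".equals(catalogURL.getProtocol()))` before converting, or catch `FileSystemNotFoundException | IllegalArgumentException` alongside `URISyntaxException`. Separately, the joined `_LOGGER.warn("Error resolving resource ... with URL: {}", e)` in an earlier hunk passes only the throwable, so the `{}` placeholder is never filled; pass the URL as an argument before `e`. The enclosing methods start and end outside these hunks.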
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......
/**
* Copyright (C) 2012-2016 Thales Services SAS.
* Copyright (C) 2012-2017 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
......@@ -365,7 +365,6 @@ public final class ExpressionFactoryImpl implements ExpressionFactory
LOGGER.warn("Expression of Variable {} is constant '{}', therefore should be replaced with a equivalent AttributeValue.", variableId, constant);
}
variableExpression.getReturnType();
return new ConstantVariableReference<>(variableId, constant, variableExpression.getReturnType(), longestVarRefChainInExpression);
}
......@@ -422,7 +421,7 @@ public final class ExpressionFactoryImpl implements ExpressionFactory
}
final BaseVariableReference<?> var = newVariableReference(varId, varExpr, longestVarRefChainInCurrentVarExpression);
return idToVariableMap.put(varId, var);
return idToVariableMap.putIfAbsent(varId, var);