Commit a32acec7 authored by cdanger's avatar cdanger

- Changed to PDP XSD: maxVariableRefDepth/maxPolicyRefDepth attributes

made optional
- Refactoring on PolicyEvaluator classes: new PolicyEvaluators factory
class for creating policy evaluators with better-optimized support for
statically defined policies (or policy references)
- Renamed extension ID prefix from 'urn:thalesgroup:' to
'urn:ow2:authzforce' (for open source extensions), e.g. for
request/result filters, functions, etc.
parent fa49ffe3
......@@ -19,10 +19,6 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
import org.ow2.authzforce.core.pdp.api.BaseRequestFilter;
import org.ow2.authzforce.core.pdp.api.DatatypeFactoryRegistry;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
......@@ -32,6 +28,10 @@ import org.ow2.authzforce.core.pdp.api.RequestFilter;
import org.ow2.authzforce.core.pdp.api.SingleCategoryAttributes;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
/**
* Default Request filter for Individual Decision Requests only (no support of Multiple Decision Profile in particular)
*
......@@ -46,7 +46,10 @@ public final class DefaultRequestFilter extends BaseRequestFilter
*/
public static final class LaxFilterFactory implements RequestFilter.Factory
{
private static final String ID = "urn:thalesgroup:xacml:request-filter:default-lax";
/**
* Request filter ID, as returned by {@link #getId()}
*/
public static final String ID = "urn:ow2:authzforce:xacml:request-filter:default-lax";
@Override
public String getId()
......@@ -55,8 +58,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
}
@Override
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
Processor xmlProcessor)
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
{
return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, requireContentForXPath, xmlProcessor);
}
......@@ -76,7 +78,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
*/
public static final class StrictFilterFactory implements RequestFilter.Factory
{
private static final String ID = "urn:thalesgroup:xacml:request-filter:default-strict";
private static final String ID = "urn:ow2:authzforce:xacml:request-filter:default-strict";
@Override
public String getId()
......@@ -85,23 +87,19 @@ public final class DefaultRequestFilter extends BaseRequestFilter
}
@Override
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
Processor xmlProcessor)
public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
{
return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, requireContentForXPath, xmlProcessor);
}
}
private DefaultRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates,
boolean requireContentForXPath, Processor xmlProcessor)
private DefaultRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Processor xmlProcessor)
{
super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, xmlProcessor);
}
@Override
public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser,
boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix)
throws IndeterminateEvaluationException
public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
{
/*
......@@ -123,9 +121,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
final String categoryName = jaxbAttributes.getCategory();
if (!attrCategoryNames.add(categoryName))
{
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName
+ "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)",
StatusHelper.STATUS_SYNTAX_ERROR);
throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName + "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);
}
final SingleCategoryAttributes<?> categorySpecificAttributes = xacmlAttrsParser.parseAttributes(jaxbAttributes, xPathCompiler);
......
/**
* Copyright (C) 2012-2015 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
* AuthZForce CE is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software
* Foundation, either version 3 of the License, or (at your option) any later version.
*
* AuthZForce CE is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
*/
package org.ow2.authzforce.core.pdp.impl.combining;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import net.sf.saxon.s9api.XPathCompiler;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.CombinerParameter;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DefaultsType;
import org.ow2.authzforce.core.pdp.api.CombinerParameterEvaluator;
import org.ow2.authzforce.core.pdp.api.CombiningAlgParameter;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.ExpressionFactory;
/**
* Represents a set of CombinerParameters to a combining algorithm that may or may not be associated with a policy/rule
*
* @param <T>
* Type of combined element (Policy, Rule...) with which the CombinerParameters are associated
*/
public final class BaseCombiningAlgParameter<T extends Decidable> implements CombiningAlgParameter<T>
{
// the element to be combined
private final T element;
// the parameters used with this element
private final List<CombinerParameterEvaluator> parameters;
/**
* Constructor that takes both the element to combine and its associated combiner parameters.
*
* @param element
* combined element; null if
*
* @param jaxbCombinerParameters
* a (possibly empty) non-null <code>List</code> of <code>CombinerParameter<code>s provided for general
* use
* @param xPathCompiler
* Policy(Set) default XPath compiler, corresponding to the Policy(Set)'s default XPath version specified in {@link DefaultsType} element; null
* if none specified
* @param expFactory
* attribute value factory
* @throws IllegalArgumentException
* if if one of the CombinerParameters is invalid
*/
public BaseCombiningAlgParameter(T element, List<CombinerParameter> jaxbCombinerParameters, ExpressionFactory expFactory, XPathCompiler xPathCompiler)
throws IllegalArgumentException
{
this.element = element;
if (jaxbCombinerParameters == null)
{
this.parameters = Collections.emptyList();
} else
{
final List<CombinerParameterEvaluator> modifiableParamList = new ArrayList<>();
int paramIndex = 0;
for (CombinerParameter jaxbCombinerParam : jaxbCombinerParameters)
{
try
{
final CombinerParameterEvaluator combinerParam = new CombinerParameterEvaluator(jaxbCombinerParam, expFactory, xPathCompiler);
modifiableParamList.add(combinerParam);
} catch (IllegalArgumentException e)
{
throw new IllegalArgumentException("Error parsing CombinerParameters/CombinerParameter#" + paramIndex, e);
}
paramIndex++;
}
this.parameters = Collections.unmodifiableList(modifiableParamList);
}
}
/**
* Returns the combined element. If null, it means, this CombinerElement (i.e. all its CombinerParameters) is not associated with a particular rule
*
* @return the combined element
*/
@Override
public T getCombinedElement()
{
return element;
}
/**
* Returns the <code>CombinerParameterEvaluator</code>s associated with this element.
*
* @return a <code>List</code> of <code>CombinerParameterEvaluator</code>s
*/
@Override
public List<CombinerParameterEvaluator> getParameters()
{
return parameters;
}
}
......@@ -27,47 +27,38 @@ import org.ow2.authzforce.core.pdp.api.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.Decidable;
/**
* Combining algorithm set. Allows to group combining algorithms, especially when it is actually the
* same generic algorithm but with different IDs, such as most standard algorithms which are the
* same for policy combining and rule combining algorithm IDs.
* Combining algorithm set. Allows to group combining algorithms, especially when it is actually the same generic algorithm but with different IDs, such as most
* standard algorithms which are the same for policy combining and rule combining algorithm IDs.
*
* TODO: consider making it a PdpExtension like FunctionSet, or generic PdpExtensionSet
*/
public class CombiningAlgSet
{
// /**
// * Namespace to be used as default prefix for internal algorithm set IDs
// */
// public static final String DEFAULT_ID_NAMESPACE = "urn:thalesgroup:xacml:combining-algorithm-set:";
// private final String id;
private final Set<CombiningAlg<?>> algs;
/**
// * @param id
// * globally unique ID of this function set, to be used as PDP extension ID
* Creates set from multiple combining algorithms
*
* @param algorithms
*/
public CombiningAlgSet(/*String id,*/ CombiningAlg<?>... algorithms)
public CombiningAlgSet(CombiningAlg<?>... algorithms)
{
this(/*id,*/ new HashSet<>(Arrays.asList(algorithms)));
this(new HashSet<>(Arrays.asList(algorithms)));
}
/**
// * @param id
* Creates a set as a copy of an existing set
*
* @param algorithms
*/
public CombiningAlgSet(/*String id,*/ Set<CombiningAlg<?>> algorithms)
public CombiningAlgSet(Set<CombiningAlg<?>> algorithms)
{
// this.id = id;
this.algs = Collections.unmodifiableSet(algorithms);
}
/**
* Returns a single instance of each of the functions supported by some class. The
* <code>Set</code> must contain instances of <code>Function</code>, and it must be both
* non-null and non-empty. It may contain only a single <code>Function</code>.
* Returns a single instance of each of the functions supported by some class. The <code>Set</code> must contain instances of <code>Function</code>, and it
* must be both non-null and non-empty. It may contain only a single <code>Function</code>.
*
* @return the functions members of this group
*/
......@@ -75,11 +66,5 @@ public class CombiningAlgSet
{
return algs;
}
//
// @Override
// public String getId()
// {
// return id;
// }
}
......@@ -15,8 +15,6 @@ package org.ow2.authzforce.core.pdp.impl.combining;
import java.util.List;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import org.ow2.authzforce.core.pdp.api.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.CombiningAlgParameter;
......@@ -25,6 +23,8 @@ import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.impl.BaseDecisionResult;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
/**
* Deny-unless-permit combining algorithm
*
......@@ -53,20 +53,20 @@ public final class DenyUnlessPermitAlg extends BaseCombiningAlg<Decidable>
final DecisionType decision = policyResult.getDecision();
switch (decision)
{
case PERMIT:
return policyResult;
case DENY:
// merge result (obligations/advice/mached policy IDs)
if (combinedDenyResult == null)
{
combinedDenyResult = policyResult;
} else
{
combinedDenyResult.merge(policyResult.getPepActions(), policyResult.getApplicablePolicyIdList());
}
break;
default:
continue;
case PERMIT:
return policyResult;
case DENY:
// merge result (obligations/advice/mached policy IDs)
if (combinedDenyResult == null)
{
combinedDenyResult = policyResult;
} else
{
combinedDenyResult.merge(policyResult.getPepActions(), policyResult.getApplicablePolicyIdList());
}
break;
default:
continue;
}
}
......@@ -76,23 +76,20 @@ public final class DenyUnlessPermitAlg extends BaseCombiningAlg<Decidable>
}
@Override
public CombiningAlg.Evaluator getInstance(List<CombiningAlgParameter<? extends Decidable>> params, List<? extends Decidable> combinedElements)
throws UnsupportedOperationException, IllegalArgumentException
public CombiningAlg.Evaluator getInstance(List<CombiningAlgParameter<? extends Decidable>> params, List<? extends Decidable> combinedElements) throws UnsupportedOperationException, IllegalArgumentException
{
return new Evaluator(combinedElements);
}
/**
* The standard URIs used to identify this algorithm
* The standard URIs used to identify this algorithm; first one is for policy combinging, second one for rule combining.
*/
static final String[] SUPPORTED_IDENTIFIERS = { "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit",
"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" };
static final String[] SUPPORTED_IDENTIFIERS = { "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit", "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" };
/**
* Supported algorithms
*/
public static final CombiningAlgSet SET = new CombiningAlgSet(new DenyUnlessPermitAlg(SUPPORTED_IDENTIFIERS[0]), new DenyUnlessPermitAlg(
SUPPORTED_IDENTIFIERS[1]));
public static final CombiningAlgSet SET = new CombiningAlgSet(new DenyUnlessPermitAlg(SUPPORTED_IDENTIFIERS[0]), new DenyUnlessPermitAlg(SUPPORTED_IDENTIFIERS[1]));
private DenyUnlessPermitAlg(String algId)
{
......
......@@ -20,7 +20,7 @@ import org.ow2.authzforce.core.pdp.api.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.CombiningAlgParameter;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.IPolicyEvaluator;
import org.ow2.authzforce.core.pdp.api.PolicyEvaluator;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.impl.BaseDecisionResult;
......@@ -31,7 +31,7 @@ import org.slf4j.LoggerFactory;
* This is the standard only-one-applicable policy combining algorithm.
*
*/
public class OnlyOneApplicableAlg extends BaseCombiningAlg<IPolicyEvaluator>
public class OnlyOneApplicableAlg extends BaseCombiningAlg<PolicyEvaluator>
{
private static class Evaluator implements CombiningAlg.Evaluator
{
......@@ -40,9 +40,9 @@ public class OnlyOneApplicableAlg extends BaseCombiningAlg<IPolicyEvaluator>
private static final BaseDecisionResult TOO_MANY_APPLICABLE_POLICIES_INDETERMINATE_RESULT = new BaseDecisionResult(new StatusHelper(
StatusHelper.STATUS_PROCESSING_ERROR, "Too many (more than one) applicable policies for algorithm: " + ID));
private final List<? extends IPolicyEvaluator> policyElements;
private final List<? extends PolicyEvaluator> policyElements;
private Evaluator(List<? extends IPolicyEvaluator> policyElements)
private Evaluator(List<? extends PolicyEvaluator> policyElements)
{
this.policyElements = policyElements;
}
......@@ -51,9 +51,9 @@ public class OnlyOneApplicableAlg extends BaseCombiningAlg<IPolicyEvaluator>
public DecisionResult eval(EvaluationContext context)
{
// atLeastOne == true iff selectedPolicy != null
IPolicyEvaluator selectedPolicy = null;
PolicyEvaluator selectedPolicy = null;
for (final IPolicyEvaluator policy : policyElements)
for (final PolicyEvaluator policy : policyElements)
{
// see if the policy applies to the context
final boolean isApplicable;
......@@ -93,7 +93,7 @@ public class OnlyOneApplicableAlg extends BaseCombiningAlg<IPolicyEvaluator>
}
@Override
public Evaluator getInstance(List<CombiningAlgParameter<? extends IPolicyEvaluator>> params, List<? extends IPolicyEvaluator> combinedElements)
public Evaluator getInstance(List<CombiningAlgParameter<? extends PolicyEvaluator>> params, List<? extends PolicyEvaluator> combinedElements)
{
return new Evaluator(combinedElements);
}
......@@ -108,7 +108,7 @@ public class OnlyOneApplicableAlg extends BaseCombiningAlg<IPolicyEvaluator>
*/
public OnlyOneApplicableAlg()
{
super(ID, IPolicyEvaluator.class);
super(ID, PolicyEvaluator.class);
}
}
......@@ -29,7 +29,7 @@ public class BaseFunctionSet implements FunctionSet
/**
* Namespace to be used as default prefix for internal function set IDs
*/
public static final String DEFAULT_ID_NAMESPACE = "urn:thalesgroup:xacml:function-set:";
public static final String DEFAULT_ID_NAMESPACE = "urn:ow2:authzforce:xacml:function-set:";
private final String id;
......
......@@ -13,21 +13,24 @@
*/
package org.ow2.authzforce.core.pdp.impl.policy;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
import org.ow2.authzforce.core.pdp.api.BaseStaticRootPolicyProviderModule;
import org.ow2.authzforce.core.pdp.api.CombiningAlgRegistry;
import org.ow2.authzforce.core.pdp.api.EnvironmentProperties;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.ExpressionFactory;
import org.ow2.authzforce.core.pdp.api.IPolicyEvaluator;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.JaxbXACMLUtils.XACMLParserFactory;
import org.ow2.authzforce.core.pdp.api.RefPolicyProviderModule;
import org.ow2.authzforce.core.pdp.api.RootPolicyProviderModule;
import org.ow2.authzforce.core.pdp.api.StaticTopLevelPolicyElementEvaluator;
import org.ow2.authzforce.core.pdp.api.TopLevelPolicyElementEvaluator;
import org.ow2.authzforce.core.pdp.api.TopLevelPolicyElementType;
import org.ow2.authzforce.core.pdp.api.VersionPatterns;
import org.ow2.authzforce.core.xmlns.pdp.StaticRefBasedRootPolicyProvider;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.IdReferenceType;
/**
* This Root policy provider module retrieves the root policy from a {@link RefPolicyProviderModule} statically (once and for all), based on a XACML
* PolicySetIdReference.
......@@ -51,22 +54,18 @@ public class CoreRefBasedRootPolicyProviderModule extends BaseStaticRootPolicyPr
}
@Override
public <REF_POLICY_PROVIDER_CONF extends AbstractPolicyProvider> RootPolicyProviderModule getInstance(StaticRefBasedRootPolicyProvider jaxbConf,
XACMLParserFactory xacmlParserFactory, ExpressionFactory expressionFactory, CombiningAlgRegistry combiningAlgRegistry,
REF_POLICY_PROVIDER_CONF jaxbRefPolicyProviderConf, RefPolicyProviderModule.Factory<REF_POLICY_PROVIDER_CONF> refPolicyProviderModuleFactory,
int maxPolicySetRefDepth, EnvironmentProperties environmentProperties)
public <REF_POLICY_PROVIDER_CONF extends AbstractPolicyProvider> RootPolicyProviderModule getInstance(StaticRefBasedRootPolicyProvider jaxbConf, XACMLParserFactory xacmlParserFactory, ExpressionFactory expressionFactory, CombiningAlgRegistry combiningAlgRegistry, REF_POLICY_PROVIDER_CONF jaxbRefPolicyProviderConf, RefPolicyProviderModule.Factory<REF_POLICY_PROVIDER_CONF> refPolicyProviderModuleFactory, int maxPolicySetRefDepth, EnvironmentProperties environmentProperties)
{
if (jaxbConf == null)
{
throw ILLEGAL_XML_CONF_ARG_EXCEPTION;
}
return new CoreRefBasedRootPolicyProviderModule(jaxbConf.getPolicyRef(), expressionFactory, combiningAlgRegistry, xacmlParserFactory,
jaxbRefPolicyProviderConf, refPolicyProviderModuleFactory, maxPolicySetRefDepth, environmentProperties);
return new CoreRefBasedRootPolicyProviderModule(jaxbConf.getPolicyRef(), expressionFactory, combiningAlgRegistry, xacmlParserFactory, jaxbRefPolicyProviderConf, refPolicyProviderModuleFactory, maxPolicySetRefDepth, environmentProperties);
}
}
private final IPolicyEvaluator rootPolicy;
private final StaticTopLevelPolicyElementEvaluator rootPolicy;
/**
* Creates instance with the root PolicySet retrieved from the refPolicyprovider once and for all
......@@ -94,13 +93,9 @@ public class CoreRefBasedRootPolicyProviderModule extends BaseStaticRootPolicyPr
* {@code jaxbRefPolicyProviderConf != null && (expressionFactory == null || combiningAlgRegistry == null || xacmlParserFactory == null)} or no
* PolicySet matching {@code policySetRef} could be resolved by the refPolicyProvider
*/
public <CONF extends AbstractPolicyProvider> CoreRefBasedRootPolicyProviderModule(IdReferenceType policyRef, ExpressionFactory expressionFactory,
CombiningAlgRegistry combiningAlgRegistry, XACMLParserFactory xacmlParserFactory, CONF jaxbRefPolicyProviderConf,
RefPolicyProviderModule.Factory<CONF> refPolicyProviderModFactory, int maxPolicySetRefDepth, EnvironmentProperties environmentProperties)
throws IllegalArgumentException
public <CONF extends AbstractPolicyProvider> CoreRefBasedRootPolicyProviderModule(IdReferenceType policyRef, ExpressionFactory expressionFactory, CombiningAlgRegistry combiningAlgRegistry, XACMLParserFactory xacmlParserFactory, CONF jaxbRefPolicyProviderConf, RefPolicyProviderModule.Factory<CONF> refPolicyProviderModFactory, int maxPolicySetRefDepth, EnvironmentProperties environmentProperties) throws IllegalArgumentException
{
super(expressionFactory, combiningAlgRegistry, xacmlParserFactory, jaxbRefPolicyProviderConf, refPolicyProviderModFactory, maxPolicySetRefDepth,
environmentProperties);
super(expressionFactory, combiningAlgRegistry, xacmlParserFactory, jaxbRefPolicyProviderConf, refPolicyProviderModFactory, maxPolicySetRefDepth, environmentProperties);
if (policyRef == null)
{
throw ILLEGAL_XACML_POLICY_REF_ARG_EXCEPTION;
......@@ -110,22 +105,26 @@ public class CoreRefBasedRootPolicyProviderModule extends BaseStaticRootPolicyPr
final VersionPatterns versionPatterns = new VersionPatterns(policyRef.getVersion(), policyRef.getEarliestVersion(), policyRef.getLatestVersion());
try
{
rootPolicy = refPolicyProvider.get(IPolicyEvaluator.class, policySetId, versionPatterns, null);
rootPolicy = refPolicyProvider.get(TopLevelPolicyElementType.POLICY_SET, policySetId, versionPatterns, null);
} catch (IndeterminateEvaluationException e)
{
throw new IllegalArgumentException("Error resolving/instantiating the root policy matching PolicySetIdReference: PolicySetId = " + policySetId
+ "; " + versionPatterns, e);
throw new IllegalArgumentException("Failed to find a root PolicySet with id = " + policySetId + ", " + versionPatterns, e);
}
if (rootPolicy == null)
{
throw new IllegalArgumentException("No policy found by the refPolicyProvider for the specified PolicySetIdReference: PolicySetId = " + policySetId
+ "; " + versionPatterns);
throw new IllegalArgumentException("No policy found by the refPolicyProvider for the specified PolicySetIdReference: PolicySetId = " + policySetId + "; " + versionPatterns);
}
}
@Override
public IPolicyEvaluator getRootPolicy()
public StaticTopLevelPolicyElementEvaluator getPolicy()
{
return rootPolicy;
}
@Override
public TopLevelPolicyElementEvaluator getPolicy(EvaluationContext context) throws IndeterminateEvaluationException, IllegalArgumentException
{
return rootPolicy;
}
......
/**
* Copyright (C) 2012-2015 Thales Services SAS.
*
* This file is part of AuthZForce CE.
*
* AuthZForce CE is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software
* Foundation, either version 3 of the License, or (at your option) any later version.
*
* AuthZForce CE is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
*/
package org.ow2.authzforce.core.pdp.impl.policy;
import java.util.Deque;
import java.util.List;
import java.util.Map;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.IPolicyEvaluator;
import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
import org.ow2.authzforce.core.pdp.api.PolicyVersion;
import org.ow2.authzforce.core.pdp.api.RefPolicyProvider;
import org.ow2.authzforce.core.pdp.api.StatusHelper;
import org.ow2.authzforce.core.pdp.api.VersionPatterns;
import org.ow2.authzforce.core.pdp.impl.BaseDecisionResult;
import com.sun.xacml.ParsingException;
class DynamicPolicyRefEvaluator<T extends IPolicyEvaluator> extends PolicyReferenceEvaluator<T>
{
private static final UnsupportedOperationException UNSUPPORTED_DYNAMIC_GET_COMBINING_ALG_ID = new UnsupportedOperationException(
"Unable to get Combining algorithm ID out of context for a dynamic PolicyReference");
// this policyProvider to use in finding the referenced policy
private final transient RefPolicyProvider refPolicyProvider;
/*
* Chain of Policy Reference leading from root policy down to this reference (excluded) (Do not use a Queue as it is
* FIFO, and we need LIFO and iteration in order of insertion, so different from Collections.asLifoQueue(Deque) as
* well.)
*/
private final transient Deque<String> ancestorPolicyRefChain;
DynamicPolicyRefEvaluator(String policyIdRef, VersionPatterns versionConstraints, Class<T> policyReferenceType,
RefPolicyProvider refPolicyProvider, Deque<String> ancestorPolicyRefChain)
{
super(policyIdRef, versionConstraints, policyReferenceType);
if (refPolicyProvider == null)
{
throw new IllegalArgumentException("Undefined policy policyProvider");
}
this.refPolicyProvider = refPolicyProvider;
this.ancestorPolicyRefChain = ancestorPolicyRefChain;
}
/**
* Resolves this to the actual Policy
*
* @throws ParsingException
* Error parsing the policy referenced by this. The referenced policy may be parsed on the fly, when
* calling this method.
* @throws IndeterminateEvaluationException
* if error determining the policy referenced by this, e.g. if more than one policy is found
*/
private T resolve() throws ParsingException, IndeterminateEvaluationException
{
return refPolicyProvider.get(this.referredPolicyClass, this.refPolicyId, this.versionConstraints,
ancestorPolicyRefChain);
}
@Override
public final DecisionResult evaluate(EvaluationContext context, boolean skipTarget)
{
// we must have found a policy
try
{
return resolve().evaluate(context, skipTarget);
} catch (IndeterminateEvaluationException e)
{
LOGGER.info("Error resolving {} to the policy to evaluate in the request context", this, e);
return new BaseDecisionResult(e.getStatus());
} catch (ParsingException e)
{
LOGGER.info("Error resolving {} to the policy to evaluate in the request context", this, e);
return e.getIndeterminateResult();
}
}
@Override
public final boolean isApplicable(EvaluationContext context) throws IndeterminateEvaluationException
{
try
{
return resolve().isApplicable(context);
} catch (ParsingException e)
{
throw new IndeterminateEvaluationException("Error resolving " + this
+ " to check whether the referenced policy is applicable to the request context",
StatusHelper.STATUS_SYNTAX_ERROR, e);
}
}
@Override
public String getCombiningAlgId()
{
throw UNSUPPORTED_DYNAMIC_GET_COMBINING_ALG_ID;
}
@Override
public List<String> getLongestPolicyReferenceChain()
{
// computed dynamically at evaluation time, see resolve() method
return null;
}
@Override
public Map<String, PolicyVersion> getStaticRefPolicies()
{
// this is not static
return null;
}
@Override
public PolicyVersion getPolicyVersion()
{
// Version is not statically defined
return null;
}
}
\ No newline at end of file
/**
* Copyright (C) 2011-2015 Thales Services SAS.
*
* This file is part of AuthZForce.